[Samba] 3.0.0 -> 3.0.1 upgrade causes "Failed to verify incoming ticket!"

Kevin P. Fleming kpfleming at backtobasicsmgmt.com
Thu Jan 1 04:32:58 GMT 2004

OK, I spent a bunch of time reviewing the mailing list from the last 
month, and I see where this was discussed quite a bit, but there was no 
conclusive resolution found (that I could find anyway).

I have a simple network: one machine running W2K3 Standard Edition, with 
AD active and in W2K compatibility mode, one machine running Linux with 
Samba 3.0.0/3.0.1, a number of W2K and WXP Pro workstations.

Samba is compiled against MIT Kerberos 1.3.1. There is no /etc/krb5.conf 
file at all (intentionally). I had no trouble using kinit to get a krb5 
ticket from the KDC, nor did I have any trouble with "net ads join". The 
Samba server shows up in Active Directory, reporting itself properly. 
There is no WINS server at all (only DNS is used for host name 
resolution). "client use spnego" and "use spnego" are both set to "yes". 
"klist -e" shows the ticket obtained by kinit as "skey" DES-CBC-CRC and 
"tkt" RC4-HMAC-MD5.

winbindd is running and libnss_winbind.so is in place and working 
properly; getent shows the AD users and groups with no problems. Time is 
synchronized between the machines (the Linux box is running ntpd, and 
the W2K3 box is using it as a time source).

With Samba 3.0.0 everything is cool and I can access the shares, 
security works properly, etc. Upgrading to 3.0.1 (compiled using the 
identical configure command) causes the workstations (and the AD DC) to 
no longer be able to connect to Samba shares; any attempt results in a 
username/password dialog box popping up, and no entry in that box will 
work. The workstations can connect to the Samba server by using the IP 
address, though, just not using browsing or the server name directly.

Looking at the Samba logs, "Failed to verify incoming ticket!" appears 
each time a workstation attempts to connect to a share when 3.0.1 is 

I have another problem to report against Samba, and I suspect it may 
have been fixed already in 3.0.1, but I can't use 3.0.1 without a 
resolution to this problem. Anyone have a suggestion?

More information about the samba mailing list