[Samba] samba3.0.1/win2000ad/kerberos5: user cannot logon

Fred Mayer fred at onkeldata.de
Mon Jan 12 11:01:40 GMT 2004

Hi everyone!
I've googled a lot for this, and found *some* people with similar
questions, but there was no answer if this is a bug in samba, a
misconfiguration, or what?

I have a win2000 active directory Server (wurzel.baum.local), a samba
2.2.3a on debian stable/woody (stamm.baum.local), security = user, a
samba 3.0.1 on debian testing/Sarge (blatt1.baum.local) and a windowsxp
machine joined to the active directory domain (blatt.baum.local).
It is a testing environment at a local switch. All IPs are static. DNS
is configured on "wurzel" forward and reverse. resolv.conf/nsswitch.conf
are configured to use the DNS of "wurzel", winbind is configured to map
the users and groups. kerberos5 is configured as described in the
samba3-Howto. All machines can ping by name and IP-address. "blatt1" is
the machine that makes trouble.
wbinfo -u, kinit administrator@BAUM.LOCAL, getent passwd work fine and
give the expected output (Userlist, ok, userlist)
setup of the samba 3.0.1 went just fine, net ads join went fine, users
on "blatt" could use the shares on "blatt1". After a reboot of all the
machines (testing environment, remember?) I can still see "blatt1" in
the network neighborhood of "wurzel" and "blatt", but no user can
connect, a password-dialog pops up that cannot be satisfied by any
user/password combination the win2000 server knows.
/var/log/samba/log.ipofblatt tells me:
[2004/01/12 10:57:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2004/01/12 10:57:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!

If anybody needs further .conf data, please tell me and I'll post them.
Has anybody a clue what is wrong here?


Fred Mayer

