[Samba] Windows 2003 AD/Kerberos Ticket error

Warbeck, Mark mwarbeck at vt.edu
Mon Jul 19 16:56:16 GMT 2004 

I'm attempting to configure Samba 3.0.4 to work with Windows 2003 Active
Directory, mapping users' home directories automatically. Currently we
use this method in production with Windows 2000 but wish to migrate to
2003. The problem seems to be Kerberos related. I was able to join the
Linux box (RedHat 9) to the AD. I can do a "kinit <username>"
successfully. Klist shows a valid ticket. When logging on to the W2K3
domain controller the mapping of the drive fails and the Samba log shows
the following:

smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!

This is my smb.conf file (I've removed comments):
****Begin File****
#======================= Global Settings 
[global]
   workgroup = w2k3
   netbios name = file-svr
   server string = Samba Server

   log file = /var/log/samba/smbd.log

   max log size = 50
   security = ads
   realm = W2K3.TEST

   client signing = Yes
   server signing = Yes
   client use spnego = Yes
   use spnego = Yes

  encrypt passwords = yes

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   local master = no

   dns proxy = no 

#============================ Share Definitions 
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

****End File****

This is the krb5.conf (again, comments removed):

****Begin File****

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
  default_realm = W2K3.TEST
  default_tgs_enctypes = des-cbc-crc des-cbc-md5
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  forwardable = true
  proxiable = true

[realms]
 W2K3.TEST = {
  kdc = test-dc.w2k3.test
  admin_server = test-dc.w2k3.test
  default_domain = w2k3.test
 }

[domain_realm]
 .w2k3.test = W2K3.TEST
 w2k3.test = W2K3.TEST

****End File****

The following packages are installed:

samba-3.0.4-1
krb5-libs-1.2.7-14
krb5-workstation-1.2.7-14
krb5-devel-1.60-1
pam_krb5-1.60-1

The DNS servers are Windows 2000 SP4.

Thanks for any suggestions. I've set this at maximum points since I
really need to get it working.

Mark

--
Mark Warbeck
Systems Engineer
Engineering Science and Mechanics
Virginia Tech
323A Norris Hall
Mail Code 0219
Blacksburg, VA 24061
540.231.7489

More information about the samba mailing list