[Samba] Windows 2003 AD/Kerberos Ticket error

eric roseme eroseme at emonster.rose.hp.com
Mon Jul 19 17:59:09 GMT 2004


If you google for this you'll find a bunch of posts that pretty much 
explain everything.

In short, W2003 krb defaults to rc4-hmac, and does not allow enctypes. 
So take your enctypes out of krb5.conf and let it do rc4-hmac, or you 
can read Q833708 and get the hotfix to recognize enctypes.

I forget why the kinit works but the client logon does not.

Eric Roseme
Hewlett-Packard

Warbeck, Mark wrote:
> I'm attempting to configure Samba 3.0.4 to work with Windows 2003 Active
> Directory, mapping users' home directories automatically. Currently we
> use this method in production with Windows 2000 but wish to migrate to
> 2003. The problem seems to be Kerberos related. I was able to join the
> Linux box (RedHat 9) to the AD. I can do a "kinit <username>"
> successfully. Klist shows a valid ticket. When logging on to the W2K3
> domain controller the mapping of the drive fails and the Samba log shows
> the following:
> 
> smbd/sesssetup.c:reply_spnego_kerberos(174)
>   Failed to verify incoming ticket!
> 
> This is my smb.conf file (I've removed comments):
> ****Begin File****
> #======================= Global Settings 
> [global]
>    workgroup = w2k3
>    netbios name = file-svr
>    server string = Samba Server
> 
>    log file = /var/log/samba/smbd.log
> 
>    max log size = 50
>    security = ads
>    realm = W2K3.TEST
> 
>    client signing = Yes
>    server signing = Yes
>    client use spnego = Yes
>    use spnego = Yes
> 
>    encrypt passwords = yes
> 
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
>    local master = no
> 
>    dns proxy = no 
> 
> #============================ Share Definitions 
> [homes]
>    comment = Home Directories
>    browseable = no
>    writable = yes
> 
> ****End File****
> 
> This is the krb5.conf (again, comments removed):
> 
> ****Begin File****
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>   ticket_lifetime = 24000
>   default_realm = W2K3.TEST
>   default_tgs_enctypes = des-cbc-crc des-cbc-md5
>   default_tkt_enctypes = des-cbc-crc des-cbc-md5
>   forwardable = true
>   proxiable = true
> 
> [realms]
>  W2K3.TEST = {
>   kdc = test-dc.w2k3.test
>   admin_server = test-dc.w2k3.test
>   default_domain = w2k3.test
>  }
> 
> [domain_realm]
>  .w2k3.test = W2K3.TEST
>  w2k3.test = W2K3.TEST
> 
> ****End File****
> 
> The following packages are installed:
> 
> samba-3.0.4-1
> krb5-libs-1.2.7-14
> krb5-workstation-1.2.7-14
> krb5-devel-1.60-1
> pam_krb5-1.60-1
> 
> The DNS servers are Windows 2000 SP4.
> 
> Thanks for any suggestions. I've set this at maximum points since I
> really need to get it working.
> 
> Mark
> 
> --
> Mark Warbeck
> Systems Engineer
> Engineering Science and Mechanics
> Virginia Tech
> 323A Norris Hall
> Mail Code 0219
> Blacksburg, VA 24061
> 540.231.7489 
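What the advice above amounts to in practice, as an added example that is not part of this thread and not Samba's or MIT Kerberos's own code: a small POSIX sh/awk check that lists any default_tgs_enctypes / default_tkt_enctypes line in [libdefaults] whose value is only des-* types, and a filter that writes a copy of the file with those lines removed so that libkrb5 negotiates the enctype with the KDC rather than insisting on DES. The sample krb5.conf is constructed here to mirror the [libdefaults] posted in the original message; the function names and the temporary-file handling are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from this thread: find DES-only enctype pins in the
# [libdefaults] section of a krb5.conf and produce a copy without them,
# which is the change suggested above. Function names are my own.

# awk program shared by both functions. mode=list prints each offending
# line; mode=strip prints the whole file minus those lines.
DES_PIN_AWK='
    # Track the current [section]; drop the brackets and any whitespace.
    /^[ \t]*\[/ { section = $0; gsub(/\[|\]|[ \t]/, "", section) }
    section == "libdefaults" && /^[ \t]*default_(tgs|tkt)_enctypes[ \t]*=/ {
        line = $0; sub(/^[ \t]+/, "", line)
        value = substr(line, index(line, "=") + 1)
        n = split(value, types, /[ \t,]+/)
        only_des = 1
        for (i = 1; i <= n; i++)
            if (types[i] != "" && types[i] !~ /^des-/) only_des = 0
        if (only_des) { if (mode == "list") print line; next }
    }
    mode == "strip" { print }
'

# Print each default_tgs_enctypes / default_tkt_enctypes line that lists
# only des-* types (the situation in the krb5.conf posted above).
pinned_des_enctypes() { awk -v mode=list "$DES_PIN_AWK" "$1"; }

# Print the config with those lines removed so libkrb5 negotiates the
# enctype with the KDC instead of insisting on DES.
strip_des_enctype_pins() { awk -v mode=strip "$DES_PIN_AWK" "$1"; }

# Constructed sample mirroring the posted [libdefaults]; not a real host.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
 ticket_lifetime = 24000
 default_realm = W2K3.TEST
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true

[realms]
 W2K3.TEST = {
  kdc = test-dc.w2k3.test
 }
EOF
}

sample=$(mktemp)
write_sample_krb5_conf "$sample"
echo "DES-only enctype pins in [libdefaults]:"
pinned_des_enctypes "$sample"
echo
echo "krb5.conf with the pins removed:"
strip_des_enctype_pins "$sample"
rm -f "$sample"
```

Run the filter against the real /etc/krb5.conf, then kinit again and look at "klist -e": the enctype it reports is the one the DC actually issued, which is the thing to compare with what the Samba side is configured to accept. Two caveats for anyone reading this today: a mixed list such as "rc4-hmac des-cbc-crc" is left alone by the filter, since only DES-only pins are the problem described here, and current MIT Kerberos refuses DES outright unless allow_weak_crypto is set and deprecates rc4-hmac as well, so not pinning DES is also the secure choice, not only the one that makes Windows 2003 work.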

