[Samba] 3.0.2 works with kerberos 1.2.7 for a while, then stops

[Alan Munter]

I installed RH9 and the RH9 binary rpm of samba-3.0.2a from the ftp
site.  I added default_realm, kdc, and [domain_realm] sections to my
krb5.conf file because for some reason it can't get them from DNS
(haven't worked that out yet) and with a small edit of smb.conf was able
to join the new samba install to our 2k3 active directory.  wbinfo -t
and kinit and stuff all worked as did getent password.  

Then I used swat to make a share and set valid users = '@MYDOMAIN\Domain
Users' and browsed to it from a Windows XP machine which was a member of
the domain.  I made a folder in the share, verified that it had the
correct UID/GID mapping.  All was good.

Then all of a sudden it stopped working.  Now I am getting log entries
like:

[2004/03/18 15:57:57, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2004/03/18 15:57:57, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
  Doing spnego session setup
[2004/03/18 15:57:57, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
  Got secblob of size 1211
[2004/03/18 15:57:57, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/03/18 15:57:57, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/03/18 15:57:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/18 15:57:57, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2004/03/18 15:57:57, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

I know.  Folks will say that I need to upgrade MIT kerberos to 1.3.1,
which I will do, however I am curious about why it used to work and then
just stopped working.  I was messing around with swat at the time, but I
did not change any of the global settings, only shares.

Any ideas?

Alan
-- 
Alan E. Munter                         NIST Center for Neutron Research
Physical Scientist                     100 Bureau Dr., Stop 8562
alan.munter at nist.gov                   Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/              (301)975-6244