[Samba] Kerberos authentication problems
David Nalley
davidnalley at BryanRamey.com
Wed Mar 24 22:13:54 GMT 2004
I appear to be having a problem with samba using kerberos to
authenticate to a win2k pdc.
Background: Windows 2kSP4 PDC. WhiteBox Enterprise Linux 3 running
2.4.21-4.ELsmp on x86.
samba 3.0.2-6.3E.i386 from the distribution's rpm.
krb5-1.3.1
I can successfully use "net ads join" and see the computer appear in
Active Directory.
I can use kinit to authenticate via kerberos, and can browse windows
shares via smbclient -k.
When I try and connect from a windows machine, I am continuously
prompted for authentication, which never succeeds.
My Samba log reveals the following:
[2004/03/24 11:43:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
When trying smbclient from another linux machine:
[root@TAROON root]# smbclient //liberation/public -k
session setup failed: NT_STATUS_LOGON_FAILURE
which yields the following in my logs:
[2004/03/24 16:46:06, 1] libads/kerberos_verify.c:ads_verify_ticket(203)
ads_verify_ticket: failed to fetch machine password
[2004/03/24 16:46:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[root@TAROON root]# smbclient //liberation/public -Udomainuser%pass
session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
which places the following in the logs:
[2004/03/24 16:59:32, 1] libads/kerberos_verify.c:ads_verify_ticket(203)
ads_verify_ticket: failed to fetch machine password
[2004/03/24 16:59:32, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
Anonymous login (temporarily enabled for testing) appears to work
flawlessly:
[root@TAROON root]# smbclient //liberation/public -N
Anonymous login successful
smb: \> ls
  .            D      0  Wed Mar 24 15:41:28 2004
  ..           D      0  Mon Feb 23 15:50:16 2004
  krb5cc_0         4573  Wed Mar 24 15:41:36 2004
  .X11-unix   DH      0  Fri Mar 19 12:15:35 2004
  .winbindd   DH      0  Wed Mar 24 16:19:38 2004
  60069 blocks of size 262144. 47176 blocks available
smb: \>
Needless to say, I am perplexed. I have searched Google, newsgroups, and
the list archives, and while I have seen references to this problem
before, no firm solutions, at least none that have worked for me. I have
also gone through the troubleshooting guide, and can complete all of
the tests that I can do anonymously, but fail all of the ones that
require authentication.
Anyone care to point out where I have gone wrong?
P.S. I also tried compiling samba from source, but the outcome was no
different.
Thanks,
David Nalley
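
An added example, not part of the original post and not Samba's own code: a small Python parser for the level-1 smbd log entries quoted above that separates ticket-verification failures preceded by "failed to fetch machine password" from those logged with no cause. The sample log is constructed from the lines in the post (the message-line indentation is assumed), and the function names and result labels are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in the post, in a two-line layout
# (header line, then an indented message line; the indentation is assumed).
SAMPLE_LOG = """\
[2004/03/24 11:43:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/24 16:46:06, 1] libads/kerberos_verify.c:ads_verify_ticket(203)
  ads_verify_ticket: failed to fetch machine password
[2004/03/24 16:46:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/24 16:59:32, 1] libads/kerberos_verify.c:ads_verify_ticket(203)
  ads_verify_ticket: failed to fetch machine password
[2004/03/24 16:59:32, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+), *(?P<level>\d+)\] "
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")

def parse_entries(text):
    """Group a log into entries: one header line plus its message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            entries.append({**m.groupdict(), "msg": []})
        elif entries and raw.strip():
            entries[-1]["msg"].append(raw.strip())
    return entries

def classify_ticket_failures(entries):
    """Label each ticket-verification failure by the entry logged just before it."""
    results = []
    for i, e in enumerate(entries):
        if (e["func"] != "reply_spnego_kerberos"
                or "Failed to verify incoming ticket!" not in e["msg"]):
            continue
        prev = entries[i - 1] if i else None
        no_secret = (prev is not None and prev["func"] == "ads_verify_ticket"
                     and prev["ts"] == e["ts"]
                     and any("failed to fetch machine password" in m for m in prev["msg"]))
        results.append((e["ts"], "machine-password-unavailable" if no_secret else "cause-not-logged"))
    return results

if __name__ == "__main__":
    failures = classify_ticket_failures(parse_entries(SAMPLE_LOG))
    print(Counter(cause for _, cause in failures))
```

On the sample, the 11:43:41 failure from the Windows client has no preceding cause line, while both smbclient attempts are attributed to the machine password lookup.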