[Samba] samba 3.0.2a domain member in Windows 2003 domain and MIT 1.3.2

Moshe Shaham Moshe at netscreen.com
Tue Mar 30 21:46:04 GMT 2004


We recently switched our win2k domain to native mode. We upgraded our
Solaris 9 Samba server from 2.2.8 to version 3.0.2a and configured MIT
Kerberos version 1.3.2.
I was able to join the machine as a domain member without any problems:
./net ads join -U moshe
moshe password: 

[2004/03/30 13:26:46, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for shark already exists - modifying old account
Using short domain name -- MYCOMPANY
Joined 'SHARK' to realm 'CORP.MYCOMPANY.COM'  

kinit and klist also work without any problems.

When I try to browse the Samba shares from a Win/XP machine, I get
the following in the Samba log:
[2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/03/30 11:15:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/30 11:15:26, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2004/03/30 11:15:26, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

This is my krb5.conf:
[libdefaults]
        default_keytab_name = /etc/krb5.keytab
        default_realm = CORP.MYCOMPANY.COM
        dns_lookup_kdc = false
        dns_lookup_realm = false

[realms]
        CORP.MYCOMPANY.COM = {
                kdc = corpdc.corp.mycompany.com
                default_domain = corp.mycompany.com
        }

[domain_realm]
        .corp.mycompany.com = CORP.MYCOMPANY.COM
        corp.mycompany.com = CORP.MYCOMPANY.COM
[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

                period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }

This is my smb.conf:
netbios name = shark
        workgroup = MYCOMPANY
        realm = CORP.MYCOMPANY.COM
        server string = Samba Server
        log file = /opt/samba3.0/var/log.%m
        log level = 5
        max log size = 50
        security = ads
        local master = no
        os level = 0
        domain master = no
        preferred master = no
        wins support = no
        wins server = 10.70.130.2, 10.80.20.4
        dns proxy = no
        password server = corpdc.corp.mycompany.com  
        encrypt passwords = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind separator = +

I searched this list and found a similar posting but no answer. Can someone
please help?

Thanks,
Moshe
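
An added example, not part of the original post: a Python script that parses the Samba log excerpt quoted above, rejoins lines wrapped by the mail client, and tallies `ads_verify_ticket` decrypt failures per encryption type. It assumes the bracketed number in the log is the Kerberos enctype number (3 = des-cbc-md5); the function names `parse_records` and `ticket_failures` are hypothetical.

```python
import re
from collections import Counter

# Assumption: "enc type [N]" is the Kerberos enctype number (subset listed here).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Samba 3 log header: [date time, level] source_file:function(line)
HEADER = re.compile(r"^\[(\S+ \S+), +(\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Log excerpt copied from the post, including its mail-wrapped lines.
SAMPLE = """\
[2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/03/30 11:15:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/30 11:15:26, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2004/03/30 11:15:26, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

def parse_records(text):
    """Attach every non-header line to the preceding header, rejoining wrapped text."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "function": m.group(4), "message": ""})
        elif records and line.strip():
            records[-1]["message"] = (records[-1]["message"] + " " + line.strip()).strip()
    return records

def ticket_failures(records):
    """Return (decrypt failures keyed by enctype and error, rejected session setups)."""
    by_enctype, rejected = Counter(), 0
    for rec in records:
        m = ENC_FAIL.search(rec["message"])
        if rec["function"] == "ads_verify_ticket" and m:
            num = int(m.group(1))
            by_enctype[(num, ENCTYPES.get(num, "unknown"), m.group(2))] += 1
        elif rec["function"] == "reply_spnego_kerberos" and "Failed to verify" in rec["message"]:
            rejected += 1
    return by_enctype, rejected
```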

