[Samba] failing to browse unix shares with samba 3.0.2a
jra at samba.org
Wed Mar 31 18:47:31 GMT 2004
On Wed, Mar 31, 2004 at 10:03:45AM -0800, Moshe Shaham wrote:
> We upgraded our Solaris 9 samba server to version 3.0.2a and configured
> Kerberos MIT 1.3.2.
> I was able to run kinit and join samba to our windows 2003 domain as a
> domain member, but when I am trying to browse the samba shares from a
> windows XP machine it is failing. When I am looking at the samba logs this
> is what I am getting:
> [2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
> ads_verify_ticket: enc type  failed to decrypt with error Decrypt
> integrity check failed
> [2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2004/03/30 11:15:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
> [2004/03/30 11:15:26, 3] smbd/error.c:error_packet(94)
> error string = No such file or directory
> [2004/03/30 11:15:26, 3] smbd/error.c:error_packet(118)
> error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
> I was trying to run smbclient -k '\\machine\share' and it failed. After
> initiating the kinit command I was then able to run the smbclient -k
> command. Accessing the shares from a windows box is still failing.
Your enctypes are incorrect. This is confirmed by the fact that smbclient -k
works (the enctype requested by kinit is compatible with the enctypes checked
for by smbd - they're using the same krb5.conf) and the Windows clients don't.
The enctype the Windows client is getting is type 23 - rc4-hmac.
Once you've got a ticket with kinit, use klist -e to display the enctypes
you have. I'm guessing the enctype kinit is getting isn't the same.
You can try setting :
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
in your krb5.conf file.
And go buy the O'Reilly book on Kerberos and read it :-).
More information about the samba