[Samba] samba 3.0.2a & Win2003 AD controller

Christian HAESSIG christian.haessig at ircad.u-strasbg.fr
Tue May 4 07:07:35 GMT 2004


Hello samba experts !

I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
seems to work (getent passwd/group and wbinfo -u work), and the net ads
join worked too, but the authentication with the AD controller, hosted on
Win2003 Server, fails.

Sample of the level 3 log file :

...
[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 1210)
[2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
  wct=12 flg2=0xc807
[2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
  Doing spnego session setup
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
  Got secblob of size 1263
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
...

So, it seems there is a Kerberos problem. I use MIT krb5 1.3.3. I found a
TechNet article talking about a krb problem on win2003, and registry
modifications to apply. I did so, but nothing changed.

Another point : I did a tcpdump between the samba server and the 2003
server. When I do a kinit, there is communication between the servers. But
when I try to connect to the samba server from a W2K client, there is no
communication between the samba and the W2K server !

So, do you have an explanation ?

Here is my krb5.conf file :

[logging]
  default = FILE:/var/log/krb5/libs.log
  kdc = FILE:/var/log/krb5/kdc.log
  admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
  ticket_lifetime = 24000
  default_realm = IRCADSTAGE.FR

[realms]
  IRCADSTAGE.FR = {
    kdc = stageadmin11.ircadstage.fr:88
    default_domain = ircadstage.fr
  }

[domain_realm]
   .ircadstage.fr = IRCADSTAGE.FR
   ircadstage.fr = IRCADSTAGE.FR

Thanks !

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax   : +33. (0)3.88.11.90.99
mailto:christian.haessig at ircad.u-strasbg.fr
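
Added example, not part of the original post: a small decoder for the level 3 log excerpt above. It rejoins the wrapped message lines, names the SPNEGO mechanism OIDs the client offered, and names the Kerberos enctype that failed to decrypt. The function names are hypothetical, and the sample input is constructed from lines quoted in the post.

```python
import re

# Constructed sample: lines copied from the level 3 log quoted in the post.
SAMPLE_LOG = """\
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""

# SPNEGO mechanism OIDs, written the way smbd logs them (space-separated arcs).
MECH_OIDS = {
    "1 2 840 48018 1 2 2": "MS-KRB5 (legacy Microsoft Kerberos 5 OID)",
    "1 2 840 113554 1 2 2": "Kerberos 5",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}
# Kerberos enctype numbers (standard assignments; subset relevant here).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac"}
HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")

def parse_records(text):
    """Group the log into records: a header line plus its (possibly wrapped) message."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():  # continuation of the current message
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def summarize(text):
    """Return the mechanisms the client offered and the enctypes that failed to decrypt."""
    offered, failed = [], []
    for rec in parse_records(text):
        m = re.match(r"Got OID ([\d ]+)$", rec["msg"])
        if m:
            offered.append(MECH_OIDS.get(m.group(1), "unknown " + m.group(1)))
        m = re.search(r"enc type \[(\d+)\] failed to decrypt with error (.+)", rec["msg"])
        if m:
            failed.append((ENCTYPES.get(int(m.group(1)), "enctype " + m.group(1)), m.group(2)))
    return {"offered": offered, "failed": failed}
```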


