[Samba] Failed to verify ticket ?

Aden, Steve saden at itscommunications.com
Wed May 12 14:39:11 GMT 2004


I have found that putting the port numbers after the server names seems to make things work better.

Example:

[realms]
  TESTLAB.LOCAL = {
  kdc = ADS.TESTLAB.LOCAL:88
  admin_server = ADS.TESTLAB.LOCAL:749
  default_domain = TESTLAB.LOCAL
  }

[domain_realm]
  .testlab.local = TESTLAB.LOCAL
  testlab.local = TESTLAB.LOCAL

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

Good Luck,
Steve Aden



-----Original Message-----
From: Yohann Ferreira [mailto:bertram25 at hotmail.com] 
Sent: Wednesday, May 12, 2004 10:17 AM
To: samba at lists.samba.org
Subject: [Samba] Failed to verify ticket ?


Hi!

My problem is this:
[2004/05/12 16:07:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/05/12 16:07:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/05/12 16:07:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/05/12 16:07:59, 0] lib/util_sock.c:read_socket_data(342)
  read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/05/12 16:07:59, 1] smbd/service.c:close_cnum(887)
  saisie-srag (10.143.31.100) closed connection to service tmp

A W2K client can't log on to my Samba server.

Here's my krb5.conf:

[logging]
	default = FILE:/var/log/kerberos/krb5libs.log
	kdc = FILE:/var/log/kerberos/krb5kdc.log
	admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
	ticket_lifetime = 24000
	default_realm = DRAF.FC
	default_tgs_enctypes = des-cbc-crc des-cbc-md5
	default_tkt_enctypes = des-cbc-crc des-cbc-md5
	permitted_enctypes = des-cbc-crc des-cbc-md5

#default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
#default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
#permitted_enctypes = des3-hmac-sha1 des-cbc-crc

	dns_lookup_realm = false
	dns_lookup_kdc = false
	kdc_req_checksum_type = 2
	checksum_type = 2
	ccache_type = 1
	forwardable = true
	proxiable = true

[realms]
	DRAF.FC = {
	kdc = draffc3.draf.fc
	default_domain = DRAFFCOMTE
}

[domain_realm]
	.draf.fc = DRAF.FC

[kdc]
	profile = /etc/kerberos/krb5kdc/kdc.conf

[pam]
	debug = false
	ticket_lifetime = 36000
	renew_lifetime = 36000
	forwardable = true
	krb4_convert = false

[appdefaults]
	pam = {
	debug = true
	ticket_lifetime = 36000
	renew_lifetime = 36000
	forwardable = true
	krb4_convert = true
	afs_cells = draffc3.draf.fc
	hosts = draffc3.draf.fc
	max_timeout = 30
	timeout_shift = 2
	initial_timeout = 1
	}

[login]
	krb4_convert = false
	krb4_get_tickets = false

Any idea about my misconfiguration in Kerberos, everyone?

Please, just answer me on that and I'll let you breathe!

Thanks for reading

Bertram
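
An added example, not part of either poster's message or of Samba: a small Python check for krb5.conf files like the ones in this thread. It flags section headers that are not recognised names (for instance `[domain_realm]` typed with a trailing "s") and `[domain_realm]` entries that point at a realm not defined under `[realms]`. The `parse` and `lint` helpers, the section list and the sample text are assumptions made for the illustration.

```python
import difflib
import re

# krb5.conf section names; "login" and "kdc" appear in older sample files.
KNOWN_SECTIONS = ["libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "plugins", "logging", "login", "kdc"]
# Constructed sample (not from a real host): note the trailing "s" in the header.
SAMPLE = """
[realms]
  TESTLAB.LOCAL = {
    kdc = ADS.TESTLAB.LOCAL:88
  }
[domain_realms]
  .testlab.local = TESTLAB.LOCAL
"""

def parse(text):
    """Return ({section: [(key, value)]}, set of realm names defined in [realms])."""
    sections, realms, current, depth = {}, set(), None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line == "}":
            depth -= 1
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":  # start of a nested block such as a realm definition
                if current == "realms" and depth == 0:
                    realms.add(key)
                depth += 1
            else:
                sections[current].append((key, value))
    return sections, realms

def lint(text):
    sections, realms = parse(text)
    findings = []  # an empty list means nothing was flagged
    for name in sections:
        if name not in KNOWN_SECTIONS:
            near = difflib.get_close_matches(name, KNOWN_SECTIONS, n=1)
            findings.append(f"unknown section [{name}]" + (f", did you mean [{near[0]}]?" if near else ""))
    for domain, realm in sections.get("domain_realm", []):
        if realm not in realms:
            findings.append(f"{domain} maps to undefined realm {realm}")
    return findings
```

Calling `lint(SAMPLE)` returns one finding for the misspelled header; a section the library does not recognise is typically ignored without an error, so the host-to-realm mapping it was meant to carry never takes effect.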
