[Samba] -failed to verify ticket-, smb-3.0.7, mit krb5 1.3.1

samba at fredsnet.org
Mon Oct 25 21:48:13 GMT 2004


Hi everyone,

I've done a lot of reading on this issue over the last couple of days.
I had a "Red Hat Linux release 9 (Shrike)" box running 3.0.3a and the
stock Red Hat krb5 package, and it was authenticating against a w2k AD
domain (over which I have very little control save for my little OU).

Things were working OK, but I wanted to update it to the new bug-fixed
versions.

!!!!important!!!
My AD environment was upgraded from w2k to w2k3 in the past 4 months.
!!!!!!!!!

I uninstalled samba and krb, then compiled samba 3.0.7 and MIT Kerberos
1.3.5 from sources, and had the issues described below. I uninstalled them
both and cleaned out the cache files, the tdb's, etc.

I installed the package from samba's ftp site, and the krb5 package that
Jerry has in his ftp space.

Here's what I found....

I was able to join the domain, do all the wbinfo's, do all the getent's, do
all the net ads *** and return valid data from the ADS.

I am able to see the share from my "w2k pro sp4" box by using the samba
server's FQDN or IP address.  If I don't use the FQDN or IP, I get the
"failed to verify incoming ticket" in the log.

Now the interesting (I think) part.  I can access the share from an XP Pro
box using the NetBIOS name, whereas with a fully patched 2kpro box, I
have to use the FQDN or IP.

Any thoughts???

Here are my config files. Also check out the little snippets of log files
there.
I get a different logfile name from my win2k box if I use the IP than I do
if I use the NetBIOS name of the server.

#############smb.conf#################
# Global parameters
[global]
        workgroup = US
        realm = US.RAY.COM
        server string = Samba 3.02a Server
        interfaces = eth0
        security = ADS
        auth methods = winbind
        password server = eadc-gc101.us.ray.com
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        os level = 5
        preferred master = No
        local master = No
        domain master = No
        browse list = No
        enhanced browsing = No
        dns proxy = No
        wins server = 138.127.100.204
        ldap ssl = no
        socket address =
        idmap uid = 70000-200000
        idmap gid = 70000-200000
        winbind separator = +
        valid users = @"us+adc-rfc users",us+dussaulta
        admin users = @"us+adc-it admin"
        read list = @"us+adc-rfc users"
        write list =@"us+adc-site support"
        hosts allow = 138.127.100.0/255.255.252.0
        map acl inherit = Yes

[prod]
        comment = Production Elements
        path = /data/share/prod
        write list = @"us+adc-site support", @"us+adc-fab rf test"
        read only = No
#########################################################
 krb5.conf
[libdefaults]
dns_fallback = true

##############################################
log.winbindd
2004/10/25 16:52:18, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7 started.
  Copyright The Samba Team 2000-2004
[2004/10/25 16:52:18, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/10/25 17:04:47, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/10/25 17:30:13, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7 started.
  Copyright The Samba Team 2000-2004
[2004/10/25 17:30:14, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
#################################################

If I connect using the FQDN I get this:
log.adc020601-069    <my machine's netbios name   (w2kpro sp4 patched.)

(-------------snip--------------------)
[2004/10/25 16:54:17, 1] smbd/service.c:make_connection_snum(648)
  adc020601-069 (138.127.101.159) connect to service prod initially as
user US+dussaulta (uid=0, gid=71750) (pid 16977)
[2004/10/25 16:55:28, 1] smbd/service.c:close_cnum(837)
  adc020601-069 (138.127.101.159) closed connection to service prod
[root at eadc-fs004 samba]# more log.adc020601-069
[2004/10/25 16:54:17, 1] smbd/service.c:make_connection_snum(648)
  adc020601-069 (138.127.101.159) connect to service prod initially as
user US+dussaulta (uid=0, gid=71750) (pid 16977)
[2004/10/25 16:55:28, 1] smbd/service.c:close_cnum(837)
  adc020601-069 (138.127.101.159) closed connection to service prod

(--------------------snip----------------------)
########################################################
If I try to connect using the server's NetBIOS name I get this:

log.138.127.101.159                 my win2kpro sp4 box patched
(--------------snip-------------)
2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
(-----------------snip---------------)
#############################################
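
An added example, not part of the original post: a small Python parser for smbd log excerpts in the format shown above, which counts "Failed to verify incoming ticket!" records per timestamp and extracts the client, share, user and uid from each successful connect record. The sample text, client name, address and user are constructed.

```python
import re
from collections import Counter

# Record header, e.g. "[2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)".
# The leading "[" is optional because pasted excerpts sometimes lose it.
HEADER = re.compile(
    r"^\[?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
CONNECT = re.compile(
    r"^(?P<client>\S+) \((?P<ip>[\d.]+)\) connect to service (?P<share>\S+) "
    r"initially as user (?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)")

def parse_records(text):
    """Split log text into records; message lines (even mail-wrapped ones) are joined."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line and not line.startswith("(-"):  # skip "(---snip---)"
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def ticket_failures(records):
    """Count Kerberos ticket verification failures per timestamp."""
    return Counter(r["ts"] for r in records
                   if r["func"] == "reply_spnego_kerberos"
                   and "Failed to verify incoming ticket" in r["msg"])

def connections(records):
    """Return client, share, user and uid/gid for each successful share connection."""
    hits = (CONNECT.match(r["msg"]) for r in records
            if r["func"] == "make_connection_snum")
    return [m.groupdict() for m in hits if m]

# Constructed sample in the format of the excerpts above (names and address are made up).
SAMPLE = """\
2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
(-----snip-----)
[2004/10/25 16:54:17, 1] smbd/service.c:make_connection_snum(648)
  clienta (192.0.2.10) connect to service prod initially as
user EXAMPLE+alice (uid=0, gid=71750) (pid 16977)
"""
```

A connect record with uid=0 means smbd is performing that session's file operations as root, as happens for accounts matched by `admin users`.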





