[Samba] Samba kerberos authentication issues with samba 3.0.7

Al Al al_al_al at mail.com
Wed Oct 27 07:21:19 GMT 2004


Hello.

I'm having difficulty running kerberized samba on my Linux box in my Windows ADS domain.  Specifically, smbclient -k //server/share fails with a "session setup failed: NT_STATUS_LOGON_FAILURE" error message.  I ran smbd with -d 3 debugging verbosity, and the following came out on stdout/stderr.  I marked the interesting lines with ***'s:

# smbd -i -d 3
get_current_groups: user is in 16 groups: 0, 1, 2, 3, 4, 6, 10, 12, 7, 4, 9, 6, 5, 3, 2, 8
smbd version 3.0.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
uid=0 gid=0 euid=0 egid=0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[al]"
adding IPC service
adding IPC service
added interface ip=10.50.195.251 bcast=10.50.199.255 nmask=255.255.248.0
loaded services
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
start_background_queue: Starting background LPQ thread
waiting for a connection
open_oplock_ipc: opening loopback UDP socket.
Linux kernel oplocks enabled
open_oplock ipc: pid = 7353, global_oplock_port = 32836
Transaction 0 of length 183
switch message SMBnegprot (pid 7353) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [Samba]
using SPNEGO
Selected protocol NT LANMAN 1.0
Transaction 1 of length 2054
switch message SMBsesssetupX (pid 7353) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
Got OID 1 2 840 48018 1 2 2
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 1914
*** ads_keytab_verify_ticket: krb5_kt_next_entry failed (Bad encryption type)
*** ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
*** ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
*** Failed to verify incoming ticket!
*** error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
timeout_processing: End of file from client (client has disconnected).
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to 
Server exit (normal exit)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to 
yield_connection: tdb_delete for name  failed with error Record does not exist.

In case it will provide any hints, I will also provide the ticket cache on the machine running smbclient and the keytab contents on the machine with the share:

[lnx251 samba]# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/lnx251.company.com at NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
   3 host/lnx251.company.com at NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   3 host/lnx251.company.com at NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1) 
   3 host/lnx251.company.com at NA.COMPANY.COM (ArcFour with HMAC/md5) 
   3 host/lnx251.company.com at NA.COMPANY.COM (DES cbc mode with CRC-32) 
   3 host/lnx251.company.com at NA.COMPANY.COM (DES cbc mode with RSA-MD5) 
   3 host/lnx251.company.com at NA.COMPANY.COM (DES cbc mode with RSA-MD4) 
   3 cifs/lnx251.company.com at NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
   3 cifs/lnx251.company.com at NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   3 cifs/lnx251.company.com at NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1) 
   3 cifs/lnx251.company.com at NA.COMPANY.COM (ArcFour with HMAC/md5) 
   3 cifs/lnx251.company.com at NA.COMPANY.COM (DES cbc mode with CRC-32) 
   3 cifs/lnx251.company.com at NA.COMPANY.COM (DES cbc mode with RSA-MD5) 
   3 cifs/lnx251.company.com at NA.COMPANY.COM (DES cbc mode with RSA-MD4) 
   3 host/lnx251 at NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
   3 host/lnx251 at NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   3 host/lnx251 at NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1) 
   3 host/lnx251 at NA.COMPANY.COM (ArcFour with HMAC/md5) 
   3 host/lnx251 at NA.COMPANY.COM (DES cbc mode with CRC-32) 
   3 host/lnx251 at NA.COMPANY.COM (DES cbc mode with RSA-MD5) 
   3 host/lnx251 at NA.COMPANY.COM (DES cbc mode with RSA-MD4) 
   3 cifs/lnx251 at NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
   3 cifs/lnx251 at NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   3 cifs/lnx251 at NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1) 
   3 cifs/lnx251 at NA.COMPANY.COM (ArcFour with HMAC/md5) 
   3 cifs/lnx251 at NA.COMPANY.COM (DES cbc mode with CRC-32) 
   3 cifs/lnx251 at NA.COMPANY.COM (DES cbc mode with RSA-MD5) 
   3 cifs/lnx251 at NA.COMPANY.COM (DES cbc mode with RSA-MD4) 

------------------------------------------------------------

al at lnx135.company.com/home/al> klist -e
Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
Default principal: al at NA.COMPANY.COM

Valid starting     Expires            Service principal
10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM at NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 
10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5 


Kerberos 4 ticket cache: /tmp/tkt6568
klist: You have no tickets cached


-----------------------------------------


Finally, a few notes about my setup:

o Linux boxen are NOT in DNS, but in hosts files/maps... FQDN first, then short hostnames
o The machine with the share is a member of the domain, thanks to net ads join... I had to use Microsoft's setspn.exe to add service principal names, though, because when the machine joined the domain, the SPNs were host/lnx251.na.company.com instead of host/lnx251.company.com, etc.  Afterwards, the keytab was populated with 'net ads keytab'.
o samba-3.0.7
o krb5-workstation-1.3.4
o RedHat Enterprise Linux Workstation 3.0 on both machines
o Windows Server 2003 as the ADS server

If anyone has any suggestions or ideas that could help me, I would truly appreciate it.

Also, if there's anything else I should provide, let me know.


Thank you very much,
Al
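As an added illustration (not part of Al's post and not Samba code), here is a small Python check that parses `klist -k -e` and `klist -e` output like the listings above and reports, for each service ticket, whether the server's keytab holds that principal with the ticket's enctype; the embedded samples are constructed from the post's listings, abridged and with '@' restored. On those listings it flags the `lnx251$` ticket, whose principal is not among the host/ and cifs/ entries in the keytab.

```python
import re
# Constructed samples modelled on the listings in the post (abridged, '@' restored).
KEYTAB_LISTING = """\
   3 host/lnx251.company.com@NA.COMPANY.COM (ArcFour with HMAC/md5)
   3 host/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD5)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (ArcFour with HMAC/md5)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD5)
"""
CCACHE_LISTING = """\
10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
"""
KT_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\((.+)\)\s*$")                      # kvno principal (enctype)
TKT_RE = re.compile(r"^\d\d/\d\d/\d\d \S+\s+\d\d/\d\d/\d\d \S+\s+(\S+)")    # start expires principal
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+?)\s*$")           # session-key, ticket enctype

def parse_keytab(text):
    """Map principal -> set of enctype names, from `klist -k -e` output."""
    keys = {}
    for line in text.splitlines():
        m = KT_RE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys

def parse_ccache(text):
    """List (service principal, ticket enctype) pairs from `klist -e` output."""
    tickets, princ = [], None
    for line in text.splitlines():
        m = TKT_RE.match(line)
        if m:
            princ = m.group(1)          # remember the ticket's service principal
            continue
        m = ETYPE_RE.search(line)
        if m and princ:                 # the following line carries its enctypes
            tickets.append((princ, m.group(2)))
            princ = None
    return tickets

def check_tickets(keytab_text, ccache_text):
    """Per service ticket, say whether the server keytab could decrypt it."""
    keys, report = parse_keytab(keytab_text), {}
    for princ, etype in parse_ccache(ccache_text):
        if princ.startswith("krbtgt/"):     # the TGT is the KDC's to decrypt, not smbd's
            continue
        have = keys.get(princ)
        report[princ] = ("principal not in keytab" if have is None
                         else "ok" if etype in have else "enctype not in keytab: " + etype)
    return report
```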
