[Samba] Failed to verify incoming ticket

Olivier Mehani olivier.mehani at linbox.com
Thu Oct 28 12:52:47 GMT 2004


On Fri Jul 30 17:10:45 2004
nuno.silva at novabase.pt (Nuno Silva) wrote:

> > I'm trying to get Samba 3.0.2 working against a Windows 2003 Active
> > Directory. I can join the Linux box (RedHat Advanced Server) to the
> > domain using "net ads join" and it appears in the Windows machine's
> > Users and Computers snap in but when trying to map a drive from
> > Windows you just get a continuous password dialog box and on the
> > Linux box Samba produces the following error in the Samba log:
> > 
> > Smbd/sesssetup.c:reply_spnego_kerberos(173)
> >   Failed to verify incoming ticket!
> 
> This is probably a problem with your kerberos version.

I have been having the very same problem and managed to solve this. I'm
posting an answer to this question so that others can find this if
needed. (I'm not subscribed to the list, so please CC follow-ups if
needed).

The problem is, as you said, with the Kerberos version. I first used
MIT's implementation of Kerberos. Samba clients could correctly access
my Samba server (and I could see the KRB requests going to and from the
Win2k AD server), but as soon as I tried the same with a Windows-based
client, nothing worked: the Windows box kept asking for a valid
user/pass even though the given ones were correct, and I got the same
"failed tickets" entries in my smbd logs.

I solved the problem by compiling Samba (3.0.7) against Heimdal Kerberos
instead of MIT.

As far as I understand the problem, this is due to MIT not supporting
the kind of encryption the Windows client is using to get the
tickets (this explains the problem not occurring with Samba clients).

Here is my smb.conf, in case it's needed:
-----
password server = ADVSERV
security = ADS
realm = EXAMPLE.COM
encrypt passwords = yes
client use spnego = no
username map = /usr/local/samba-ads/lib/username_map
workgroup=EXAMPLE
auth methods = winbind
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000

[tmp]
        path = /tmp
        browsable = yes
        writeable = yes
        preserve case = yes

[homes]
	comment = Home Directories
	valid users = %S
	force user = %S
	writable = yes
	guest ok = no
	browseable = no
-----

And (roughly) the process I followed to register the machine was:
# kinit Administrator at EXAMPLE.COM
Administrator at EXAMPLE.COM's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ADuser at EXAMPLE.COM
    Cache version: 4

Server: krbtgt/EXAMPLE.COM at EXAMPLE.COM
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
End time:   Oct 29 00:38:00 2004
Renew till: Nov  4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

# net ads join
Using short domain name -- EXAMPLE
Joined 'FOO' to realm 'EXAMPLE.COM'
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ADuser at EXAMPLE.COM
    Cache version: 4

Server: krbtgt/EXAMPLE.COM at EXAMPLE.COM
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
End time:   Oct 29 00:38:00 2004
Renew till: Nov  4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

Server: advserv$@EXAMPLE.COM
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time:   Oct 29 00:38:00 2004
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:172.20.0.133

Server: kadmin/changepw at EXAMPLE.COM
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time:   Oct 29 00:38:00 2004
Ticket flags: pre-authenticated
Addresses: IPv4:172.20.0.133

At this point, I could have Windows-using users connect to the Samba
server and have them mapped to Unix users thanks to the username map.

-- 
Olivier Mehani <olivier.mehani at linbox.com>
Free&ALter Soft/Linbox - Paris
http://www.linbox.com
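As an added example, not part of Olivier's post, here is a small Python parser for the Heimdal `klist -v` listing format shown above. It reports each ticket's enctype and flags and marks RC4- and DES-based enctypes such as arcfour-hmac-md5 (the only type appearing in the post's cache) as legacy per RFC 8429; the listing below is a constructed sample in that shape, with the second ticket's etype changed to an AES type so both outcomes are exercised.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample shaped like the Heimdal "klist -v" output in the post;
# values are placeholders, not taken from a live credential cache.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ADuser@EXAMPLE.COM
    Cache version: 4

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
End time:   Oct 29 00:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

Server: advserv$@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96
Auth time:  Oct 28 14:38:00 2004
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:172.20.0.133
"""

# RC4 and (3)DES enctypes, deprecated by RFC 8429 (Heimdal spellings).
LEGACY_ETYPES = {"arcfour-hmac-md5", "arcfour-hmac-md5-exp",
                 "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

@dataclass
class Ticket:
    server: str
    etype: str
    flags: list[str]

    @property
    def legacy_etype(self) -> bool:
        return self.etype in LEGACY_ETYPES

def parse_klist(text: str) -> list[Ticket]:
    """One Ticket per blank-line-separated 'Server:' block; header block skipped."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if "Server" not in fields:
            continue                                 # "Credentials cache" header
        flags = [f.strip() for f in fields.get("Ticket flags", "").split(",") if f.strip()]
        tickets.append(Ticket(fields["Server"], fields.get("Ticket etype", "unknown"), flags))
    return tickets

def weak_ticket_servers(tickets: list[Ticket]) -> list[str]:
    """Service principals whose ticket was issued with a legacy enctype."""
    return [t.server for t in tickets if t.legacy_etype]

if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        print(f"{t.server:35} {t.etype:25} legacy={t.legacy_etype} flags={t.flags}")
```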
