[Samba] Re: BUG 1717 [was Re: Re: Samba 3.0.6 Problems w/AD and Kerberos]
Josh T
mortonjt at rochester.rr.com
Mon Sep 13 14:01:50 GMT 2004
Gerald (Jerry) Carter wrote:
> Josh T wrote:
> |
> | I then downloaded and compiled Samba 3.0.5 and
> | set it up. It was working last night, however
> | this morning I started having the same problems...
>
> Are the clocks drifting out of sync perhaps ? Can
> you send me a level 10 debug log of the complete
> failure? Please also include your /etc/krb5.conf
> and smb.conf file. Thanks.
>
Unfortunately, since it was a VMWare test machine, I have already
reverted back to the clean install. I then used the 3.0.5 debian
packages & Debian 1.2.4 MIT kerberos rather than locally compiling
anything and it's been working fine, so maybe I did something wrong or
missed something when I downgraded the 3.0.6 to 3.0.5.
Anyway, I just upgraded the test machine via Debian packages to 3.0.6
and it definitely breaks - log and config files follow. Let me know if
there's anything I can do to help figure this out. (Jerry - I can
privately mail you full logs, etc. if you still want them - corporate
policy makes me cautious in posting anything with real names/ip
addresses/etc.)
Josh
(snippet from log level = 10 log.ipaddress of a Windows 2000 SP 4 client)
[2004/09/13 09:00:21, 10] lib/util.c:name_to_fqdn(2501)
  name_to_fqdn: lookup for VIRTUALSMB -> VIRTUALSMB.mydomain.local.
[2004/09/13 09:00:21, 10] passdb/secrets.c:secrets_named_mutex(701)
  secrets_named_mutex: got mutex for replay cache mutex
[2004/09/13 09:00:21, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/09/13 09:00:21, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/09/13 09:00:21, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/09/13 09:00:21, 10] passdb/secrets.c:secrets_named_mutex_release(713)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/09/13 09:00:21, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/09/13 09:00:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/13 09:00:21, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
### Here is the result of "klist tickets" on the W2K client:
Server: krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 9/13/2004 17:24:18
Renew Time: 9/13/2004 10:24:18
Server: HOST/virtualsmb@MYDOMAIN.LOCAL
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 9/13/2004 10:24:18
Renew Time: 9/13/2004 10:24:18
#### Here is /etc/samba/smb.conf:
[global]
workgroup = MYDOMAIN
netbios name = VIRTUALSMB
security = ADS
realm = MYDOMAIN.LOCAL
encrypt passwords = true
password server = DC1.MYDOMAIN.LOCAL
hosts allow = 192.168.1. 127.
log file = /var/log/samba/log.%m
log level = 3
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
[data]
comment = Data Files
path = /data
read only = no
admin users = "@Domain Admins"
### Here is /etc/krb5.conf:
[libdefaults]
default_realm = MYDOMAIN.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
MORTONSS109.LOCAL = {
kdc = DC1.MYDOMAIN.LOCAL
kdc = DC2.MYDOMAIN.LOCAL
admin_server = DC1.MYDOMAIN.LOCAL
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
kdc = kerberos-3.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CYGNUS.COM = {
kdc = KERBEROS.CYGNUS.COM
kdc = KERBEROS-1.CYGNUS.COM
admin_server = KERBEROS.CYGNUS.COM
}
GREY17.ORG = {
kdc = kerberos.grey17.org
admin_server = kerberos.grey17.org
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
[login]
krb4_convert = true
krb4_get_tickets = true
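
A triage sketch for the log excerpt in this message, added here as an example (not part of the original post and not Samba code): it lists each enctype smbd tried and separates "Bad encryption type" (the key's type differs from the ticket's) from "Decrypt integrity check failed" (the type matches but the key does not decrypt the ticket). The sample log is constructed from the excerpt with its mail line wraps kept; the function names are hypothetical.

```python
import re

# IANA-assigned Kerberos encryption type numbers.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}

# Constructed sample modelled on the excerpt in the post, line wraps included.
SAMPLE_LOG = """\
[2004/09/13 09:00:21, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error
Bad encryption type
[2004/09/13 09:00:21, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Bad encryption type
[2004/09/13 09:00:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Decrypt integrity check failed
"""

ATTEMPT = re.compile(r"enc type \[(\d+)\] failed to decrypt with error "
                     r"(.+?)(?= \[\d{4}/\d\d/\d\d |$)")

def classify(error):
    """Map the Kerberos error string to what it says about the key tried."""
    if error == "Bad encryption type":
        return "enctype-mismatch"   # ticket is not encrypted with this type
    if error == "Decrypt integrity check failed":
        return "key-mismatch"       # type matches; usual cause is a wrong key
    return "other"

def triage(log_text):
    """Return (attempts, suspects): every key tried, and the enctypes whose
    type matched the ticket but whose key failed the integrity check."""
    flat = " ".join(log_text.split())   # undo mail/archive line wrapping
    attempts = [(int(n), ENCTYPES.get(int(n), "unknown"), classify(err))
                for n, err in ATTEMPT.findall(flat)]
    suspects = [name for _, name, kind in attempts if kind == "key-mismatch"]
    return attempts, suspects

if __name__ == "__main__":
    attempts, suspects = triage(SAMPLE_LOG)
    for num, name, kind in attempts:
        print(f"enctype {num:>2} ({name}): {kind}")
    print("key to re-check against the KDC:", ", ".join(suspects) or "none")
```

On the sample, the only key-mismatch is des-cbc-md5, the same type the client's klist output shows for the HOST/virtualsmb service ticket.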