[Samba] Samba samba-3.0.11 Upgrade Problems

Mark Irving marki at cumcmemphis.org
Tue Feb 8 17:11:34 GMT 2005 

I recently upgraded a backup fileserver used for testing purposes from
samba-3.0.10 to the current samba-3.0.11 using the FreeBSD portupgrade.
The fileserver is setup in a W2K AD. The fileserver uses Winbind to get
AD accounts and shares are created on the Samba server. Worked fine
until the upgrade. 
 
Here is a copy of the current smb.conf 
[global]
        unix charset = LOCALE
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = Backup Server
        security = ADS
        hosts allow = IP Address. 127.
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 5
        syslog = 0
        ldap ssl = no
        enable privileges = no # added this to test with new samba
version. I have tried it with set to yes or left out. Same results.
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = "DOMAIN\Domain Users"
        template shell = /usr/local/bin/bash
        winbind use default domain = yes
        interfaces = IP Address/24
        local master = no
        domain master = no
        preferred master = no
        admin users = "DOMAIN\Administrator"
        valid users = "DOMAIN\Domain Users"
        dos filemode = yes
[homes]
        comment = Home Directories
        valid users = %S
        read only = no
        browseable = no
[www]
        comment = web directories
        path = /home/username
        read only = no
        browseable = yes
        force user = username
 
When I try to connect to the share www from a Windows machine in the
domain, I get a standard can't connect error. When I try connecting by
computer name \\COMPUTER , I am prompted for a username and password,
none of which works.
 
After turning on full logging, I receive the following errors in:
Computer trying to connect logfile:
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error
Message size is incompatible with encryption type
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
  ads_secrets_verify_ticket: enc type [5] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
  ads_secrets_verify_ticket: enc type [2] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3] libads/kerberos_verify.c:ads_verify_ticket(313)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown error: 0)
[2005/02/08 08:28:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/02/08 08:28:21, 3] smbd/error.c:error_packet(105)
  error string = Invalid argument
[2005/02/08 08:28:21, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
 
Winbind Logfile:
[2005/02/08 08:33:32, 5] nsswitch/winbindd_ads.c:trusted_domains(842)
  trusted_domains: Could not open a connection to DOMAIN for
PIPE_NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)

Smbd Logfile:
No listed errors.
 
I can:
-kinit administrator at DOMAIN.COM obtain a ticket
-klist view ticket details
-wbinfo -u enumerate users
-wbinfo -g enumerate groups
-wbinfo -r username get user groups
-net ads leave 
-net ads join -U administrator
 
All of the above give no errors at all.
 
System specs:
FreeBSD 5.2.1-RELEASE #0: 
heimdal-0.6.3_2 (configured with LDAP)
samba-3.0.11,1  (configured with LDAP, ADS, WINBIND, ACL_SUPPORT and
UTMP)
openldap-client-2.2.23 
 
If I try to chown on the Samba Server chown administrator or chown
DOMAIN\administrator or if I try to chgrp a domain group, I get an
invalid argument error, which is usually given when winbind is having
problems. I could do this previously before the upgrade. When I do that
the winbind log has the following errors:
 

[2005/02/08 11:03:01, 5] nsswitch/winbindd_ads.c:trusted_domains(842)
  trusted_domains: Could not open a connection to DOMAIN for
PIPE_NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/02/08 11:03:05, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [49820]: request interface version
[2005/02/08 11:03:05, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [49820]: request location of privileged pipe
[2005/02/08 11:03:05, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 20, pid 49820: EOF
[2005/02/08 11:03:05, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
  [49820]: getpwnam administrator
[2005/02/08 11:03:05, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'administrator' does not exist
[2005/02/08 11:03:05, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 21, pid 49820: EOF
 
For the sake of argument, I tried this on another machine that was
similarly configured. After the upgrade, the result was the same as the
above. 
 
So is there are bug in the latest release or does it have to do with
some of the new features in samba-3.0.11?
 
Any help would be appreciated.
 
Thanks,
Mark Irving

More information about the samba mailing list