[Samba] Message size is incompatible with encryption type

Toll, Eric etoll at vipstructures.com
Fri Oct 28 20:00:28 GMT 2005


Hello all, I have a nice dual Opteron server with a lot of
disk space I'd like to let Windows ADS groups use. I am
running FreeBSD (AMD64) 5.4-RELEASE-p1 with samba-3.0.20,1.

I joined the ADS domain. Smbclient works perfectly.
The server shows up in "My Network Places". When I click on it, I
get a login box and no credentials will authenticate me.

Read some of the samba docs, and found it amusing that many
times the scenario of departments/personnel/politics etc
were explained before a config was given. (See my first
sentence!)

The only other piece to the puzzle is how do I grant rights
to the UNIX/Samba shares? E.g. I want the ADS group
"Archives" to have read only access to the Archives, but ADS
Domain admins can have read/write to the samba share Archives.


I looked around on the net and I'm not sure what is wrong.
Thanks much list!

Eric



Smb.conf:
[global]
        workgroup = WORKGROUP
        realm = DOMAIN.COM
        server string = 64bit FreeBSD Samba Box
        security = ADS
        auth methods = winbind
        password server = 192.168.x.x
        passdb backend = tdbsam
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = 192.168.X.X
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 20000-30000
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        invalid users = root
        acl group control = Yes
        inherit permissions = Yes
        inherit acls = Yes
        hosts allow = 192.168.X., 127.
        hosts deny = ALL

[Archives]
        comment = Archives
        path = /usr/Archives
        read only = Yes
        guest ok = Yes




/var/log/samba/workstation-Log (all happened in less than a
second)

[2005/10/28 15:20:06, 3] smbd/oplock.c:init_oplocks(1380)
  open_oplock_ipc: opening loopback UDP socket.
[2005/10/28 15:20:06, 3] smbd/oplock.c:init_oplocks(1380)
  open_oplock_ipc: opening loopback UDP socket.
[2005/10/28 15:20:06, 3] smbd/oplock.c:init_oplocks(1411)
  open_oplock ipc: pid = 98079, global_oplock_port = 57632
[2005/10/28 15:20:06, 3] smbd/oplock.c:init_oplocks(1411)
  open_oplock ipc: pid = 98080, global_oplock_port = 58261
[2005/10/28 15:20:06, 3] lib/access.c:check_access(313)
  check_access: no hostnames in host allow/deny list.
[2005/10/28 15:20:06, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.X.X)
[2005/10/28 15:20:06, 3] smbd/process.c:process_smb(1114)
  Transaction 0 of length 72
[2005/10/28 15:20:06, 3] lib/access.c:check_access(313)
  check_access: no hostnames in host allow/deny list.
[2005/10/28 15:20:06, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.X.X)
[2005/10/28 15:20:06, 3] smbd/process.c:process_smb(1114)
  Transaction 0 of length 137
[2005/10/28 15:20:06, 2] smbd/reply.c:reply_special(448)
  netbios connect: name1=RODAN
name2=ERIC-AMD-4200X2
[2005/10/28 15:20:06, 2] smbd/reply.c:reply_special(455)
  netbios connect: local=rodan remote=eric-amd-4200x2, name
type = 0
[2005/10/28 15:20:06, 3] smbd/process.c:switch_message(900)
  switch message SMBnegprot (pid 98080) conn 0x0
[2005/10/28 15:20:06, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/10/28 15:20:06, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2005/10/28 15:20:06, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [LANMAN1.0]
[2005/10/28 15:20:06, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [Windows for Workgroups 3.1a]
[2005/10/28 15:20:06, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [LM1.2X002]
[2005/10/28 15:20:06, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [LANMAN2.1]
[2005/10/28 15:20:06, 3] smbd/negprot.c:reply_negprot(466)
  Requested protocol [NT LM 0.12]
[2005/10/28 15:20:06, 3] smbd/negprot.c:reply_nt1(337)
  using SPNEGO
[2005/10/28 15:20:06, 3] smbd/negprot.c:reply_negprot(559)
  Selected protocol NT LM 0.12
[2005/10/28 15:20:06, 3] smbd/process.c:process_smb(1114)
  Transaction 1 of length 1572
[2005/10/28 15:20:06, 3] smbd/process.c:switch_message(900)
  switch message SMBsesssetupX (pid 98080) conn 0x0
[2005/10/28 15:20:06, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_sesssetup_and_X(751)
  wct=12 flg2=0xc807
[2005/10/28 15:20:06, 2]
smbd/sesssetup.c:setup_new_vc_session(704)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we
would close all old resources.
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(588)
  Doing spnego session setup
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(619)
  NativeOS=[Windows 2002 Service Pack 2 2600]
NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_spnego_negotiate(480)
  Got OID 1 2 840 48018 1 2 2
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_spnego_negotiate(480)
  Got OID 1 2 840 113554 1 2 2
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_spnego_negotiate(480)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_spnego_negotiate(483)
  Got secblob of size 1340
[2005/10/28 15:20:06, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt
with error Message size is incompatible with encryption type
[2005/10/28 15:20:06, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [5] failed to decrypt
with error Message size is incompatible with encryption type
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_spnego_kerberos(179)
  Ticket name is [user at DOMAIN.COM]
[2005/10/28 15:20:06, 1]
smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username DOMAIN\user is invalid on this system
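
An added example, not part of the original post: a Python triage of the smbd log above that re-joins the mail-wrapped entries and extracts, in logged order, the SPNEGO mechanisms offered, the per-enctype ticket decryption failures, the Kerberos principal, and the account name smbd finally rejected. The function names and the shortened SAMPLE excerpt are this example's own; the mechanism and enctype names are the standard ones for the numbers in the log.

```python
import re

# Entry header: "[2005/10/28 15:20:06, 3] file.c:func(line)". Mail wrapping can
# push "file.c:func(line)" onto the next line, and the "[" may be lost in pasting.
HEADER = re.compile(r"^\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+"
                    r"(\S+?):(\w+)\((\d+)\)[ \t]*\n", re.M)
# Standard names for the SPNEGO mechanism OIDs and Kerberos enctype numbers.
MECHS = {"1 2 840 48018 1 2 2": "MS Kerberos 5 (legacy OID)",
         "1 2 840 113554 1 2 2": "Kerberos 5",
         "1 3 6 1 4 1 311 2 2 10": "NTLMSSP"}
ENCTYPES = {5: "des3-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}
# Shortened excerpt of the log posted above, mail wrapping kept as it appears.
SAMPLE = r"""
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_spnego_negotiate(480)
  Got OID 1 2 840 113554 1 2 2
[2005/10/28 15:20:06, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt
with error Message size is incompatible with encryption type
[2005/10/28 15:20:06, 3]
smbd/sesssetup.c:reply_spnego_kerberos(179)
  Ticket name is [user at DOMAIN.COM]
[2005/10/28 15:20:06, 1]
smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username DOMAIN\user is invalid on this system
"""

def parse_entries(text):
    """Split a log into entries, re-joining wrapped message lines."""
    heads = list(HEADER.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    return [{"level": int(m.group(2)), "func": m.group(4),
             "msg": " ".join(text[m.end():end].split())}
            for m, end in zip(heads, ends)]

def triage(text):
    """Collect the authentication-relevant events in the order smbd logged them."""
    r = {"mechs": [], "decrypt_failures": [], "principal": None, "rejected": None}
    for msg in (e["msg"] for e in parse_entries(text)):
        if m := re.fullmatch(r"Got OID ([\d ]+)", msg):
            r["mechs"].append(MECHS.get(m.group(1), m.group(1)))
        elif m := re.search(r"enc type \[(\d+)\] failed to decrypt with error (.+)", msg):
            r["decrypt_failures"].append((ENCTYPES.get(int(m.group(1)), m.group(1)), m.group(2)))
        elif m := re.fullmatch(r"Ticket name is \[(.+)\]", msg):
            r["principal"] = m.group(1)
        elif m := re.fullmatch(r"Username (\S+) is invalid on this system", msg):
            r["rejected"] = m.group(1)
    return r
```

Calling `triage(SAMPLE)` returns the decrypt failures and the rejected account as separate fields, so the level-3 enctype messages can be read apart from the level-1 line that names the rejected user.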

