[Samba] ADS share browsing error - Decrypt integrity check failed

[Peter Trifonov]

Hello everyone,

There is a FreeBSD box, which is a member of ADS domain. The domain has both
W2000 
and W2003 domain controllers.
After upgrading to samba-3.0.23a I discovered that it is not possible to
browse a share on a FreeBSD computer, but pam_winbind seems to work. 

Connecting from a WindowsXP box to the FreeBSD causes WinXP to ask for a
password a number of times, and
eventually say "access  denied".


Smbd log file (log level 3) piece corresponding to this attempt looks like
this:

  Doing spnego session setup
[2006/08/01 13:12:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(687)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2006/08/01 13:12:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(547)
  Got OID 1 2 840 48018 1 2 2
[2006/08/01 13:12:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(547)
  Got OID 1 2 840 113554 1 2 2
[2006/08/01 13:12:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(547)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2006/08/01 13:12:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(550)
  Got secblob of size 1151
[2006/08/01 13:12:38, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
[2006/08/01 13:12:38, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Decrypt integrity check failed
[2006/08/01 13:12:38, 3] smbd/sesssetup.c:reply_spnego_kerberos(207)
  Ticket name is [UserName at DOMAIN.REALM]
[2006/08/01 13:12:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
  Username DOMAIN/UserName is invalid on this system
[2006/08/01 13:12:38, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

Everything worked smoothly with samba 3.0.22


With best regards,
P. Trifonov