[Samba] "smbclient -k" fails, used to work - kinit still ok

Vince Negri vnegri at asl-electronics.co.uk
Mon Dec 11 11:44:33 GMT 2006 

Hi All,

I've run into a strange problem, which so far I haven't seen reported by anyone else recently.
A while back I set up a Linux box (SUSE 9.2) to authenticate (using kerberos) against a w2k3
AD domain. A nice side effect of this was that I could use "smbclient -k" and save typing in
my password again.

I didn't have cause to use smbclient for some time, until the other day, when I found that
"smbclient -k" no longer worked. Basic kerberos login was still fine (i.e. kinit worked,
PAM kerberos integration still good)

Investigating further, I went over to a fresh SuSE 10.1 installation and upgraded it to
the latest Samba release (3.0.23d). I then followed the steps in the main HOWTO. 
Still no dice - this is what happens:

xx at xxx:~/xxxxx> smbclient -k -d 4  //asl4/xxxxx
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = ASL-LAN
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter printcap cache time = 750
doing parameter cups options = raw
doing parameter map to guest = Bad User
doing parameter include = /etc/samba/dhcp.conf
params.c:pm_process() - Processing configuration file "/etc/samba/dhcp.conf"
doing parameter wins server = eth0:192.168.102.12 eth0:192.168.202.5
doing parameter logon path = \\%L\profiles\.msprofile
doing parameter logon home = \\%L\%U\.9xprofile
doing parameter logon drive = P:
doing parameter usershare allow guests = Yes
doing parameter client use spnego = yes
doing parameter password server = asl4.asl.lan
doing parameter realm = ASL.LAN
doing parameter security = ADS
pm_process() returned Yes
added interface ip=192.168.102.91 bcast=192.168.102.255 nmask=255.255.255.0
Client started (version 3.0.23d-5.1.39-1084-SUSE-CODE10).
resolve_lmhosts: Attempting lmhosts lookup for name asl4<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: Attempting wins lookup for name asl4<0x20>
wins_srv_is_dead: 192.168.102.12 is alive
wins_srv_is_dead: 192.168.102.12 is alive
resolve_wins: using WINS server 192.168.102.12 and tag 'eth0'
nmb packet from 192.168.102.12(137) header: id=18191 opcode=Query(0) response=Yes
    header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes
    header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
    answers: nmb_name=ASL4<20> rr_type=32 rr_class=1 ttl=0
    answers   0 char `...f.   hex 6000C0A8660C
Got a positive name query response from 192.168.102.12 ( 192.168.102.12 )
Connecting to 192.168.102.12 at port 445
 session request ok
Doing spnego session setup (blob length=101)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=asl4$@ASL.LAN
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_1001] expiration Mon, 11 Dec 2006 21:17:50 GMT
read_socket_with_timeout: timeout read. read error = Connection reset by peer.
SPNEGO login failed: NT_STATUS_INVALID_NETWORK_RESPONSE
session setup failed: Read error: Connection reset by peer

In essence, the server "asl4" (which is the w2k3 server) appears to close the connection and kick me off.

However, it has granted me a ticket - as shown by klist:

Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: xx at ASL.LAN

Valid starting     Expires            Service principal
12/11/06 11:19:15  12/11/06 21:17:50  krbtgt/ASL.LAN at ASL.LAN
        renew until 12/12/06 11:19:15
12/11/06 11:19:08  12/11/06 21:17:50  asl4$@ASL.LAN
        renew until 12/12/06 11:19:15


Using smbclient in the traditional way (supplying a username and password) works perfectly.
I assume that some recent win2k3 patch or update has changed things, because I used to
have a working system - but I haven't seen anyone else posting a similar problem to the list
or bugzilla.

I'm very happy to run tests, gather more information, etc. - just need a pointer as to
where to look next!

Cheers

Vince

More information about the samba mailing list