[Samba] weird kerberos enctype error on otherwise working 3.0.23d install

Jason Haar Jason.Haar at trimble.co.nz
Thu Dec 21 08:09:40 GMT 2006


I have a Samba-3.0.23d installed on a CentOS4.4 server that cannot be
connected to from other machines in the same W2K3 ADS. The server was
added to the ADS successfully via "kinit admin@REALM" and "net ads
testjoin" works just fine. The clocks are NTP-synced and no clock slew
errors are to be seen.

If WinXP/Win2K3 clients connect using \\ip.address\ it works fine, but
if they use the hostname (short or FQDN), they fail to connect (even to
get a share listing). They are prompted to login, and if they enter the
very same username and password they are currently logged under Windows
with - it works!

It is almost definitely a Kerberos problem. Looks like a failed ticket
exchange, leading to the failed login, and when the user manually types
in their creds again, it does an NT4-style connect and it works?

Anyway, "log level = 9" shows the failed connection showing errors like:

[2006/12/21 07:56:19, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2006/12/21 07:56:19, 3] libads/kerberos_verify.c:ads_verify_ticket(399)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2006/12/21 07:56:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
[2006/12/21 07:56:19, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(204) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2006/12/21 07:56:19, 5] lib/util.c:show_msg(485)


I have re-added the machine to the domain without any change. Any other
ideas? I have just finished adding 16 Samba servers to 4 different
domains and this is the only one to fail in such a way. I'm a bit stumped...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
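
Added example (not part of the original post and not Samba's own code): a small triage script that groups smbd log output like the excerpt above into records and counts Kerberos ticket decrypt failures per encryption type. The function names parse_records and summarize are hypothetical, the sample is constructed from the log lines quoted in the post with their line wrapping kept, and the enctype names come from the IANA Kerberos registry (23 is rc4-hmac).

```python
import re
from collections import Counter

# Kerberos enctype numbers (IANA registry); 23 is the one seen in the post.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\]\s*(.*)$")
SOURCE = re.compile(r"^\S+?:\w+\(\d+\)$")  # file.c:function(line)
DECRYPT = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Constructed sample: the log lines quoted in the post, wrapping included.
SAMPLE = """\
[2006/12/21 07:56:19, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2006/12/21 07:56:19, 3] libads/kerberos_verify.c:ads_verify_ticket(399)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2006/12/21 07:56:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
[2006/12/21 07:56:19, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(204) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2006/12/21 07:56:19, 5] lib/util.c:show_msg(485)
"""

def parse_records(text):
    """Group log text into records: one header plus its message lines."""
    records, cur = [], None
    for line in text.splitlines():
        m, s = HEADER.match(line), line.strip()
        if m:
            cur = {"time": m.group(1), "level": int(m.group(2)),
                   "source": m.group(3).strip(), "msg": ""}
            records.append(cur)
        elif cur is not None and s:
            if not cur["source"] and SOURCE.match(s):
                cur["source"] = s  # source wrapped onto its own line
            else:
                cur["msg"] = (cur["msg"] + " " + s).strip()
    return records

def summarize(records):
    """Count decrypt failures per enctype and rejected session setups."""
    failures = Counter()
    for r in records:
        m = DECRYPT.search(r["msg"])
        if m:
            n = int(m.group(1))
            failures[(n, ENCTYPES.get(n, "unknown"), m.group(2))] += 1
    rejected = sum("NT_STATUS_LOGON_FAILURE" in r["msg"] for r in records)
    return failures, rejected
```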


