[Samba] Authentication problems with win2k3 domain controller
Fredrik Lindberg
fredrik.lindberg at tangram.se
Wed Mar 22 12:30:49 GMT 2006
Hi
I'm having problems with samba-3.0.21b and Windows Server 2003 domain
controllers.
When I try to access the samba server from a client (\\sambasrv) I
only get a login prompt; no username/password combination works.
Accessing the samba server through its IP-number instead of
using the netbios name works.
This together with the log message "Failed to verify incoming ticket!"
suggests this is some kind of kerberos error.
Samba is linked to heimdal 0.6.3 and I've no problems getting
tickets from the DCs.
My krb5.conf looks like this (with some private bits removed):
[libdefaults]
default_realm = MYREALM.COM
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
[realms]
MYREALM.COM= {
kdc = tcp/10.0.0.239
default_domain = myrealm.com
}
[domain_realm]
.myrealm.com = MYREALM.COM
myrealm.com = MYREALM.COM
net ads join/leave works and testjoin returns OK.
net ads lookup gives the following:
Information for Domain Controller: dc01
Response Type: SAMLOGON
GUID: 0c38d942-f0a7-4ade-87ae-30b5cf9ae485
Flags:
Is a PDC: yes
Is a GC of the forest: no
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Forest: myrealm.com
Domain: myrealm.com
Domain Controller: dc01.myrealm.com
Pre-Win2k Domain: MYREALM
Pre-Win2k Hostname: DC01
Site Name: Default-First-Site-Name
Site Name (2): Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
Also, winbind seems to work ok. wbinfo -u lists all the users and I
can authenticate users with wbinfo -a user%pass.
This is a part of the log file generated when I try to access the
samba server using its netbios name:
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X(822)
wct=12 flg2=0xc807
[2006/03/22 11:41:46, 2] smbd/sesssetup.c:setup_new_vc_session(772)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(633)
Doing spnego session setup
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(664)
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2006/03/22 11:41:46, 10] lib/util.c:set_remote_arch(2033)
set_remote_arch: Client arch is 'WinXP'
[2006/03/22 11:41:46, 10] smbd/password.c:register_vuid(182)
register_vuid: allocated vuid = 100
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
Got OID 1 2 840 48018 1 2 2
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
Got OID 1 2 840 113554 1 2 2
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
Got OID 1 3 6 1 4 1 311 2 2 10
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(528)
Got secblob of size 1254
[2006/03/22 11:41:46, 10] passdb/secrets.c:secrets_named_mutex(811)
secrets_named_mutex: got mutex for replay cache mutex
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
[2006/03/22 11:41:46, 10] passdb/secrets.c:secrets_named_mutex_release(823)
secrets_named_mutex: released mutex for replay cache mutex
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_verify_ticket(378)
ads_verify_ticket: krb5_rd_req with auth failed (Unknown error: 0)
[2006/03/22 11:41:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
Failed to verify incoming ticket!
[2006/03/22 11:41:46, 3] smbd/error.c:error_packet(146)
error packet at smbd/sesssetup.c(182) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
I found a reference in the mail archives suggesting that I should
re-join the machine. I tried that without success.
I also tried the KdcUseRequestedEtypesForTickets hotfix from Microsoft,
that didn't help either.
Any hints on what I could try next? All suggestions are more
than welcome.
Since using the ip-number instead of the netbios name works, and that
seemed to use NTLM authentication instead of kerberos, I would be
happy with a compromise if there is a way to force clients to use
NTLM authentication.
I'll be happy to provide any additional information if needed.
Thank you,
Fredrik Lindberg
Here is my smb.conf:
[global]
workgroup = MYREALM
server string = Samba Server
netbios name = sambasrv01
security = ADS
log file = /var/log/samba/log.%m
max log size = 50
password server = 10.0.0.239
realm = MYREALM.COM
socket options = TCP_NODELAY
wins server = 10.0.0.239
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
winbind nested groups = Yes
template shell = /usr/sbin/nologin
auth methods = winbind
nt acl support = Yes
preserve case = Yes
valid users = @"Domain Users"
inherit permissions = yes
[Volume]
comment = Storage volume
path = /export
browseable = yes
writeable = yes
directory mask = 0775
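An added example, not part of the post or of Samba: a small Python analyser that groups smbd log entries and pulls out the ads_secrets_verify_ticket failures, mapping the numeric enc types to their RFC names. When every enc type smbd tried fails with "Message size is incompatible with encryption type", the incoming ticket was encrypted with an enctype for which the server holds no key, which points to a mismatch between the KDC's ticket enctype and the default_etypes in krb5.conf. The enctype table is assumed from RFC 3961/3962/4757, and the sample log is constructed from the entries quoted above.

```python
import re

# Kerberos enctype numbers per RFC 3961/3962/4757 (mapping assumed here, not from the post).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
SIZE_ERR = "Message size is incompatible with encryption type"
# Samba log format: "[date time, level] file:function(line)" then indented message lines.
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\](?: (?P<loc>\S+))?$")
FAIL_RE = re.compile(r"ads_secrets_verify_ticket: enc type \[(?P<etype>\d+)\] failed to decrypt with error (?P<err>.+)")

def parse_entries(lines):
    """Group raw log lines into (header, message) entries; wrapped message lines are joined."""
    entries = []
    for raw in lines:
        m = HEADER_RE.match(raw.rstrip("\n"))
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]), "loc": m["loc"], "msg": []})
        elif entries and raw.strip():
            entries[-1]["msg"].append(raw.strip())
    return [dict(e, msg=" ".join(e["msg"])) for e in entries]

def analyse_ticket_verification(lines):
    """List the enctypes smbd tried on the incoming ticket and flag an enctype mismatch."""
    tried, verify_failed = [], False
    for e in parse_entries(lines):
        m = FAIL_RE.search(e["msg"])
        if m:
            etype = int(m["etype"])
            tried.append((etype, ETYPE_NAMES.get(etype, "unknown"), m["err"].strip()))
        if "Failed to verify incoming ticket!" in e["msg"]:
            verify_failed = True
    # Every tried enctype rejected on ciphertext size: the ticket was encrypted with a key
    # the server does not hold, i.e. the KDC used an enctype krb5.conf does not list.
    mismatch = verify_failed and bool(tried) and all(err == SIZE_ERR for _, _, err in tried)
    return {"tried": tried, "verify_failed": verify_failed, "enctype_mismatch": mismatch}

# Constructed sample reproducing the entries quoted in the post.
SAMPLE_LOG = """\
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_verify_ticket(378)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown error: 0)
[2006/03/22 11:41:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
  Failed to verify incoming ticket!
"""
```

Feed it the per-client log that the smb.conf above writes (log file = /var/log/samba/log.%m) with analyse_ticket_verification(open(path).read().splitlines()); a report with enctype_mismatch set means the enctypes to compare are those in krb5.conf's default_etypes and the one the DC actually issued.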