[Samba] Authentication problems with win2k3 domain controller

Fredrik Lindberg fredrik.lindberg at tangram.se
Wed Mar 22 12:30:49 GMT 2006


Hi

I'm having problems with samba-3.0.21b and Windows Server 2003 domain
controllers.
When I try to access the samba server from a client (\\sambasrv) I
only get a login prompt; no username/password combination works.
Accessing the samba server through its IP-number instead of
using the netbios name works.
This, together with the log message "Failed to verify incoming ticket!",
suggests this is some kind of Kerberos error.

Samba is linked to heimdal 0.6.3 and I've no problems getting
tickets from the DCs.
My krb5.conf looks like this (with some private bits removed):

[libdefaults]
         default_realm      = MYREALM.COM
         default_etypes     = des-cbc-crc des-cbc-md5
         default_etypes_des = des-cbc-crc des-cbc-md5
[realms]
         MYREALM.COM = {
                 kdc = tcp/10.0.0.239
                 default_domain = myrealm.com
         }
[domain_realm]
         .myrealm.com = MYREALM.COM
         myrealm.com = MYREALM.COM

net ads join/leave works and testjoin returns OK.
net ads lookup gives the following:
Information for Domain Controller: dc01

Response Type: SAMLOGON
GUID: 0c38d942-f0a7-4ade-87ae-30b5cf9ae485
Flags:
         Is a PDC:                                   yes
         Is a GC of the forest:                      no
         Is an LDAP server:                          yes
         Supports DS:                                yes
         Is running a KDC:                           yes
         Is running time services:                   yes
         Is the closest DC:                          yes
         Is writable:                                yes
         Has a hardware clock:                       yes
         Is a non-domain NC serviced by LDAP server: no
Forest:                 myrealm.com
Domain:                 myrealm.com
Domain Controller:      dc01.myrealm.com
Pre-Win2k Domain:       MYREALM
Pre-Win2k Hostname:     DC01
Site Name:              Default-First-Site-Name
Site Name (2):          Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

Also, winbind seems to work ok. wbinfo -u lists all the users and I
can authenticate users with wbinfo -a user%pass.

This is a part of the log file generated when I try to access the
samba server using its netbios name:

[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X(822)
   wct=12 flg2=0xc807
[2006/03/22 11:41:46, 2] smbd/sesssetup.c:setup_new_vc_session(772)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(633)
   Doing spnego session setup
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(664)
   NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2006/03/22 11:41:46, 10] lib/util.c:set_remote_arch(2033)
   set_remote_arch: Client arch is 'WinXP'
[2006/03/22 11:41:46, 10] smbd/password.c:register_vuid(182)
   register_vuid: allocated vuid = 100
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
   Got OID 1 2 840 48018 1 2 2
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
   Got OID 1 2 840 113554 1 2 2
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
   Got OID 1 3 6 1 4 1 311 2 2 10
[2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(528)
   Got secblob of size 1254
[2006/03/22 11:41:46, 10] passdb/secrets.c:secrets_named_mutex(811)
   secrets_named_mutex: got mutex for replay cache mutex
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
   ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
[2006/03/22 11:41:46, 10] passdb/secrets.c:secrets_named_mutex_release(823)
   secrets_named_mutex: released mutex for replay cache mutex
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_verify_ticket(378)
   ads_verify_ticket: krb5_rd_req with auth failed (Unknown error: 0)
[2006/03/22 11:41:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
   Failed to verify incoming ticket!
[2006/03/22 11:41:46, 3] smbd/error.c:error_packet(146)
   error packet at smbd/sesssetup.c(182) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

I found a reference in the mail archives suggesting that I should
re-join the machine. I tried that without success.
I also tried the KdcUseRequestedEtypesForTickets hotfix from Microsoft,
that didn't help either.

Any hints on what I could try next? All suggestions are more
than welcome.

Since using the IP number instead of the netbios name works, and that
seemed to use NTLM authentication instead of Kerberos, I would be
happy with a compromise if there is a way to force clients to use
NTLM authentication.

I'll be happy to provide any additional information if needed.
Thank you,
	Fredrik Lindberg

Here is my smb.conf:
[global]
    workgroup = MYREALM
    server string = Samba Server
    netbios name = sambasrv01
    security = ADS
    log file = /var/log/samba/log.%m
    max log size = 50
    password server = 10.0.0.239
    realm = MYREALM.COM
    socket options = TCP_NODELAY
    wins server = 10.0.0.239
    dns proxy = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    winbind nested groups = Yes
    template shell = /usr/sbin/nologin
    auth methods = winbind
    nt acl support = Yes
    preserve case = Yes
    valid users = @"Domain Users"
    inherit permissions = yes

[Volume]
    comment = Storage volume
    path = /export
    browseable = yes
    writeable = yes
    directory mask = 0775
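A triage helper for the log quoted in this post, added here as an example (it is not from the original post or from Samba): it parses smbd debug entries, re-joins lines the mail client wrapped, and reports which Kerberos enctypes the server's key failed to decrypt before the "Failed to verify incoming ticket!" outcome. The sample log is constructed from the lines quoted above; the enctype names come from the standard RFC 3961 numbers.

```python
import re
from dataclasses import dataclass

# Start of an smbd log entry: "[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)".
# The "\s*" lets the location sit on the next line, as a mail client wraps it.
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\]\s*(\S+\.c:\w+\(\d+\))", re.M)
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5"}  # RFC 3961 enctype numbers

# Constructed sample, trimmed from the smbd log quoted in the post above.
SAMPLE_LOG = """\
[2006/03/22 11:41:46, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
   ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Message size is incompatible with encryption type
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Message size is incompatible with encryption type
[2006/03/22 11:41:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
   Failed to verify incoming ticket!
"""

@dataclass
class Entry:
    when: str
    level: int
    where: str  # file.c:function(line) that emitted the entry
    text: str   # message with wrapped lines re-joined

def parse_smbd_log(log: str) -> list:
    """Split an smbd debug log into entries, re-joining wrapped lines."""
    heads, entries = list(HEADER.finditer(log)), []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log)
        body = " ".join(log[m.end():end].split())
        entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), body))
    return entries

def triage_ticket_verify(entries) -> dict:
    """Report the enctypes the server key failed to decrypt and the outcome."""
    failed, verified = [], True
    for e in entries:
        if "ads_secrets_verify_ticket" in e.where and (f := ENC_FAIL.search(e.text)):
            et = int(f.group(1))
            failed.append((et, ETYPE_NAMES.get(et, "unknown"), f.group(2)))
        elif "reply_spnego_kerberos" in e.where and "Failed to verify" in e.text:
            verified = False
    return {"failed_etypes": failed, "ticket_verified": verified}
```

Running `triage_ticket_verify(parse_smbd_log(SAMPLE_LOG))` on the sample shows both DES enctypes (1 and 3) failing with the same "Message size is incompatible with encryption type" error, which is the pattern to look for when comparing the enctypes in the server's keytab against those the DC issued the ticket with.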