[Samba] Failed to verify incoming ticket! When clients use netbios
names only!
m.bland
m.bland at momac.net
Wed Apr 4 14:48:11 GMT 2007
Hi,
I have set up our Samba box in 'ADS' mode. The problem is that clients
cannot connect to the server by its NetBIOS name. Only when they use the
machine's IP address are they authenticated and able to browse the box.
When clients connect via the netbios name this message will appear in my
samba logs with the IP of the connecting client;
"smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming
ticket!"
Additionally, if a client connects successfully via the IP of the Samba
server, the log file is named after the client's NetBIOS name rather than
its IP.
eg machinenetbiosname.log will contain
[2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
netbiosnameofmachine (192.168.16.203) signed connect to service data
initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)
Can someone tell me what's happening here? ;)
thor:/var/log/samba# cat /etc/samba/smb.conf
# smb.conf for the member server THOR as posted: AD member mode (security = ads)
# with winbind supplying domain users and groups, and two shares under /data.
[global]
winbind use default domain = yes
# '+' joins domain and account in winbind names, e.g. DOMAIN+gorby in the log excerpt.
winbind separator = +
client use spnego = yes
use spnego = yes
# "auto" offers SMB signing without requiring it; "mandatory" is the value that enforces it.
server signing = auto
client signing = auto
netbios name = THOR
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
workgroup = DOMAIN
server string = Thor
# NOTE(review): in ADS mode, clients that address the server by name normally
# attempt Kerberos, while connections to a bare IP address typically fall back
# to NTLM. That would fit the report that only by-name connections hit the
# ticket-verification error -- confirm against the client-side traces.
security = ads
# Limits connections to client addresses beginning with 192.168.16.
hosts allow = 192.168.16.
load printers = no
cups options = raw
# %m expands to the client's NetBIOS name, so each client's log file is named
# after its machine name rather than its IP address.
log file = /var/log/samba/%m.log
max log size = 50
password server = SERVER01
encrypt passwords = yes
# NOTE(review): realm is the Kerberos realm. The krb5.conf in this post uses
# DOMAIN.NAME as default_realm; the values are anonymised, so check that the
# real realm here matches the Kerberos configuration exactly.
realm = DOMAIN
passdb backend = tdbsam
local master = no
domain master = no
wins support = no
wins server = 192.168.16.3
dns proxy = no
hostname lookups = yes
name resolve order = lmhosts host wins dns bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[data]
comment =
path = /data
# Leading '+' makes Samba look the name up as a UNIX group; access is limited
# to members of DOMAIN+"domain users".
Valid Users = +DOMAIN+"domain users"
writeable = yes
browseable = yes
[ftp]
comment = FTP area
path = /data/ftp
# Same group restriction as [data]; note that /data/ftp is also reachable through
# the [data] share, since it lies under /data.
Valid Users = +DOMAIN+"domain users"
writeable = yes
browseable = yes
thor:/var/log/samba#
wbinfo -u works!
wbinfo -g works
# Name service switch entries as posted (presumably /etc/nsswitch.conf): each
# line lists, in order, the sources consulted for that database.
# Accounts and groups come from local files first, then winbind.
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
# NOTE(review): unlike the commented-out line above, this list has no "dns"
# source, so host lookups through NSS would not query the nameserver from
# resolv.conf. Confirm that is intended, since Kerberos depends on consistent
# forward and reverse name resolution.
hosts: files winbind
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
# NOTE(review): winbind is also listed for protocols, services, netgroup and
# automount; presumably only the account databases need it -- verify.
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
cat /etc/resolv.conf
search DOMAIN.NAME
nameserver 192.168.16.3 (also the PDC)
thor:/var/log/samba# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.16.4 thor.DOMAIN.NAME thor
192.168.16.3 server01.DOMAIN.NAME server01
thor:/var/log/samba# kinit administrator@DOMAIN.NAME
administrator@DOMAIN.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
thor:/var/log/samba# cat /etc/krb5.conf
# Kerberos client configuration (/etc/krb5.conf) as posted for realm DOMAIN.NAME.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.NAME
# Realm and KDC discovery through DNS is enabled in addition to the static
# entries in [realms] and [domain_realm] below.
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
krb4_get_tickets = false
[realms]
DOMAIN.NAME = {
# KDC is given by short host name on port 88; resolving it relies on
# /etc/hosts or the resolver search domain.
kdc = server01:88
}
# NOTE(review): [domain_realm] maps host names, or DNS domains written with a
# leading dot, to a realm. Only server01 is mapped here; there is no entry for
# the site's DNS domain or for thor, so their realm mapping depends on
# dns_lookup_realm and default_realm -- confirm this resolves as intended.
[domain_realm]
.server01 = DOMAIN.NAME
server01 = DOMAIN.NAME
# NOTE(review): the path suggests a Heimdal KDC profile; presumably unused on a
# host that is only a Kerberos client -- verify.
[kdc]
profile = /var/lib/heimdal-kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}