[Samba] Failed to verify incoming ticket
Brian Atkins
batkins at tlcdelivers.com
Sat Jan 13 01:12:55 GMT 2007
I am running samba 3.0.23d on Gentoo. I have a particularly problematic
server that is a domain member of our AD domain.
After joining the domain, shares are available and user credentials work
just fine. Then, suddenly for no apparent reason, it stops working. And,
then again, just as quickly as the problem starts, it goes away. I have
looked at this thing as many ways as I can possibly think of, but have
not yet found the culprit. From everything I've seen, the issue points
to Kerberos.
I used a plain vanilla approach to join it to the domain:
Installed samba, winbind, mit-krb5, and pam modules:
USE="ldap kerberos winbind pam" emerge samba
Edited krb5.conf (see below) and ran -
kinit administrator
klist reveals:
klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at MYDOMAIN.COM
Valid starting Expires Service principal
01/12/07 19:46:02 01/12/07 20:26:02
krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
Edited nsswitch.conf (see below).
Edited smb.conf (see below) and ran -
net ads join -U adminstrator
and got:
Using short domain name -- MYDOMAIN
Joined 'TESTBOX' to realm 'MYDOMAIN.COM'
I started samba:
/etc/init.d/samba start
* samba -> start: smbd ... [ ok ]
* samba -> start: nmbd ... [ ok ]
* samba -> start: winbind ... [ ok ]
However, accessing a share from a windows machine (doesn't appear to
matter the version), I get prompted for credentials. Upon entering them,
I get Logon failed. As I write this, I have a XP box that is allowing me
to access the share, but a 2K3 server that fails - same credentials. If
I use the ip address, it succeeds every time.
In the samba client logs I see:
[2007/01/12 19:56:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
Failed to verify incoming ticket!
Occasionally in log.winbind I get:
[2007/01/12 19:22:18, 1] nsswitch/winbindd_ads.c:query_user_list(218)
Not a user account? atype=0x30000000
I also see some weirdness with wbinfo. When displaying users, I see only
user accounts, while on my other servers, I see user and computer accounts.
KRB5.CONF:
==========
[libdefaults]
default_realm = MYDOMAIN.COM
ticket_lifetime = 2400
clockskew = 300
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
dns_lookup_kdc = false
dns_lookup_realm = false
kdc_timesync = true
[realms]
MYDOMAIN.COM = {
kdc = dcm.mydomain.com
admin_server = dcm.mydomain.com
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
SMB.CONF:
=========
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
netbios name = TESTBOX
server string = TESTBOX
interfaces = 192.168.1.28 127.
bind interfaces only = yes
security = ADS
log file = /var/log/samba/log.%m
max log size = 8164
name resolve order = hosts wins bcast
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
os level = 5
preferred master = no
local master = no
domain master = no
dns proxy = no
wins proxy = no
wins server = 192.168.1.124
template shell = /bin/bash
unix extensions = no
template home dir = /home/%D/%U
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
hosts allow = 192.168. 127.
load printers = no
smb ports = 139
NSSWITCH.CONF:
==============
passwd: compat winbind
shadow: compat
group: compat winbind
hosts: files dns wins
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
--
Brian
More information about the samba
mailing list