[Samba] Failed to verify incoming ticket

Brian Atkins batkins at tlcdelivers.com
Sat Jan 13 01:12:55 GMT 2007


I am running samba 3.0.23d on Gentoo. I have a particularly problematic 
server that is a domain member of our AD domain.

After joining the domain, shares are available and user credentials work 
just fine. Then, suddenly for no apparent reason, it stops working. And, 
then again, just as quickly as the problem starts, it goes away. I have 
looked at this thing as many ways as I can possibly think of, but have 
not yet found the culprit. From everything I've seen, the issue points 
to Kerberos.

I used a plain vanilla approach to join it to the domain:

Installed samba, winbind, mit-krb5, and pam modules:
	USE="ldap kerberos winbind pam" emerge samba

Edited krb5.conf (see below) and ran -
	kinit administrator

klist reveals:
	klist: You have no tickets cached
	Ticket cache: FILE:/tmp/krb5cc_0
	Default principal: administrator@MYDOMAIN.COM

	Valid starting     Expires            Service principal
	01/12/07 19:46:02  01/12/07 20:26:02  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM

Edited nsswitch.conf (see below).

Edited smb.conf (see below) and ran -
	net ads join -U administrator

and got:
	Using short domain name -- MYDOMAIN
	Joined 'TESTBOX' to realm 'MYDOMAIN.COM'

I started samba:
	/etc/init.d/samba start
  	* samba -> start: smbd ...    [ ok ]
  	* samba -> start: nmbd ...    [ ok ]
  	* samba -> start: winbind ... [ ok ]

However, accessing a share from a Windows machine (the version doesn't 
appear to matter), I get prompted for credentials. Upon entering them, 
I get "Logon failed". As I write this, I have an XP box that is allowing me 
to access the share, but a 2K3 server that fails - same credentials. If 
I use the IP address, it succeeds every time.

In the samba client logs I see:
[2007/01/12 19:56:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
   Failed to verify incoming ticket!

Occasionally in log.winbind I get:
[2007/01/12 19:22:18, 1] nsswitch/winbindd_ads.c:query_user_list(218)
   Not a user account? atype=0x30000000

I also see some weirdness with wbinfo. When displaying users, I see only 
user accounts, while on my other servers, I see user and computer accounts.

KRB5.CONF:
==========
[libdefaults]
         default_realm           = MYDOMAIN.COM
         ticket_lifetime         = 2400
         clockskew               = 300
         default_tkt_enctypes    = des-cbc-crc des-cbc-md5
         default_tgs_enctypes    = des-cbc-crc des-cbc-md5
         forwardable             = true
         dns_lookup_kdc          = false
         dns_lookup_realm        = false
         kdc_timesync            = true

[realms]
         MYDOMAIN.COM = {
                 kdc             = dcm.mydomain.com
                 admin_server    = dcm.mydomain.com
                 default_domain  = mydomain.com
         }

[domain_realm]
         .mydomain.com = MYDOMAIN.COM
         mydomain.com = MYDOMAIN.COM

[logging]
         kdc                     = FILE:/var/log/krb5kdc.log
         admin_server            = FILE:/var/log/kadmin.log
         default                 = FILE:/var/log/krb5lib.log

SMB.CONF:
=========
[global]
         workgroup = MYDOMAIN
         realm = MYDOMAIN.COM
         netbios name = TESTBOX
         server string = TESTBOX
         interfaces = 192.168.1.28 127.
         bind interfaces only = yes
         security = ADS
         log file = /var/log/samba/log.%m
         max log size = 8164
         name resolve order = hosts wins bcast
         socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
         os level = 5
         preferred master = no
         local master = no
         domain master = no
         dns proxy = no
         wins proxy = no
         wins server = 192.168.1.124
         template shell = /bin/bash
         unix extensions = no
         template home dir = /home/%D/%U
         winbind enum users = yes
         winbind uid = 10000-20000
         winbind gid = 10000-20000
         winbind enum groups = yes
         winbind separator = +
         winbind use default domain = yes
         encrypt passwords = yes
         hosts allow = 192.168. 127.
         load printers = no
         smb ports = 139

NSSWITCH.CONF:
==============
passwd:      compat winbind
shadow:      compat
group:       compat winbind
hosts:       files dns wins
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files


-- 
Brian
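The following is an added example and is not part of Brian's post or of Samba itself. Before chasing the "Failed to verify incoming ticket" message into Samba's code, there are a few local checks worth running on a member server like TESTBOX: whether the clock is within the Kerberos skew window of the KDC (a drifting clock produces exactly the intermittent pattern described), whether krb5.conf pins the member to single-DES ticket types only (weak, and usable only if the DC permits DES for the machine account; Windows 2000/2003 domains speak arcfour-hmac-md5 by default), whether "smb ports" leaves out 445, and how many verification failures the client log already holds. A Windows client of that era does not attempt Kerberos when the target is an IP address, so the by-IP success is consistent with NTLM working while Kerberos fails. The function names (`clock_skew_ok`, `weak_enctypes_only`, `smb_ports_missing_445`, `count_ticket_failures`, `report`) are my own, and the sample files are constructed from fragments of the configs posted above plus one extra constructed log line.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project: offline
# sanity checks for the symptoms described in the post. The files written
# below are CONSTRUCTED copies of fragments from the post; point the
# functions at the real /etc files to run them for real.

MAX_SKEW=300   # seconds; the poster's "clockskew = 300" and the Kerberos default

# clock_skew_ok LOCAL_EPOCH KDC_EPOCH
# Succeeds when the two clocks differ by at most MAX_SKEW seconds; the KDC
# and the member both reject tickets outside this window.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le "$MAX_SKEW" ]
}

# weak_enctypes_only KRB5_CONF
# Succeeds when default_tkt_enctypes / default_tgs_enctypes are set and every
# listed type is single DES (des-cbc-crc, des-cbc-md5).
weak_enctypes_only() {
    types=$(sed -n 's/^[[:space:]]*default_t[kg][ts]_enctypes[[:space:]]*=[[:space:]]*//p' "$1")
    [ -n "$types" ] || return 1          # nothing pinned: library default applies
    for t in $types; do
        case "$t" in
            des-cbc-*) ;;                # single DES
            *) return 1 ;;               # at least one stronger type allowed
        esac
    done
    return 0
}

# smb_ports_missing_445 SMB_CONF
# Succeeds when "smb ports" is set but omits 445, i.e. clients can only reach
# the server over the NetBIOS session service on 139.
smb_ports_missing_445() {
    ports=$(sed -n 's/^[[:space:]]*smb ports[[:space:]]*=[[:space:]]*//p' "$1")
    [ -n "$ports" ] || return 1
    for p in $ports; do
        if [ "$p" = "445" ]; then return 1; fi
    done
    return 0
}

# count_ticket_failures LOGFILE
# Prints the number of "Failed to verify incoming ticket" entries in LOGFILE.
count_ticket_failures() {
    grep -c 'Failed to verify incoming ticket' "$1" || true
}

# report DIR LOCAL_EPOCH KDC_EPOCH: run every check and print one line per finding.
report() {
    dir=$1
    if clock_skew_ok "$2" "$3"; then
        echo "clock: within ${MAX_SKEW}s of the KDC"
    else
        echo "clock: skew exceeds ${MAX_SKEW}s; tickets will be rejected until clocks are synced"
    fi
    if weak_enctypes_only "$dir/krb5.conf"; then
        echo "krb5.conf: only single-DES enctypes pinned; prefer arcfour-hmac-md5 and drop DES"
    fi
    if smb_ports_missing_445 "$dir/smb.conf"; then
        echo "smb.conf: smb ports omits 445; NetBIOS-only transport depends on WINS/broadcast names"
    fi
    echo "log.client: $(count_ticket_failures "$dir/log.client") ticket verification failure(s)"
}

# --- constructed sample input, modelled on the post ---------------------------
WORK=$(mktemp -d)
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
        default_realm           = MYDOMAIN.COM
        clockskew               = 300
        default_tkt_enctypes    = des-cbc-crc des-cbc-md5
        default_tgs_enctypes    = des-cbc-crc des-cbc-md5
EOF
cat > "$WORK/krb5.conf.fixed" <<'EOF'
[libdefaults]
        default_realm           = MYDOMAIN.COM
        default_tkt_enctypes    = arcfour-hmac-md5
        default_tgs_enctypes    = arcfour-hmac-md5
EOF
cat > "$WORK/smb.conf" <<'EOF'
[global]
        security = ADS
        smb ports = 139
EOF
cat > "$WORK/log.client" <<'EOF'
[2007/01/12 19:56:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
[2007/01/12 20:03:11, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
EOF

# Simulate a KDC running 7 minutes ahead of this host: outside the 300 s window.
report "$WORK" "$(date +%s)" "$(( $(date +%s) + 420 ))"
```

The hardened `krb5.conf.fixed` shows the corrected enctype setting beside the weak one; on a real member the equivalent of the clock check is comparing `date` on the member against the DC (or simply running ntpdate against it), and the enctype check should be confirmed against the DC's own account settings.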

