[Samba] ads_secrets_verify_ticket: enc type [23] failed to decrypt
with error Decrypt integrity check failed
Tom Carroll
tcarroll+samba at chimesnet.com
Thu Dec 18 20:57:53 GMT 2008
Good day -
I am having problems with trusted domain authentication. I have two AD
domains, A and B. Domain A trusts B. I have a Samba file server,
version 3.2.5, as a member of A. Using smbclient, I can successfully
access the share using principals from either domain. Windows XP
workstations that are members of A can access the shares, but XP
workstations that are members of B fail.
Using klist, I see that the members of B have a TGT from B with enctype
RC4-HMAC [23].
From the Samba logs I see the following:
[2008/12/18 15:28:21, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
check_spnego_blob_complete: needed_len = 3038, pblob->length = 3038
[2008/12/18 15:28:21, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2008/12/18 15:28:21, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
[2008/12/18 15:28:21, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2008/12/18 15:28:21, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
reply_spnego_negotiate: Got secblob of size 2972
[2008/12/18 15:28:21, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2008/12/18 15:28:21, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2008/12/18 15:28:21, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2008/12/18 15:28:21, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2008/12/18 15:28:21, 10] libads/kerberos_verify.c:ads_verify_ticket(467)
ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2008/12/18 15:28:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/12/18 15:28:21, 3] smbd/error.c:error_packet_set(61)
error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Any help would be appreciated.
# smbd -V
Version 3.2.5
#
My smb.conf:
[global]
workgroup = BEELINEWAN
realm = BEELINEWAN.COM
server string = %h server
security = ADS
obey pam restrictions = Yes
client NTLMv2 auth = Yes
log level = 10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
domain master = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-25000
idmap gid = 10000-25000
template homedir = /shares/%D/home/%U
template shell = /bin/bash
winbind use default domain = Yes
[public]
path = /shares/public
read only = No
create mask = 0770
valid users = "@A%wDomain Users" "@B%wDomain Users"
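
Added example, not part of the original post and not Samba code: a short Python triage over the ads_secrets_verify_ticket lines quoted in the log above. It re-joins mail-wrapped log text and separates the attempt that reached the integrity check (a key mismatch for that enctype) from attempts with an enctype the ticket does not use. The function names and verdict labels are this example's own assumptions; the sample is excerpted from the log in the post.

```python
import re

# Enctype numbers as assigned for Kerberos; only the three seen in the post.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

# One decrypt attempt; the error text ends at the next "[YYYY/MM/DD " header.
ATTEMPT = re.compile(
    r"ads_secrets_verify_ticket: enc type \[(\d+)\] failed to decrypt "
    r"with error (.+?)(?= \[\d{4}/\d{2}/\d{2} |$)"
)

def classify(error):
    # Verdict labels are this example's interpretation, not Samba output.
    if error == "Decrypt integrity check failed":
        return "key-mismatch"      # enctype matched the ticket, the key did not
    if error == "Bad encryption type":
        return "enctype-not-used"  # ticket is not encrypted with this enctype
    return "other"

def triage(log_text):
    flat = " ".join(log_text.split())  # undo mail and log line wrapping
    return [(int(e), ENCTYPE_NAMES.get(int(e), "unknown"), classify(err))
            for e, err in ATTEMPT.findall(flat)]

def ticket_enctype(attempts):
    # The attempt that got as far as the integrity check names the ticket's enctype.
    hits = [e for e, _, verdict in attempts if verdict == "key-mismatch"]
    return hits[0] if hits else None

# Sample: excerpt of the log quoted in the post, wrapping left as mailed.
SAMPLE = """\
[2008/12/18 15:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2008/12/18 15:28:21, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Bad encryption type
[2008/12/18 15:28:21, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Bad encryption type
[2008/12/18 15:28:21, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the post's log the level-3 summary from ads_verify_ticket carries the same error text as the last enctype tried, so the enctype 23 line is the one that describes the ticket.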