[Samba] Samba 3.2.7 and XP authentication error
Waltari Harri
Harri.Waltari at deltamarin.com
Thu Jan 29 11:52:17 GMT 2009
List,
Long and confusing message follows...
I'm facing a frustrating problem. XP clients can use resources on the
samba server by IP address, but not by name. So, "net view \\servername"
gives "access denied" but "net view \\ipaddress" gives a list of shared
resources.
Samba server (3.2.7 sernet rpm) is a member server in W2003 domain.
I emphasise that with version 3.2.2 or 3.2.3 (around Oct..Nov 2007) and
exactly the same configuration everything did work perfectly. After that
there have been a couple of months' worth of win hotfixes and an upgrade to
3.2.7.
I did read the change texts, but didn't find a clue there.
Below is level 5 log when client does "net view":
[2009/01/28 11:03:39, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2009/01/28 11:03:39, 3]
libads/kerberos_verify.c:ads_verify_ticket(458)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/01/28 11:03:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
I found an entry in bugzilla
(https://bugzilla.samba.org/show_bug.cgi?id=1010). The symptoms are the
same but I do not have "permitted enctypes" defined in the krb5.conf.
Like in the bugzilla entry, command line authentication works, but
somehow samba just can't use it.
# wbinfo -a userid%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
Samba does not try to communicate with the domain controllers when the
client does "net view". Here's a capture of what happens (192.168.2.6 is
the samba server and .128 is the xp client):
Capturing on eth0
0.000000 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [SYN,
ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 WS=7
0.000792 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [ACK]
Seq=1 Ack=137 Win=54 Len=0
0.003626 192.168.2.6 -> 192.168.2.128 SMB Negotiate Protocol Response
0.004591 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [ACK]
Seq=197 Ack=1729 Win=100 Len=0
0.006558 192.168.2.6 -> 192.168.2.128 SMB Session Setup AndX Response,
Error: STATUS_LOGON_FAILURE
Samba should have asked authentication from the AD DC, right?
So I think that the tickets are cached somewhere. But where? And if they
are, how to purge the tickets? As root, the only ticket klist shows is the
one which was used when the system was set up. Deleting that ticket and
renewing does not help.
------------------------------
smb.conf:
[global]
log level = 5
server string = IT-testi (Samba 3.2.7)
workgroup = WG-NAME
load printers = no
realm = ORG.LOCAL
security = ads
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap domains = WG-NAME
idmap config WG-NAME:default = yes
idmap config WG-NAME:backend = rid
idmap config WG-NAME:range = 100-200000
ifmap config WG-NAME:base_rid = 1
allow trusted domains = no
winbind refresh tickets = true
inherit permissions = yes
------------------------------
krb5.conf
Kerberos works via DNS. This is based on an article (which I can't
locate at the moment) in the samba wiki.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ORG.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 76h
forwardable = yes
[realms]
[domain_realm]
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Any help is appreciated.
Harri
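The level 3 log quoted above shows smbd failing to decrypt the client's service ticket locally (enc type [23], which is rc4-hmac in RFC 4757 numbering) before the SPNEGO session setup is rejected with NT_STATUS_LOGON_FAILURE. The following triage script is an added example, not part of the original post or of Samba; it reads an smbd log, groups "failed to decrypt" events by Kerberos encryption type (names per RFC 3961/4757), and counts rejected Kerberos session setups, so an administrator can see which enctype the clients are presenting and compare it with what `klist -ke` reports for the server's keytab. The sample log embedded in it is constructed from the events in the post plus one extra aes256 event; the log path in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): triage smbd Kerberos ticket
# failures from a level-3+ Samba log.

# Constructed sample: the three events quoted in the post, plus one
# made-up aes256 event so that grouping by enctype is visible.
SAMPLE_LOG='[2009/01/28 11:03:39, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2009/01/28 11:03:39, 3]
libads/kerberos_verify.c:ads_verify_ticket(458)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/01/28 11:03:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/01/28 11:05:02, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type [18] failed to decrypt with error
Decrypt integrity check failed'

# enctype_name NUM: print the RFC 3961/4757 name of a Kerberos enctype number
enctype_name() {
    case "$1" in
        1)  echo des-cbc-crc ;;
        3)  echo des-cbc-md5 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        23) echo rc4-hmac ;;
        *)  echo "unknown($1)" ;;
    esac
}

# krb_decrypt_failures: read an smbd log on stdin and print one line per
# enctype: "<enctype> <name> <count> <timestamp of last failure>"
krb_decrypt_failures() {
    awk '
        # A "[YYYY/MM/DD HH:MM:SS, level]" header starts a new event; keep its stamp
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] [0-9:]+, [0-9]+\]/ {
            ts = substr($0, 2, 19)
        }
        /ads_secrets_verify_ticket: enc type \[[0-9]+\] failed to decrypt/ {
            if (match($0, /\[[0-9]+\]/)) {
                et = substr($0, RSTART + 1, RLENGTH - 2)
                count[et]++
                last[et] = ts
            }
        }
        END { for (et in count) print et, count[et], last[et] }
    ' | sort -n | while read -r et n ts; do
        echo "$et $(enctype_name "$et") $n $ts"
    done
}

# logon_failures: count Kerberos session setups smbd rejected outright
logon_failures() {
    grep -c 'Failed to verify incoming ticket with error NT_STATUS_'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | krb_decrypt_failures
printf 'rejected kerberos session setups: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | logon_failures)"
```

Against a live server, feed the real log instead of the sample, e.g. `krb_decrypt_failures < /var/log/samba/log.smbd` (path assumed; it depends on the distribution and the `log file` setting). A steady stream of failures for one enctype, as opposed to scattered ones, indicates that every client ticket is being rejected by the server's own key material rather than by the DC.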