[Samba] Samba 3.2.7 and XP authentication error

Waltari Harri Harri.Waltari at deltamarin.com
Thu Jan 29 11:52:17 GMT 2009


Long and confusing message follows...
I'm facing a frustrating problem. XP clients can use resources on the
Samba server by IP-address, but not by name. So, "net view \\servername"
gives "access denied" but "net view \\ipaddress" gives list of shared

Samba server (3.2.7 sernet rpm) is a member server in a W2003 domain.

I emphasise that with version 3.2.2 or 3.2.3 (around Oct..Nov 2007) and
exactly the same configuration everything did work perfectly. After that
there has been a couple months worth of win hotfixes and upgrade to
I did read the change texts, but didn't find a clue there.

Below is level 5 log when client does "net view":

[2009/01/28 11:03:39,  3]
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2009/01/28 11:03:39,  3]
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/01/28 11:03:39,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

I found an entry in Bugzilla
(https://bugzilla.samba.org/show_bug.cgi?id=1010). The symptoms are the
same but I do not have "permitted enctypes" defined in the krb5.conf.
Like in the bugzilla entry, command line authentication works, but
somehow Samba just can't use it.

# wbinfo -a userid%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Samba does not try to communicate with the domain controllers when
client does "net view". Here's a capture of what happens ( is
the samba server and .128 is the xp client):
Capturing on eth0
  0.000000 -> TCP microsoft-ds > 15644 [SYN,
ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 WS=7
  0.000792 -> TCP microsoft-ds > 15644 [ACK]
Seq=1 Ack=137 Win=54 Len=0
  0.003626 -> SMB Negotiate Protocol Response
  0.004591 -> TCP microsoft-ds > 15644 [ACK]
Seq=197 Ack=1729 Win=100 Len=0
  0.006558 -> SMB Session Setup AndX Response,

Samba should have asked authentication from the AD DC, right?
So I think that the tickets are cached somewhere. But where? And if they
are, how to purge the tickets? As root, the only ticket klist shows is the one
which was used when the system was set up. Deleting that ticket and
renewing does not help.

        log level = 5
        server string = IT-testi (Samba 3.2.7)
        workgroup = WG-NAME
        load printers = no
        realm = ORG.LOCAL
        security = ads
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        idmap domains = WG-NAME
        idmap config WG-NAME:default = yes
        idmap config WG-NAME:backend = rid
        idmap config WG-NAME:range = 100-200000
        ifmap config WG-NAME:base_rid = 1
        allow trusted domains = no
        winbind refresh tickets = true
        inherit permissions = yes

Kerberos works via DNS. This is based on an article (which I can't
locate at the moment) in the Samba wiki.

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = ORG.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 76h
 forwardable = yes



 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

Any help is appreciated.
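
Added example, not part of the original message and not Samba project code: a Python parser for the smbd log format quoted above. It joins each "[timestamp, level]" header with its wrapped body lines and counts Kerberos ticket decrypt failures per enctype. The sample lines are constructed from the excerpt in the post; the function names are hypothetical, and the enctype names are the standard IANA Kerberos assignments.

```python
import re
from collections import Counter

# Standard Kerberos encryption type numbers (IANA registry).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
DECRYPT_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Constructed sample, modelled on the log excerpt in the message above.
SAMPLE_LOG = """\
[2009/01/28 11:03:39,  3]
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2009/01/28 11:03:39,  3]
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/01/28 11:03:39,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""

def parse_records(text):
    """Group each '[timestamp, level] location' header with its body lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif records and line.strip():
            # Continuation (possibly re-wrapped by a mail client): join with a space.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def ticket_failures(records):
    """Return (decrypt failures per (enctype, error), rejected session setups)."""
    by_enctype, rejected = Counter(), 0
    for rec in records:
        m = DECRYPT_FAIL.search(rec["msg"])
        if m:
            num = int(m.group(1))
            by_enctype[(ENCTYPES.get(num, f"enctype-{num}"), m.group(2))] += 1
        if "Failed to verify incoming ticket" in rec["msg"]:
            rejected += 1
    return by_enctype, rejected

if __name__ == "__main__":
    failures, rejected = ticket_failures(parse_records(SAMPLE_LOG))
    for (name, err), n in failures.items():
        print(f"{n}x {name}: {err}")
    print(f"session setups rejected: {rejected}")
```

Enc type 23 is RC4-HMAC. A decrypt integrity failure means the key the server tried does not match the key the KDC used to encrypt the service ticket.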


