[Samba] Samba 3.2.7 and XP authentication error

Adam Williams awilliam at mdah.state.ms.us
Thu Jan 29 16:30:41 GMT 2009


I had a similar problem on 3.0.25 or so and up, and putting msdfs root = 
yes in the global section fixed it for me.

Waltari Harri wrote:
> List,
>
> Long and confusing message follows...
> I'm facing a frustrating problem. XP clients can use resources on the
> samba server by IP-address, but not by name. So, "net view \\servername"
> gives "access denied" but "net view \\ipaddress" gives list of shared
> resources. 
>
> Samba server (3.2.7 sernet rpm) is a member server in W2003 domain. 
>
> I emphasise that with version 3.2.2 or 3.2.3 (around Oct..Nov 2007) and
> exactly same configuration everything did work perfectly. After that
> there has been a couple months worth of win hotfixes and upgrade to
> 3.2.7. 
> I did read the change texts, but didn't find a clue there.
>
>
> Below is level 5 log when client does "net view":
>
> [2009/01/28 11:03:39,  3]
> libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> [2009/01/28 11:03:39,  3]
> libads/kerberos_verify.c:ads_verify_ticket(458)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2009/01/28 11:03:39,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>
> I found an entry in bugzilla
> (https://bugzilla.samba.org/show_bug.cgi?id=1010). The symptoms are the
> same but I do not have "permitted enctypes" defined in the krb5.conf.
> Like in the bugzilla entry, command line authentication works, but
> somehow samba just can't use it.
>
> # wbinfo -a userid%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> Samba does not try to communicate with the domain controllers when
> client does "net view". Here's a capture of what happens (192.168.2.6 is
> the samba server and .128 is the xp client):
> Capturing on eth0
>   0.000000 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [SYN,
> ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 WS=7
>   0.000792 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [ACK]
> Seq=1 Ack=137 Win=54 Len=0
>   0.003626 192.168.2.6 -> 192.168.2.128 SMB Negotiate Protocol Response
>   0.004591 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [ACK]
> Seq=197 Ack=1729 Win=100 Len=0
>   0.006558 192.168.2.6 -> 192.168.2.128 SMB Session Setup AndX Response,
> Error: STATUS_LOGON_FAILURE
>
> Samba should have asked authentication from the AD DC, right?
> So I think that the tickets are cached somewhere. But where? And if they
> are, how to purge the tickets? As root only ticket klist is the one
> which was used when the system was setup. Deleting that ticket and
> renewing does not help.
>
> ------------------------------
> smb.conf:
> [global]
>         log level = 5
>         server string = IT-testi (Samba 3.2.7)
>         workgroup = WG-NAME
>         load printers = no
>         realm = ORG.LOCAL
>         security = ads
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         idmap domains = WG-NAME
>         idmap config WG-NAME:default = yes
>         idmap config WG-NAME:backend = rid
>         idmap config WG-NAME:range = 100-200000
>         ifmap config WG-NAME:base_rid = 1
>         allow trusted domains = no
>         winbind refresh tickets = true
>         inherit permissions = yes
>
> ------------------------------
> krb5.conf
> kerberos works via DNS. This is based on an article (which I can't
> locate at the moment) in samba wiki.
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = ORG.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 76h
>  forwardable = yes
>
> [realms]
>
> [domain_realm]
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
>
>
> Any help is appreciated.
>
>
> Harri
>   

