[Samba] Samba 4 Kerberos: Failed to decrypt PA-DATA
steve
steve at steve-ss.com
Thu Dec 22 14:32:46 MST 2011
Hi everyone
After almost 2 days up-time with Samba 4, it failed again. This time it
simply will not restart.
The krb5.conf had got corrupted. I replaced it with this one from
/usr/local/samba/private
/etc/krb5.conf
[libdefaults]
default_realm = HH3.SITE
dns_lookup_realm = false
dns_lookup_kdc = true

It starts up OK:

samba -i -d 3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
samba version 4.0.0alpha18-GIT-bfc7481 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'nbench' for type 1 registered
PROCESS_MODEL 'single' registered
PROCESS_MODEL 'standard' registered
PROCESS_MODEL 'onefork' registered
PROCESS_MODEL 'prefork' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
AUTH backend 'anonymous' registered
AUTH backend 'server' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
SHARE backend [classic] registered.
SHARE backend [ldb] registered.
ldb_wrap open of privilege.ldb
samba: using 'standard' process model
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'backupkey' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'eventlog6' registered
DCERPC endpoint server 'dnsserver' registered
WARNING: no socket to connect to
ldb_wrap open of secrets.ldb
ldb_wrap open of idmap.ldb
Calling DNS name update script
Calling SPN name update script
kccsrv_partition[DC=hh3,DC=site] loaded
kccsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
kccsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
kccsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
dreplsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
dreplsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
dreplsrv_partition[DC=hh3,DC=site] loaded
dreplsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
dreplsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
kccsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
Completed SPN update check OK
Completed DNS update check OK
Registered HH3<00> with 192.168.1.3 on interface 192.168.1.255
Registered HH3<03> with 192.168.1.3 on interface 192.168.1.255
Registered HH3<20> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<1b> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<1c> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<00> with 192.168.1.3 on interface 192.168.1.255

And this works:

kinit Administrator at HH3.SITE
Password for Administrator at HH3.SITE:
Warning: Your password will expire in 40 days on Tue Jan 31 23:40:57 2012
Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:39949 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
Administrator at HH3.SITE
Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:33899 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at HH3.SITE
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2011-12-22T22:19:54 starttime: unset endtime:
2011-12-23T08:19:54 renew till: 2011-12-23T22:19:47
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

Then this fails:

wbinfo -u
Error looking up domain users
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:58803 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:49440 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
Wrong username or password: kinit for HH3$@HH3.SITE failed
(Preauthentication failed)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED]

And this:

wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator
ldb_wrap open of secrets.ldb
using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:38518 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:53444 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
Wrong username or password: kinit for HH3$@HH3.SITE failed
(Preauthentication failed)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED]

Any ideas anyone?
Thanks
Steve
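The log above shows the two outcomes a KDC at this debug level reports for ENC-TS pre-authentication: "ENC-TS Pre-authentication succeeded" for Administrator, and "Failed to decrypt PA-DATA ... Decrypt integrity check failed" for the DC's own machine account HH3$. The second means the client reached the KDC and offered an encrypted timestamp, but the KDC's stored key for that principal could not decrypt it, i.e. the client and the KDC disagree on the account key. The script below is an added example written for this thread, not Samba code: it parses lines in the format of `samba -i -d 3` output, pairs each AS-REQ with its pre-auth result, and says per principal whether the failure is a key mismatch. The embedded sample log is constructed from the post's line format (same principals and addresses, made-up ports) with one message per line, as samba itself prints them; the mailing-list archive re-wrapped long lines, so feed it terminal output rather than archive text.

```python
"""Triage Kerberos AS-REQ pre-authentication results in `samba -i -d 3` output.

Added example for this thread; not Samba code. Expects one log message per
line, as samba prints them (the list archive re-wrapped the long lines).
"""
import re
from collections import defaultdict

# Constructed sample in the format of the post's log: one successful ENC-TS
# pre-auth for Administrator, two failures for the DC's own machine account.
SAMPLE_LOG = """\
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:39949 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@HH3.SITE
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:33899 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@HH3.SITE using arcfour-hmac-md5
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:58803 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:49440 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:53444 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
"""

AS_REQ = re.compile(r"^Kerberos: AS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<server>\S+)")
PREAUTH_OK = re.compile(
    r"^Kerberos: ENC-TS Pre-authentication succeeded -- (?P<client>\S+) using (?P<enctype>\S+)")
PREAUTH_FAIL = re.compile(
    r"^Kerberos: Failed to decrypt PA-DATA -- (?P<client>\S+) \(enctype (?P<enctype>[^)]+)\) error (?P<error>.+)$")


def parse_preauth(text):
    """Return (client, src, outcome, enctype, error) tuples, one per AS-REQ that
    carried ENC-TS pre-auth data. The first, pre-auth-less round trip that the
    KDC answers with PREAUTH-REQUIRED is normal protocol flow and is skipped."""
    results = []
    pending = None  # (client, src) of the AS-REQ whose outcome we have not seen yet
    for line in text.splitlines():
        m = AS_REQ.match(line)
        if m:
            pending = (m["client"], m["src"])
            continue
        m = PREAUTH_OK.match(line)
        if m and pending and pending[0] == m["client"]:
            results.append((m["client"], pending[1], "ok", m["enctype"], ""))
            pending = None
            continue
        m = PREAUTH_FAIL.match(line)  # the repeated line without "(enctype" is ignored
        if m and pending and pending[0] == m["client"]:
            results.append((m["client"], pending[1], "fail", m["enctype"].strip(), m["error"].strip()))
            pending = None
    return results


def triage(results):
    """Per principal: count outcomes and explain what a failure means."""
    per_client = defaultdict(lambda: {"ok": 0, "fail": 0, "errors": set()})
    for client, _src, outcome, _enctype, error in results:
        per_client[client][outcome] += 1
        if error:
            per_client[client]["errors"].add(error)
    findings = {}
    for client, entry in per_client.items():
        if entry["fail"] == 0:
            findings[client] = "pre-auth healthy"
        elif "Decrypt integrity check failed" in entry["errors"]:
            kind = "machine account" if client.split("@")[0].endswith("$") else "user"
            findings[client] = (
                f"key mismatch: the KDC's stored key for this {kind} does not match the key "
                "the client derived from its password; the client reached the KDC and offered "
                "a timestamp, so this is not a DNS or krb5.conf lookup problem")
        else:
            findings[client] = "pre-auth failing: " + ", ".join(sorted(entry["errors"]))
    return findings


def failing_clients_by_source(results):
    """Distinct principals failing pre-auth per source address (port dropped).
    One account from one host points at misconfiguration; many accounts from
    one host is the shape of password guessing and deserves a look."""
    by_src = defaultdict(set)
    for client, src, outcome, _enctype, _error in results:
        if outcome == "fail":
            by_src[src.rsplit(":", 1)[0]].add(client)
    return dict(by_src)


if __name__ == "__main__":
    parsed = parse_preauth(SAMPLE_LOG)
    for principal, verdict in triage(parsed).items():
        print(f"{principal}: {verdict}")
    print(failing_clients_by_source(parsed))
```

Run on the post's session this reports Administrator as healthy and HH3$ as a key mismatch from a single source, which narrows the question to why the DC's own machine-account key no longer matches what the KDC holds, rather than to DNS, the realm mapping in krb5.conf, or the enctype list.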