[Samba] Samba 4 Kerberos: Failed to decrypt PA-DATA

steve steve at steve-ss.com
Thu Dec 22 14:32:46 MST 2011


Hi everyone

After almost 2 days up-time with Samba 4, it failed again. This time it 
simply will not restart.

The krb5.conf had got corrupted. I replaced it with this one from 
/usr/local/samba/private

/etc/krb5.conf
[libdefaults]
     default_realm = HH3.SITE
     dns_lookup_realm = false
     dns_lookup_kdc = true

It starts up OK:
samba -i -d 3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file 
"/usr/local/samba/etc/smb.conf"
samba version 4.0.0alpha18-GIT-bfc7481 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'nbench' for type 1 registered
PROCESS_MODEL 'single' registered
PROCESS_MODEL 'standard' registered
PROCESS_MODEL 'onefork' registered
PROCESS_MODEL 'prefork' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
AUTH backend 'anonymous' registered
AUTH backend 'server' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
SHARE backend [classic] registered.
SHARE backend [ldb] registered.
ldb_wrap open of privilege.ldb
samba: using 'standard' process model
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'backupkey' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'eventlog6' registered
DCERPC endpoint server 'dnsserver' registered
WARNING: no socket to connect to
ldb_wrap open of secrets.ldb
ldb_wrap open of idmap.ldb
Calling DNS name update script
Calling SPN name update script
kccsrv_partition[DC=hh3,DC=site] loaded
kccsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
kccsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
kccsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
dreplsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
dreplsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
dreplsrv_partition[DC=hh3,DC=site] loaded
dreplsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
dreplsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
kccsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
Completed SPN update check OK
Completed DNS update check OK
Registered HH3<00> with 192.168.1.3 on interface 192.168.1.255
Registered HH3<03> with 192.168.1.3 on interface 192.168.1.255
Registered HH3<20> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<1b> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<1c> with 192.168.1.3 on interface 192.168.1.255
Registered CACTUS<00> with 192.168.1.3 on interface 192.168.1.255


And this works:

  kinit Administrator@HH3.SITE
Password for Administrator@HH3.SITE:
Warning: Your password will expire in 40 days on Tue Jan 31 23:40:57 2012

Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:39949 for 
krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- Administrator@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- Administrator@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
Administrator@HH3.SITE
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:33899 for 
krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- Administrator@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- Administrator@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@HH3.SITE 
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2011-12-22T22:19:54 starttime: unset endtime: 
2011-12-23T08:19:54 renew till: 2011-12-23T22:19:47
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using 
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

Then this fails:

  wbinfo -u
Error looking up domain users

Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() 
- NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:58803 for 
krbtgt/HH3.SITE at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:49440 for 
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype 
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
Wrong username or password: kinit for HH3$@HH3.SITE failed 
(Preauthentication failed)

SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() 
- NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED]

And this:

  wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator

ldb_wrap open of secrets.ldb
using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:38518 for 
krbtgt/HH3.SITE at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:53444 for 
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype 
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
Wrong username or password: kinit for HH3$@HH3.SITE failed 
(Preauthentication failed)

SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
standard_terminate: reason[NT_STATUS_END_OF_FILE]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() 
- NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED]

Any ideas anyone?
Thanks
Steve
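Added example, not code from the post or from Samba: a small Python parser that walks Samba 4 KDC log lines like those above, pairs each AS-REQ with the outcome line the KDC later prints for the same client principal, and reports ENC-TS decrypt failures, marking machine accounts (trailing `$`) separately, because a "Decrypt integrity check failed" on a machine account means the secret the DC used to build the encrypted timestamp and the key the KDC holds for that account no longer match, which is what the HH3$ lines show. The sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample, modelled on the Samba 4 KDC log lines quoted in the post above.
SAMPLE_LOG = """\
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:39949 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@HH3.SITE
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:33899 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@HH3.SITE using arcfour-hmac-md5
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:58803 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:49440 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype arcfour-hmac-md5) error Decrypt integrity check failed
"""

AS_REQ = re.compile(r"^Kerberos: AS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<service>\S+)$")
OUTCOMES = (  # each outcome line names the client principal it belongs to
    ("preauth-required", re.compile(r"^Kerberos: No preauth found, returning PREAUTH-REQUIRED -- (?P<client>\S+)$")),
    ("succeeded", re.compile(r"^Kerberos: ENC-TS Pre-authentication succeeded -- (?P<client>\S+) using (?P<enctype>\S+)$")),
    ("failed", re.compile(r"^Kerberos: Failed to decrypt PA-DATA -- (?P<client>\S+) \(enctype (?P<enctype>\S+)\) error (?P<error>.+)$")),
)

def parse_as_exchanges(log_text):
    """One dict per AS-REQ line, filled in with the outcome the KDC later reports for that client."""
    exchanges, pending = [], {}
    for line in log_text.splitlines():
        m = AS_REQ.match(line)
        if m:
            ex = dict(m.groupdict(), outcome="unknown")
            exchanges.append(ex)
            pending[ex["client"]] = ex  # waits for its outcome line
            continue
        for outcome, rx in OUTCOMES:
            m = rx.match(line)
            if m and m.group("client") in pending:
                ex = pending.pop(m.group("client"))
                ex.update(m.groupdict(), outcome=outcome)  # adds enctype/error when present
                break
    return exchanges

def preauth_failures(exchanges):
    """Decrypt failures per client. A machine account (trailing '$') failing ENC-TS means the
    DC's stored machine secret and the KDC's key disagree; a user failing is usually a bad password."""
    report = {}
    for ex in exchanges:
        if ex["outcome"] == "failed":
            entry = report.setdefault(ex["client"], {"count": 0, "errors": set(),
                                      "machine_account": ex["client"].split("@")[0].endswith("$")})
            entry["count"] += 1
            entry["errors"].add(ex["error"])
    return report
```

Running `preauth_failures(parse_as_exchanges(SAMPLE_LOG))` on the sample reports only HH3$@HH3.SITE, flagged as a machine account, while the Administrator exchange is recorded as succeeded with arcfour-hmac-md5.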