[Samba] Samba 4 Kerberos: Failed to decrypt PA-DATA

Günter Kukkukk linux at kukkukk.com
Thu Dec 22 22:34:40 MST 2011


On Thursday 22 December 2011 22:32:46 steve wrote:
> Hi everyone
> 
> After almost 2 days up-time with Samba 4, it failed again. This time it
> simply will not restart.
> 
> The krb5.conf had got corrupted. I replaced it with this one from
> /usr/local/samba/private
> 
> /etc/krb5.conf
> [libdefaults]
>      default_realm = HH3.SITE
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> It starts up OK:
> samba -i -d 3
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/etc/smb.conf"
> samba version 4.0.0alpha18-GIT-bfc7481 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2011
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> NTPTR backend 'simple_ldb'
> NTVFS backend 'default' for type 1 registered
> NTVFS backend 'posix' for type 1 registered
> NTVFS backend 'unixuid' for type 1 registered
> NTVFS backend 'unixuid' for type 3 registered
> NTVFS backend 'unixuid' for type 2 registered
> NTVFS backend 'cifs' for type 1 registered
> NTVFS backend 'smb2' for type 1 registered
> NTVFS backend 'simple' for type 1 registered
> NTVFS backend 'cifsposix' for type 1 registered
> NTVFS backend 'default' for type 3 registered
> NTVFS backend 'default' for type 2 registered
> NTVFS backend 'nbench' for type 1 registered
> PROCESS_MODEL 'single' registered
> PROCESS_MODEL 'standard' registered
> PROCESS_MODEL 'onefork' registered
> PROCESS_MODEL 'prefork' registered
> AUTH backend 'sam' registered
> AUTH backend 'sam_ignoredomain' registered
> AUTH backend 'anonymous' registered
> AUTH backend 'server' registered
> AUTH backend 'winbind' registered
> AUTH backend 'winbind_wbclient' registered
> AUTH backend 'name_to_ntstatus' registered
> AUTH backend 'fixed_challenge' registered
> AUTH backend 'unix' registered
> SHARE backend [classic] registered.
> SHARE backend [ldb] registered.
> ldb_wrap open of privilege.ldb
> samba: using 'standard' process model
> DCERPC endpoint server 'rpcecho' registered
> DCERPC endpoint server 'epmapper' registered
> DCERPC endpoint server 'remote' registered
> DCERPC endpoint server 'srvsvc' registered
> DCERPC endpoint server 'wkssvc' registered
> DCERPC endpoint server 'unixinfo' registered
> DCERPC endpoint server 'samr' registered
> DCERPC endpoint server 'winreg' registered
> DCERPC endpoint server 'netlogon' registered
> DCERPC endpoint server 'dssetup' registered
> DCERPC endpoint server 'lsarpc' registered
> DCERPC endpoint server 'backupkey' registered
> DCERPC endpoint server 'spoolss' registered
> DCERPC endpoint server 'drsuapi' registered
> DCERPC endpoint server 'browser' registered
> DCERPC endpoint server 'eventlog6' registered
> DCERPC endpoint server 'dnsserver' registered
> WARNING: no socket to connect to
> ldb_wrap open of secrets.ldb
> ldb_wrap open of idmap.ldb
> Calling DNS name update script
> Calling SPN name update script
> kccsrv_partition[DC=hh3,DC=site] loaded
> kccsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
> kccsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
> kccsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
> dreplsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
> dreplsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
> dreplsrv_partition[DC=hh3,DC=site] loaded
> dreplsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
> dreplsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
> kccsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
> Completed SPN update check OK
> Completed DNS update check OK
> Registered HH3<00> with 192.168.1.3 on interface 192.168.1.255
> Registered HH3<03> with 192.168.1.3 on interface 192.168.1.255
> Registered HH3<20> with 192.168.1.3 on interface 192.168.1.255
> Registered CACTUS<1b> with 192.168.1.3 on interface 192.168.1.255
> Registered CACTUS<1c> with 192.168.1.3 on interface 192.168.1.255
> Registered CACTUS<00> with 192.168.1.3 on interface 192.168.1.255
> 
> 
> And this works:
> 
>   kinit Administrator at HH3.SITE
> Password for Administrator at HH3.SITE:
> Warning: Your password will expire in 40 days on Tue Jan 31 23:40:57 2012
> 
> Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:39949 for
> krbtgt/HH3.SITE at HH3.SITE
> Kerberos: Client sent patypes: 149
> Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE
> Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> Administrator at HH3.SITE
> Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:33899 for
> krbtgt/HH3.SITE at HH3.SITE
> Kerberos: Client sent patypes: encrypted-timestamp, 149
> Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE
> Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE
> Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at HH3.SITE
> using arcfour-hmac-md5
> Kerberos: AS-REQ authtime: 2011-12-22T22:19:54 starttime: unset endtime:
> 2011-12-23T08:19:54 renew till: 2011-12-23T22:19:47
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
> arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable-ok
> 
> Then this fails:
> 
>   wbinfo -u
> Error looking up domain users
> 
> Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
> ldb_wrap open of secrets.ldb
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:58803 for
> krbtgt/HH3.SITE at HH3.SITE
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
> Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:49440 for
> krbtgt/HH3.SITE at HH3.SITE
> Kerberos: Client sent patypes: encrypted-timestamp
> Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
> Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
> Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype
> arcfour-hmac-md5) error Decrypt integrity check failed
> Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
> Wrong username or password: kinit for HH3$@HH3.SITE failed
> (Preauthentication failed)
> 
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
> Terminating connection - 'NT_STATUS_END_OF_FILE'
> Terminating connection - 'NT_STATUS_END_OF_FILE'
> standard_terminate: reason[NT_STATUS_END_OF_FILE]
> Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
> 
> And this:
> 
>   wbinfo -i Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user Administrator
> 
> ldb_wrap open of secrets.ldb
> using SPNEGO
> Selected protocol [8][NT LANMAN 1.0]
> Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:38518 for
> krbtgt/HH3.SITE at HH3.SITE
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
> Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:53444 for
> krbtgt/HH3.SITE at HH3.SITE
> Kerberos: Client sent patypes: encrypted-timestamp
> Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
> Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
> Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype
> arcfour-hmac-md5) error Decrypt integrity check failed
> Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
> Wrong username or password: kinit for HH3$@HH3.SITE failed
> (Preauthentication failed)
> 
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
> Terminating connection - 'NT_STATUS_END_OF_FILE'
> Terminating connection - 'NT_STATUS_END_OF_FILE'
> standard_terminate: reason[NT_STATUS_END_OF_FILE]
> Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
> 
> Any ideas anyone?
> Thanks
> Steve

Which distro are you using?

Cheers, Günter
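The log Steve posted shows the two outcomes a KDC reports for encrypted-timestamp (ENC-TS) pre-authentication: "ENC-TS Pre-authentication succeeded" for Administrator, and "Failed to decrypt PA-DATA ... Decrypt integrity check failed" for the machine account HH3$. The second message means the KDC could not verify the client's encrypted timestamp with the key it holds for that principal, i.e. the client and the KDC are using different keys for HH3$, which is a different condition from a user mistyping a password and worth separating when reading such logs. The following script is an added example, not code from the thread or from Samba: it parses lines of this shape, tallies AS-REQ, PREAUTH-REQUIRED, success and failure per principal, and classifies the result (machine accounts are recognised by the trailing `$`). The sample log is constructed from the thread's output, with the archive's " at " obfuscation restored to `@` and wrapped lines joined; the function names, the `machine-key-mismatch` label and the failure threshold are this example's own choices.

```python
"""Triage Heimdal/Samba 4 KDC pre-authentication log lines (added example)."""
import re
from dataclasses import dataclass, field

# Line shapes as they appear in the thread's `samba -i -d 3` output.
AS_REQ_RE = re.compile(
    r"Kerberos: AS-REQ (?P<princ>\S+) from (?P<src>\S+) for (?P<svc>\S+)")
PREAUTH_REQ_RE = re.compile(
    r"Kerberos: No preauth found, returning PREAUTH-REQUIRED -- (?P<princ>\S+)")
SUCCESS_RE = re.compile(
    r"Kerberos: ENC-TS Pre-authentication succeeded -- (?P<princ>\S+) using (?P<etype>\S+)")
# The KDC logs the failure twice per attempt (once with enctype and error,
# once bare); matching only the enctype-bearing line counts each attempt once.
FAIL_RE = re.compile(
    r"Kerberos: Failed to decrypt PA-DATA -- (?P<princ>\S+) "
    r"\(enctype (?P<etype>[^)]+)\) error (?P<err>.+)")


@dataclass
class PrincipalStats:
    principal: str
    as_req: int = 0
    preauth_required: int = 0
    succeeded: int = 0
    failed: int = 0
    enctypes: set = field(default_factory=set)
    errors: set = field(default_factory=set)
    sources: set = field(default_factory=set)

    @property
    def is_machine_account(self) -> bool:
        # Machine (computer) accounts carry a trailing '$' in the name part.
        return self.principal.split("@", 1)[0].endswith("$")


def summarize(lines):
    """Tally pre-authentication events per client principal."""
    stats = {}

    def get(princ):
        return stats.setdefault(princ, PrincipalStats(princ))

    for line in lines:
        if m := AS_REQ_RE.search(line):
            s = get(m["princ"])
            s.as_req += 1
            s.sources.add(m["src"])
        elif m := PREAUTH_REQ_RE.search(line):
            get(m["princ"]).preauth_required += 1
        elif m := SUCCESS_RE.search(line):
            s = get(m["princ"])
            s.succeeded += 1
            s.enctypes.add(m["etype"])
        elif m := FAIL_RE.search(line):
            s = get(m["princ"])
            s.failed += 1
            s.enctypes.add(m["etype"])
            s.errors.add(m["err"].strip())
    return stats


def classify(s: PrincipalStats, threshold: int = 3) -> str:
    """Label a principal's pre-auth history (labels are this example's own)."""
    if s.failed == 0:
        return "ok"
    if s.is_machine_account and "Decrypt integrity check failed" in s.errors:
        # Timestamp encrypted under a key the KDC does not hold for this
        # account: stored machine password and directory key disagree.
        return "machine-key-mismatch"
    if s.failed >= threshold and s.succeeded == 0:
        # Many failures, no success: stale credential or guessing attempts.
        return "repeated-preauth-failure"
    return "preauth-failure"


def report(stats) -> list:
    """One human-readable line per principal, machine accounts first."""
    out = []
    for s in sorted(stats.values(), key=lambda x: (not x.is_machine_account, x.principal)):
        out.append(f"{s.principal:28} as_req={s.as_req} preauth_req={s.preauth_required} "
                   f"ok={s.succeeded} fail={s.failed} enctypes={sorted(s.enctypes)} "
                   f"-> {classify(s)}")
    return out


# Constructed sample, reassembled from the thread's log (unwrapped, '@' restored).
SAMPLE_LOG = """
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:39949 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@HH3.SITE
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:33899 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@HH3.SITE using arcfour-hmac-md5
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:58803 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:49440 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:38518 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:53444 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
""".strip()

if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against a real `samba -i -d 3` capture by feeding the file's lines to `summarize()`. A user principal that fails and then succeeds reads as a typo; a machine account that only ever fails with "Decrypt integrity check failed" points at the stored machine credential rather than at the user, which is the distinction the classification makes explicit.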