[Samba] Samba 4 Kerberos: Failed to decrypt PA-DATA

steve steve at steve-ss.com
Fri Dec 23 01:12:33 MST 2011


On 12/23/2011 06:34 AM, Günter Kukkukk wrote:
> On Thursday 22 December 2011 22:32:46 steve wrote:
>> Hi everyone
>>
>> After almost 2 days up-time with Samba 4, it failed again. This time it
>> simply will not restart.
>>
>> The krb5.conf had got corrupted. I replaced it with this one from
>> /usr/local/samba/private
>>
>> /etc/krb5.conf
>> [libdefaults]
>>       default_realm = HH3.SITE
>>       dns_lookup_realm = false
>>       dns_lookup_kdc = true
>>
>> It starts up OK:
>> samba -i -d 3
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> params.c:pm_process() - Processing configuration file
>> "/usr/local/samba/etc/smb.conf"
>> samba version 4.0.0alpha18-GIT-bfc7481 started.
>> Copyright Andrew Tridgell and the Samba Team 1992-2011
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> NTPTR backend 'simple_ldb'
>> NTVFS backend 'default' for type 1 registered
>> NTVFS backend 'posix' for type 1 registered
>> NTVFS backend 'unixuid' for type 1 registered
>> NTVFS backend 'unixuid' for type 3 registered
>> NTVFS backend 'unixuid' for type 2 registered
>> NTVFS backend 'cifs' for type 1 registered
>> NTVFS backend 'smb2' for type 1 registered
>> NTVFS backend 'simple' for type 1 registered
>> NTVFS backend 'cifsposix' for type 1 registered
>> NTVFS backend 'default' for type 3 registered
>> NTVFS backend 'default' for type 2 registered
>> NTVFS backend 'nbench' for type 1 registered
>> PROCESS_MODEL 'single' registered
>> PROCESS_MODEL 'standard' registered
>> PROCESS_MODEL 'onefork' registered
>> PROCESS_MODEL 'prefork' registered
>> AUTH backend 'sam' registered
>> AUTH backend 'sam_ignoredomain' registered
>> AUTH backend 'anonymous' registered
>> AUTH backend 'server' registered
>> AUTH backend 'winbind' registered
>> AUTH backend 'winbind_wbclient' registered
>> AUTH backend 'name_to_ntstatus' registered
>> AUTH backend 'fixed_challenge' registered
>> AUTH backend 'unix' registered
>> SHARE backend [classic] registered.
>> SHARE backend [ldb] registered.
>> ldb_wrap open of privilege.ldb
>> samba: using 'standard' process model
>> DCERPC endpoint server 'rpcecho' registered
>> DCERPC endpoint server 'epmapper' registered
>> DCERPC endpoint server 'remote' registered
>> DCERPC endpoint server 'srvsvc' registered
>> DCERPC endpoint server 'wkssvc' registered
>> DCERPC endpoint server 'unixinfo' registered
>> DCERPC endpoint server 'samr' registered
>> DCERPC endpoint server 'winreg' registered
>> DCERPC endpoint server 'netlogon' registered
>> DCERPC endpoint server 'dssetup' registered
>> DCERPC endpoint server 'lsarpc' registered
>> DCERPC endpoint server 'backupkey' registered
>> DCERPC endpoint server 'spoolss' registered
>> DCERPC endpoint server 'drsuapi' registered
>> DCERPC endpoint server 'browser' registered
>> DCERPC endpoint server 'eventlog6' registered
>> DCERPC endpoint server 'dnsserver' registered
>> WARNING: no socket to connect to
>> ldb_wrap open of secrets.ldb
>> ldb_wrap open of idmap.ldb
>> Calling DNS name update script
>> Calling SPN name update script
>> kccsrv_partition[DC=hh3,DC=site] loaded
>> kccsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
>> kccsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
>> kccsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
>> dreplsrv_partition[CN=Configuration,DC=hh3,DC=site] loaded
>> dreplsrv_partition[CN=Schema,CN=Configuration,DC=hh3,DC=site] loaded
>> dreplsrv_partition[DC=hh3,DC=site] loaded
>> dreplsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
>> dreplsrv_partition[DC=DomainDnsZones,DC=hh3,DC=site] loaded
>> kccsrv_partition[DC=ForestDnsZones,DC=hh3,DC=site] loaded
>> Completed SPN update check OK
>> Completed DNS update check OK
>> Registered HH3<00>  with 192.168.1.3 on interface 192.168.1.255
>> Registered HH3<03>  with 192.168.1.3 on interface 192.168.1.255
>> Registered HH3<20>  with 192.168.1.3 on interface 192.168.1.255
>> Registered CACTUS<1b>  with 192.168.1.3 on interface 192.168.1.255
>> Registered CACTUS<1c>  with 192.168.1.3 on interface 192.168.1.255
>> Registered CACTUS<00>  with 192.168.1.3 on interface 192.168.1.255
>>
>>
>> And this works:
>>
>>    kinit Administrator at HH3.SITE
>> Password for Administrator at HH3.SITE:
>> Warning: Your password will expire in 40 days on Tue Jan 31 23:40:57 2012
>>
>> Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:39949 for
>> krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: Client sent patypes: 149
>> Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE
>> Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>> Administrator at HH3.SITE
>> Kerberos: AS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:33899 for
>> krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: Client sent patypes: encrypted-timestamp, 149
>> Kerberos: Looking for PKINIT pa-data -- Administrator at HH3.SITE
>> Kerberos: Looking for ENC-TS pa-data -- Administrator at HH3.SITE
>> Kerberos: ENC-TS Pre-authentication succeeded -- Administrator at HH3.SITE
>> using arcfour-hmac-md5
>> Kerberos: AS-REQ authtime: 2011-12-22T22:19:54 starttime: unset endtime:
>> 2011-12-23T08:19:54 renew till: 2011-12-23T22:19:47
>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
>> arcfour-hmac-md5/arcfour-hmac-md5
>> Kerberos: Requested flags: renewable-ok
>>
>> Then this fails:
>>
>>    wbinfo -u
>> Error looking up domain users
>>
>> Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
>> - NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
>> NT_STATUS_CONNECTION_DISCONNECTED]
>> ldb_wrap open of secrets.ldb
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:58803 for
>> krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
>> Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:49440 for
>> krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: Client sent patypes: encrypted-timestamp
>> Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
>> Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
>> Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype
>> arcfour-hmac-md5) error Decrypt integrity check failed
>> Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
>> Wrong username or password: kinit for HH3$@HH3.SITE failed
>> (Preauthentication failed)
>>
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
>> Terminating connection - 'NT_STATUS_END_OF_FILE'
>> Terminating connection - 'NT_STATUS_END_OF_FILE'
>> standard_terminate: reason[NT_STATUS_END_OF_FILE]
>> Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
>> - NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
>> NT_STATUS_CONNECTION_DISCONNECTED]
>>
>> And this:
>>
>>    wbinfo -i Administrator
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user Administrator
>>
>> ldb_wrap open of secrets.ldb
>> using SPNEGO
>> Selected protocol [8][NT LANMAN 1.0]
>> Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:38518 for
>> krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
>> Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:53444 for
>> krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: Client sent patypes: encrypted-timestamp
>> Kerberos: Looking for PKINIT pa-data -- HH3$@HH3.SITE
>> Kerberos: Looking for ENC-TS pa-data -- HH3$@HH3.SITE
>> Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype
>> arcfour-hmac-md5) error Decrypt integrity check failed
>> Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
>> Wrong username or password: kinit for HH3$@HH3.SITE failed
>> (Preauthentication failed)
>>
>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> Failed initial gensec_update with mechanism spnego: NT_STATUS_LOGON_FAILURE
>> Terminating connection - 'NT_STATUS_END_OF_FILE'
>> Terminating connection - 'NT_STATUS_END_OF_FILE'
>> standard_terminate: reason[NT_STATUS_END_OF_FILE]
>> Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
>> - NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
>> NT_STATUS_CONNECTION_DISCONNECTED]
>>
>> Any ideas anyone?
>> Thanks
>> Steve
> which distro are you using?
>
> Cheers, Günter
openSUSE 12.1 with this output (but same with Ubuntu 11.10 on the git 
from the day after this checkout).

Thanks
Steve
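The log excerpts quoted above show the diagnostic pattern behind this thread: the KDC on the same host accepts an ENC-TS pre-authentication for `Administrator`, but the machine account `HH3$` fails with "Decrypt integrity check failed". Below is an added example, not code from the thread or from the Samba project, that parses lines of this shape and reports per-principal pre-authentication outcomes. It assumes the `samba -i -d 3` line formats as quoted in the thread, with the mail-wrapped lines rejoined and the list archive's " at " munging restored to "@"; the sample log is constructed from those excerpts. A failed ENC-TS decrypt means the key the client used to encrypt the timestamp is not the key the KDC holds for that principal; the script reports that fact and leaves the cause (stale machine password, corrupted secrets, wrong salt) to the operator.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, modelled on the "samba -i -d 3" output quoted in the
# thread (same realm, host and ports); each event is rejoined onto one line.
SAMPLE_LOG = """\
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:39949 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@HH3.SITE
Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:33899 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@HH3.SITE using arcfour-hmac-md5
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:58803 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- HH3$@HH3.SITE
Kerberos: AS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:49440 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- HH3$@HH3.SITE
Wrong username or password: kinit for HH3$@HH3.SITE failed (Preauthentication failed)
"""

# Line shapes taken from the quoted log. The second, shorter "Failed to
# decrypt" line (no enctype) is deliberately not matched so that one failed
# attempt is counted once.
ASREQ_RE = re.compile(r"^Kerberos: AS-REQ (\S+) from (\S+) for (\S+)$")
PREAUTH_REQ_RE = re.compile(r"^Kerberos: No preauth found, returning PREAUTH-REQUIRED -- (\S+)$")
SUCCESS_RE = re.compile(r"^Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)$")
FAIL_RE = re.compile(r"^Kerberos: Failed to decrypt PA-DATA -- (\S+) \(enctype (\S+)\) error (.+)$")


@dataclass
class PrincipalStats:
    as_requests: int = 0
    preauth_required: int = 0   # normal first round trip, not an error
    successes: int = 0
    failures: int = 0
    enctypes: set = field(default_factory=set)
    errors: list = field(default_factory=list)


def summarize(log_text):
    """Group Kerberos AS-REQ events by client principal."""
    stats = defaultdict(PrincipalStats)
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := ASREQ_RE.match(line):
            stats[m.group(1)].as_requests += 1
        elif m := PREAUTH_REQ_RE.match(line):
            stats[m.group(1)].preauth_required += 1
        elif m := SUCCESS_RE.match(line):
            s = stats[m.group(1)]
            s.successes += 1
            s.enctypes.add(m.group(2))
        elif m := FAIL_RE.match(line):
            s = stats[m.group(1)]
            s.failures += 1
            s.enctypes.add(m.group(2))
            s.errors.append(m.group(3))
    return dict(stats)


def is_machine_account(principal):
    # Machine accounts in an AD-style realm end in "$" before the realm.
    return principal.split("@", 1)[0].endswith("$")


def diagnose(stats):
    """Return one finding per principal whose ENC-TS preauth only ever fails."""
    findings = []
    for principal, s in sorted(stats.items()):
        if s.failures == 0 or s.successes > 0:
            continue
        kind = "machine account" if is_machine_account(principal) else "user account"
        if any("integrity check failed" in e for e in s.errors):
            findings.append(
                f"{principal}: {kind} failed ENC-TS preauth {s.failures}x "
                f"(enctypes {sorted(s.enctypes)}): the client's key does not match "
                f"the KDC's key for this principal"
            )
        else:
            findings.append(f"{principal}: {kind} failed ENC-TS preauth {s.failures}x: {s.errors}")
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for principal, s in summary.items():
        print(principal, s)
    for finding in diagnose(summary):
        print("FINDING:", finding)
```

On the thread's log this reports only `HH3$@HH3.SITE`; `Administrator@HH3.SITE` also produced a `PREAUTH-REQUIRED` round trip, but that is the KDC asking for pre-authentication, not a failure, which is why the script counts it separately rather than treating it as an error.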