[Samba] samba authenticating users via kerberos failure
Christopher Chan
christopher.chan at bradbury.edu.hk
Sun Apr 1 22:45:07 MDT 2012
On Friday, March 30, 2012 05:40 PM, Christopher Chan wrote:
> When users try to access the samba server via \\shortname, they get a
> dialog prompting them for their username and password. Access via
> \\ip.addr does not exhibit that though.
>
> samba 3.5.13 + winbind + idmap_ldap backend
>
> Logs from samba during attempts to access via \\shortname:
>
> From log.clientip
> [2012/03/30 17:27:46.502131, 1]
> ../../../samba-3.5.13/source3/smbd/sesssetup.c:332()
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>
> From log.winbindd
> [2012/03/30 17:27:01.538840, 6]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
> accepted socket 21
> [2012/03/30 17:27:01.539159, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
> process_request: request fn INTERFACE_VERSION
> [2012/03/30 17:27:01.539244, 3]
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:352()
> [14121]: request interface version
> [2012/03/30 17:27:01.539382, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
> winbind_client_response_written[14121:INTERFACE_VERSION]: deliverd
> response to client
> [2012/03/30 17:27:01.539525, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
> process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/03/30 17:27:01.539595, 3]
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:385()
> [14121]: request location of privileged pipe
> [2012/03/30 17:27:01.539755, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
> winbind_client_response_written[14121:WINBINDD_PRIV_PIPE_DIR]:
> deliverd response to client
> [2012/03/30 17:27:01.540017, 6]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
> accepted socket 30
> [2012/03/30 17:27:01.540160, 6]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
> closing socket 21, client exited
> [2012/03/30 17:27:01.540332, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
> process_request: Handling async request 14121:GETGROUPS
> [2012/03/30 17:27:01.540408, 3]
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:60()
> getgroups root
> [2012/03/30 17:27:01.540646, 5]
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:187()
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.540733, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
> wb_request_done[14121:GETGROUPS]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.540866, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
> winbind_client_response_written[14121:GETGROUPS]: deliverd response
> to client
> [2012/03/30 17:27:01.541252, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
> process_request: Handling async request 14121:GETGROUPS
> [2012/03/30 17:27:01.541333, 3]
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:60()
> getgroups root
> [2012/03/30 17:27:01.541513, 5]
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:187()
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.541588, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
> wb_request_done[14121:GETGROUPS]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.541706, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
> winbind_client_response_written[14121:GETGROUPS]: deliverd response
> to client
> [2012/03/30 17:27:01.546385, 6]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
> closing socket 30, client exited
> [2012/03/30 17:27:10.089633, 6]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
> accepted socket 21
> [2012/03/30 17:27:10.089909, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
> process_request: request fn INTERFACE_VERSION
> [2012/03/30 17:27:10.089985, 3]
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:352()
> [14124]: request interface version
> [2012/03/30 17:27:10.090116, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
> winbind_client_response_written[14124:INTERFACE_VERSION]: deliverd
> response to client
> [2012/03/30 17:27:10.090248, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
> process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/03/30 17:27:10.090317, 3]
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:385()
> [14124]: request location of privileged pipe
> [2012/03/30 17:27:10.090474, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
> winbind_client_response_written[14124:WINBINDD_PRIV_PIPE_DIR]:
> deliverd response to client
> [2012/03/30 17:27:10.090775, 6]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
> accepted socket 30
> [2012/03/30 17:27:10.090910, 6]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
> closing socket 21, client exited
> [2012/03/30 17:27:10.091091, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
> process_request: Handling async request 14124:GETPWNAM
> [2012/03/30 17:27:10.091183, 3]
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:55()
> getpwnam mailnull
> [2012/03/30 17:27:10.091329, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd_cache.c:4805()
> Entry has timed out
> [2012/03/30 17:27:10.096324, 5]
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:138()
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.096456, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
> wb_request_done[14124:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.096618, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
> winbind_client_response_written[14124:GETPWNAM]: deliverd response
> to client
> [2012/03/30 17:27:10.096905, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
> process_request: Handling async request 14124:GETPWNAM
> [2012/03/30 17:27:10.096982, 3]
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:55()
> getpwnam sendmail
> [2012/03/30 17:27:10.097107, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd_cache.c:4800()
> Entry has wrong sequence number: 15036703
> [2012/03/30 17:27:10.100185, 5]
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:138()
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.100324, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
> wb_request_done[14124:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.100483, 10]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
> winbind_client_response_written[14124:GETPWNAM]: deliverd response
> to client
> [2012/03/30 17:27:10.115875, 6]
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
> closing socket 30, client exited
>
> From log.winbindd-dc
> [2012/03/30 17:27:39.657484, 0]
> ../../../samba-3.5.13/source3/lib/util_sock.c:1441()
> getpeername failed. Error was Transport endpoint is not connected
>
> Does anybody have any idea just what the problem is? It was working
> fine with version 3.5.5 until it maxed out the gid range but
> upgrading to 3.5.13 has not fixed the problem even though 3.5.13 has a
> winbind bug fix that stops it from continually allocating new gids.
log level = 10
[2012/04/02 12:41:36.727903, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728153, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728301, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728401, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728534, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728638, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728772, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728907, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.729044, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.729178, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.729310, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.729445, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.729572, 3]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:267()
ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched
keytab principals
[2012/04/02 12:41:36.729750, 3]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:589()
ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
request)
[2012/04/02 12:41:36.729832, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:598()
ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2012/04/02 12:41:36.729994, 1]
../../../samba-3.5.13/source3/smbd/sesssetup.c:332()
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/04/02 12:41:36.730087, 3]
../../../samba-3.5.13/source3/smbd/error.c:80()
error packet at ../../../samba-3.5.13/source3/smbd/sesssetup.c(334)
cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
What does this mean? A configuration problem?
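
Added example (not part of the original post and not Samba code): a Python triage script for the level-10 smbd log layout above that rejoins mail-wrapped entries and tallies which keytab principals ads_keytab_verify_ticket tried and with what error. The function names and the abridged sample are assumptions made for this illustration.

```python
import re
from collections import Counter

# Abridged sample based on the level-10 smbd log in the post. Layout: a
# "[timestamp, level]" header, a source-location line, then message lines
# wrapped by the mail client. Entry 1 uses the archive's " at " for "@".
SAMPLE = """\
[2012/04/02 12:41:36.728772, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1 at BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.729178, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.729832, 10]
../../../samba-3.5.13/source3/libads/kerberos_verify.c:598()
ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+\]$")
ATTEMPT = re.compile(r"keyblock_from_keytab\((.+?)\)\s*failed:\s*(.+)$")
STATUS = re.compile(r"returning error (NT_STATUS_\w+)")

def entries(text):
    """Yield each entry's message with mail-wrapped lines rejoined."""
    body = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate "> " mail quoting
        if HEADER.match(line):
            if body is not None:
                yield " ".join(body[1:])      # body[0] is the source location
            body = []
        elif body is not None and line:
            body.append(line)
    if body is not None:
        yield " ".join(body[1:])

def summarize(text):
    """Return (Counter of (principal, error) attempts, final NT status)."""
    failures, status = Counter(), None
    for msg in entries(text):
        m = ATTEMPT.search(msg)
        if m:  # undo the archive's "@" -> " at " rewrite
            failures[(m.group(1).replace(" at ", "@"), m.group(2))] += 1
        m = STATUS.search(msg)
        if m:
            status = m.group(1)
    return failures, status
```

Run over the full log, summarize() gives the distinct principals smbd tried from its keytab and the error returned for each, which is the list to compare against the keytab contents.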