[Samba] samba authenticating users via kerberos failure

Christopher Chan christopher.chan at bradbury.edu.hk
Sun Apr 1 22:45:07 MDT 2012


On Friday, March 30, 2012 05:40 PM, Christopher Chan wrote:
> When users try to access the samba server via \\shortname, they get a 
> dialog prompting them for their username and password. Access via 
> \\ip.addr does not exhibit that though.
>
> samba 3.5.13 + winbind + idmap_ldap backend
>
> Logs from samba during attempts to access via \\shortname:
>
> From log.clientip
> [2012/03/30 17:27:46.502131,  1] 
> ../../../samba-3.5.13/source3/smbd/sesssetup.c:332()
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>
> From log.winbindd
> [2012/03/30 17:27:01.538840,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
>   accepted socket 21
> [2012/03/30 17:27:01.539159, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
>   process_request: request fn INTERFACE_VERSION
> [2012/03/30 17:27:01.539244,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:352()
>   [14121]: request interface version
> [2012/03/30 17:27:01.539382, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14121:INTERFACE_VERSION]: deliverd 
> response to client
> [2012/03/30 17:27:01.539525, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/03/30 17:27:01.539595,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:385()
>   [14121]: request location of privileged pipe
> [2012/03/30 17:27:01.539755, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14121:WINBINDD_PRIV_PIPE_DIR]: 
> deliverd response to client
> [2012/03/30 17:27:01.540017,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
>   accepted socket 30
> [2012/03/30 17:27:01.540160,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
>   closing socket 21, client exited
> [2012/03/30 17:27:01.540332, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
>   process_request: Handling async request 14121:GETGROUPS
> [2012/03/30 17:27:01.540408,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:60()
>   getgroups root
> [2012/03/30 17:27:01.540646,  5] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:187()
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.540733, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
>   wb_request_done[14121:GETGROUPS]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.540866, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14121:GETGROUPS]: deliverd response 
> to client
> [2012/03/30 17:27:01.541252, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
>   process_request: Handling async request 14121:GETGROUPS
> [2012/03/30 17:27:01.541333,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:60()
>   getgroups root
> [2012/03/30 17:27:01.541513,  5] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:187()
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.541588, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
>   wb_request_done[14121:GETGROUPS]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.541706, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14121:GETGROUPS]: deliverd response 
> to client
> [2012/03/30 17:27:01.546385,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
>   closing socket 30, client exited
> [2012/03/30 17:27:10.089633,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
>   accepted socket 21
> [2012/03/30 17:27:10.089909, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
>   process_request: request fn INTERFACE_VERSION
> [2012/03/30 17:27:10.089985,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:352()
>   [14124]: request interface version
> [2012/03/30 17:27:10.090116, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14124:INTERFACE_VERSION]: deliverd 
> response to client
> [2012/03/30 17:27:10.090248, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/03/30 17:27:10.090317,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:385()
>   [14124]: request location of privileged pipe
> [2012/03/30 17:27:10.090474, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14124:WINBINDD_PRIV_PIPE_DIR]: 
> deliverd response to client
> [2012/03/30 17:27:10.090775,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
>   accepted socket 30
> [2012/03/30 17:27:10.090910,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
>   closing socket 21, client exited
> [2012/03/30 17:27:10.091091, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
>   process_request: Handling async request 14124:GETPWNAM
> [2012/03/30 17:27:10.091183,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:55()
>   getpwnam mailnull
> [2012/03/30 17:27:10.091329, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_cache.c:4805()
>   Entry has timed out
> [2012/03/30 17:27:10.096324,  5] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:138()
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.096456, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
>   wb_request_done[14124:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.096618, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14124:GETPWNAM]: deliverd response 
> to client
> [2012/03/30 17:27:10.096905, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
>   process_request: Handling async request 14124:GETPWNAM
> [2012/03/30 17:27:10.096982,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:55()
>   getpwnam sendmail
> [2012/03/30 17:27:10.097107, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_cache.c:4800()
>   Entry has wrong sequence number: 15036703
> [2012/03/30 17:27:10.100185,  5] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:138()
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.100324, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
>   wb_request_done[14124:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.100483, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14124:GETPWNAM]: deliverd response 
> to client
> [2012/03/30 17:27:10.115875,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
>   closing socket 30, client exited
>
> From log.winbindd-dc
> [2012/03/30 17:27:39.657484,  0] 
> ../../../samba-3.5.13/source3/lib/util_sock.c:1441()
>   getpeername failed. Error was Transport endpoint is not connected
>
> Does anybody have any idea just what the problem is? It was working 
> fine with version 3.5.5 until it maxed out the gid range but 
> upgrading to 3.5.13 has not fixed the problem even though 3.5.13 has a 
> winbind bug fix that stops it from continually allocating new gids.

log level = 10

[2012/04/02 12:41:36.727903, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.728153, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.728301, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.728401, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.728534, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.728638, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.728772, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1 at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.728907, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1 at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729044, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1 at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729178, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729310, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729445, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729572,  3] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:267()
   ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched 
keytab principals
[2012/04/02 12:41:36.729750,  3] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:589()
   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in 
request)
[2012/04/02 12:41:36.729832, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:598()
   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2012/04/02 12:41:36.729994,  1] 
../../../samba-3.5.13/source3/smbd/sesssetup.c:332()
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/04/02 12:41:36.730087,  3] 
../../../samba-3.5.13/source3/smbd/error.c:80()
   error packet at ../../../samba-3.5.13/source3/smbd/sesssetup.c(334) 
cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

What does this mean? A configuration problem?
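
A small parser for the wrapped log excerpt above, as an added example that is not part of the original post or of Samba's own tooling: it rejoins each record and tallies which keytab principals `ads_keytab_verify_ticket` tried, so the reported count and the final status can be compared with what was parsed. The host `fs1`, the realm `EXAMPLE.LAN` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]")
ATTEMPT = re.compile(r"from_keytab\((.+?)\)\s*failed: (.+)$")
TOTAL = re.compile(r"failed for all (\d+) matched keytab principals")
STATUS = re.compile(r"ads_verify_ticket: returning error (NT_STATUS_\w+)")
# Constructed sample (hypothetical host fs1, realm EXAMPLE.LAN); first record wrapped as in the post.
SAMPLE = """\
[2012/04/02 12:41:36.000001, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/fs1.example.lan at EXAMPLE.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.000002, 10] libads/kerberos_verify.c:221()
   krb5_rd_req_return_keyblock_from_keytab(host/fs1@EXAMPLE.LAN) failed: Wrong principal in request
[2012/04/02 12:41:36.000003, 10] libads/kerberos_verify.c:221()
   krb5_rd_req_return_keyblock_from_keytab(FS1$@EXAMPLE.LAN) failed: Wrong principal in request
[2012/04/02 12:41:36.000004,  3] libads/kerberos_verify.c:267()
   ads_keytab_verify_ticket: krb5_rd_req failed for all 3 matched 
keytab principals
[2012/04/02 12:41:36.000005, 10] libads/kerberos_verify.c:598()
   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
"""

def parse_records(text):
    """Join each '[timestamp, level]' header with its wrapped continuation lines."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate mail quoting
        m = HEADER.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), [line[m.end():]]))
        elif line and records:
            records[-1][2].append(line)
    return [(ts, lvl, " ".join(p).strip()) for ts, lvl, p in records]

def summarize(text):
    """Tally keytab principals tried, failure reasons, and the final NT status."""
    tried, reasons, reported, status = Counter(), Counter(), None, None
    for _ts, _lvl, msg in parse_records(text):
        if m := ATTEMPT.search(msg):
            tried[m.group(1).replace(" at ", "@")] += 1   # archive shows '@' as ' at '
            reasons[m.group(2)] += 1
        elif m := TOTAL.search(msg):
            reported = int(m.group(1))
        elif m := STATUS.search(msg):
            status = m.group(1)
    return {"tried": dict(tried), "reasons": dict(reasons), "total": reported, "status": status}
```

Comparing the keys of `tried` with the service principals listed by `klist -k` on the server shows whether the keytab holds an entry for the name clients actually connect to.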

