[Samba] s3 connect to s4 ads woes, need guidance..

Aaron E. ssureshot at gmail.com
Fri May 4 09:51:43 MDT 2012


I'm beating my head up against the wall here.. Need some extra eyes!!!

Setup -- Samba4 Domain Controller and Samba3 print server. DNS 
FlatFile, all DNS works.

Issue: when I browse to the print server via \\IP-Address I am able to 
connect just fine. When I browse using \\netbios-name I connect to the 
server but it opens up a username/pass dialog box and no name or 
passwords will work.

wbinfo  -g / -u work fine.. getent passwd/group works perfectly..
I get the following snippet in the log file.. With smb.conf and 
krb5.conf following that..


   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
   Doing spnego session setup
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
   NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:786(reply_spnego_negotiate)
   reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:568(ads_verify_ticket)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29,  3] smbd/error.c:60(error_packet_set)
   error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/05/04 11:45:29,  3] smbd/process.c:1459(process_smb)
   Transaction 2 of length 1764 (0 toread)
[2012/05/04 11:45:29,  3] smbd/process.c:1273(switch_message)
   switch message SMBsesssetupX (pid 14493) conn 0x0
[2012/05/04 11:45:29,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
   wct=12 flg2=0xc807
[2012/05/04 11:45:29,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
   Doing spnego session setup
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
   NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:786(reply_spnego_negotiate)
   reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:568(ads_verify_ticket)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29,  3] smbd/error.c:60(error_packet_set)
   error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/05/04 11:45:29,  3] smbd/process.c:1459(process_smb)
   Transaction 3 of length 1764 (0 toread)
[2012/05/04 11:45:29,  3] smbd/process.c:1273(switch_message)
   switch message SMBsesssetupX (pid 14493) conn 0x0
[2012/05/04 11:45:29,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
   wct=12 flg2=0xc807
[2012/05/04 11:45:29,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
   Doing spnego session setup
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
   NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:786(reply_spnego_negotiate)
   reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:568(ads_verify_ticket)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29,  3] smbd/error.c:60(error_packet_set)
   error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE


SMB.CONF
[global]
    workgroup = ASTROINTERNAL
    realm = ASTROINTERNAL.COM
    preferred master = no
    server string = Linux Test Machine
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m.log
    max log size = 50
    printcap name = cups
    printing = cups
    allow trusted domains = yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    #idmap backend = "ASTROINTERNAL=10000-19999"
    idmap uid = 1000-20000
    idmap gid = 1000-20000
    ;template primary group = "Domain Users"
    template shell = /bin/bash

KRB5.CONF
[libdefaults]
         default_realm = ASTROINTERNAL.COM
         dns_lookup_realm = false
         dns_lookup_kdc = false
         ticket_lifetime = 24h
         forwardable = yes

[logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log

[realms]
         ASTROINTERNAL.COM = {
         kdc = astrodc1.astrointernal.com
         admin_server = astrodc1.astrointernal.com
         default_domain = astroshapes.com
         }

[domain_realm]
         .astrointernal.com = ASTROINTERNAL.COM
         astrointernal.com = ASTROINTERNAL.COM

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
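
Added example, not part of the original post: a small parser for smbd log output in the format quoted above that rejoins hard-wrapped records and counts Kerberos ticket decrypt failures per encryption type. The function names and the sample text are constructed for illustration; the enctype names come from the IANA Kerberos encryption type registry.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (IANA registry) mapped to common names.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s+(?P<lvl>\d+)\]\s*(?P<loc>\S+)?")
DECRYPT = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Constructed sample in smbd's log format; the first record is hard-wrapped
# the way a mail client would wrap it.
SAMPLE = """\
[2012/05/04 11:45:29,  3]
libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:568(ads_verify_ticket)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""

def records(text):
    """Yield (timestamp, level, location, message) with wrapped lines rejoined."""
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if cur:
                yield cur[0], cur[1], cur[2], " ".join(cur[3])
            cur = [m["ts"], int(m["lvl"]), m["loc"], []]
        elif cur is not None and line.strip():
            if cur[2] is None:      # source location wrapped onto its own line
                cur[2] = line.strip()
            else:
                cur[3].append(line.strip())
    if cur:
        yield cur[0], cur[1], cur[2], " ".join(cur[3])

def kerberos_failures(text):
    """Return ({(enctype, error): count}, number of rejected session setups)."""
    decrypt, rejected = Counter(), 0
    for _ts, _lvl, _loc, msg in records(text):
        m = DECRYPT.search(msg)
        if m:
            n = int(m.group(1))
            decrypt[(ETYPES.get(n, f"etype-{n}"), m.group(2).strip())] += 1
        elif "Failed to verify incoming ticket" in msg:
            rejected += 1
    return dict(decrypt), rejected
```

A "Decrypt integrity check failed" entry means the key smbd tried did not match the key the service ticket was encrypted with, so the count per enctype shows which stored key to compare against the KDC's.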


