[Samba] s3 connect to s4 ads woes, need guidance..

Aaron E. ssureshot at gmail.com
Fri May 4 09:54:21 MDT 2012


I would like to add that kinit works just fine also..

On 05/04/2012 11:51 AM, Aaron E. wrote:
> I'm beating my head up against the wall here.. Need some extra eyes!!!
>
> Setup -- Samba4 Domain Controller and samba3 print server.. DNS
> FlatFile,, All dns works..
>
> Issue, When I browse to the print Server vi \\IP-Address I am able to
> connect just fine.. When I browse using \\netbios-name I connect to the
> server but it opens up a username/pass dialog box and no name or
> passwords will work..
>
> wbinfo -g / -u work fine.. getent passwd/group works perfectly..
> I get the following snippet in the log file.. With smb.conf and
> krb5.conf following that..
>
>
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2012/05/04 11:45:29, 3]
> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
> Doing spnego session setup
> [2012/05/04 11:45:29, 3]
> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
> reply_spnego_negotiate: Got secblob of size 1619
> [2012/05/04 11:45:29, 3]
> libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> [2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2012/05/04 11:45:29, 3] smbd/process.c:1459(process_smb)
> Transaction 2 of length 1764 (0 toread)
> [2012/05/04 11:45:29, 3] smbd/process.c:1273(switch_message)
> switch message SMBsesssetupX (pid 14493) conn 0x0
> [2012/05/04 11:45:29, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
> wct=12 flg2=0xc807
> [2012/05/04 11:45:29, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2012/05/04 11:45:29, 3]
> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
> Doing spnego session setup
> [2012/05/04 11:45:29, 3]
> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
> reply_spnego_negotiate: Got secblob of size 1619
> [2012/05/04 11:45:29, 3]
> libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> [2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2012/05/04 11:45:29, 3] smbd/process.c:1459(process_smb)
> Transaction 3 of length 1764 (0 toread)
> [2012/05/04 11:45:29, 3] smbd/process.c:1273(switch_message)
> switch message SMBsesssetupX (pid 14493) conn 0x0
> [2012/05/04 11:45:29, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
> wct=12 flg2=0xc807
> [2012/05/04 11:45:29, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2012/05/04 11:45:29, 3]
> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
> Doing spnego session setup
> [2012/05/04 11:45:29, 3]
> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
> reply_spnego_negotiate: Got secblob of size 1619
> [2012/05/04 11:45:29, 3]
> libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> [2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
>
>
> SMB.CONF
> [global]
> workgroup = ASTROINTERNAL
> realm = ASTROINTERNAL.COM
> preferred master = no
> server string = Linux Test Machine
> security = ADS
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 50
> printcap name = cups
> printing = cups
> allow trusted domains = yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> winbind separator = +
> #idmap backend = "ASTROINTERNAL=10000-19999"
> idmap uid = 1000-20000
> idmap gid = 1000-20000
> ;template primary group = "Domain Users"
> template shell = /bin/bash
>
> KRB5.CONF
> [libdefaults]
> default_realm = ASTROINTERNAL.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [realms]
> ASTROINTERNAL.COM = {
> kdc = astrodc1.astrointernal.com
> admin_server = astrodc1.astrointernal.com
> default_domain = astroshapes.com
> }
>
> [domain_realm]
> .astrointernal.com = ASTROINTERNAL.COM
> astrointernal.com = ASTROINTERNAL.COM
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>




More information about the samba mailing list