[Samba] s3 connect to s4 ads woes, need guidance..

Aaron E. ssureshot at gmail.com
Fri May 4 14:17:03 MDT 2012


I found the issue was with Kerberos. I compiled Kerberos from source 
and linked s3 to it, set everything up, and it works (found this 
resolution through Google).

I assume that I'll have to do this since Ubuntu doesn't update their 
packages.. LTS my arse!! Might be time to switch server distros as I 
run across this more and more as time goes on..


On 05/04/2012 11:54 AM, Aaron E. wrote:
> I would like to add that kinit works just fine also..
>
> On 05/04/2012 11:51 AM, Aaron E. wrote:
>> I'm beating my head up against the wall here.. Need some extra eyes!!!
>>
>> Setup -- Samba4 Domain Controller and Samba3 print server.. DNS
>> flat file, all DNS works..
>>
>> Issue: when I browse to the print server via \\IP-Address I am able to
>> connect just fine.. When I browse using \\netbios-name I connect to the
>> server but it opens up a username/pass dialog box and no name or
>> passwords will work..
>>
>> wbinfo -g / -u work fine.. getent passwd/group works perfectly..
>> I get the following snippet in the log file.. With smb.conf and
>> krb5.conf following that..
>>
>>
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2012/05/04 11:45:29, 3]
>> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
>> Doing spnego session setup
>> [2012/05/04 11:45:29, 3]
>> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
>> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
>> reply_spnego_negotiate: Got secblob of size 1619
>> [2012/05/04 11:45:29, 3]
>> libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
>> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
>> Decrypt integrity check failed
>> [2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>> [2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
>> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> [2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
>> error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
>> NT_STATUS_LOGON_FAILURE
>> [2012/05/04 11:45:29, 3] smbd/process.c:1459(process_smb)
>> Transaction 2 of length 1764 (0 toread)
>> [2012/05/04 11:45:29, 3] smbd/process.c:1273(switch_message)
>> switch message SMBsesssetupX (pid 14493) conn 0x0
>> [2012/05/04 11:45:29, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
>> wct=12 flg2=0xc807
>> [2012/05/04 11:45:29, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2012/05/04 11:45:29, 3]
>> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
>> Doing spnego session setup
>> [2012/05/04 11:45:29, 3]
>> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
>> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
>> reply_spnego_negotiate: Got secblob of size 1619
>> [2012/05/04 11:45:29, 3]
>> libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
>> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
>> Decrypt integrity check failed
>> [2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>> [2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
>> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> [2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
>> error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
>> NT_STATUS_LOGON_FAILURE
>> [2012/05/04 11:45:29, 3] smbd/process.c:1459(process_smb)
>> Transaction 3 of length 1764 (0 toread)
>> [2012/05/04 11:45:29, 3] smbd/process.c:1273(switch_message)
>> switch message SMBsesssetupX (pid 14493) conn 0x0
>> [2012/05/04 11:45:29, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
>> wct=12 flg2=0xc807
>> [2012/05/04 11:45:29, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2012/05/04 11:45:29, 3]
>> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
>> Doing spnego session setup
>> [2012/05/04 11:45:29, 3]
>> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
>> [2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
>> reply_spnego_negotiate: Got secblob of size 1619
>> [2012/05/04 11:45:29, 3]
>> libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
>> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
>> Decrypt integrity check failed
>> [2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>> [2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
>> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> [2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
>> error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
>> NT_STATUS_LOGON_FAILURE
>>
>>
>> SMB.CONF
>> [global]
>> workgroup = ASTROINTERNAL
>> realm = ASTROINTERNAL.COM
>> preferred master = no
>> server string = Linux Test Machine
>> security = ADS
>> encrypt passwords = yes
>> log level = 3
>> log file = /var/log/samba/%m.log
>> max log size = 50
>> printcap name = cups
>> printing = cups
>> allow trusted domains = yes
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>> winbind separator = +
>> #idmap backend = "ASTROINTERNAL=10000-19999"
>> idmap uid = 1000-20000
>> idmap gid = 1000-20000
>> ;template primary group = "Domain Users"
>> template shell = /bin/bash
>>
>> KRB5.CONF
>> [libdefaults]
>> default_realm = ASTROINTERNAL.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [realms]
>> ASTROINTERNAL.COM = {
>> kdc = astrodc1.astrointernal.com
>> admin_server = astrodc1.astrointernal.com
>> default_domain = astroshapes.com
>> }
>>
>> [domain_realm]
>> .astrointernal.com = ASTROINTERNAL.COM
>> astrointernal.com = ASTROINTERNAL.COM
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>
>
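An added example, not part of the original post: a small parser for the Samba 3 debug log format quoted above that re-joins mail-wrapped headers and counts Kerberos ticket decrypt failures per encryption type. The function names (`parse_records`, `kerberos_failures`) are hypothetical, and the sample lines are copied from the quoted log.

```python
import re
from collections import Counter

QUOTE = re.compile(r"^(?:>\s?)+")                       # mail quote markers
STAMP_ONLY = re.compile(r"^(\[\d{4}/\d\d/\d\d [\d:]+,\s*\d+\])\n", re.M)
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)$")
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
# Kerberos encryption type numbers (subset of the IANA registry).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Sample input: lines copied from the log quoted above, mail wrapping included.
SAMPLE = """\
>> [2012/05/04 11:45:29, 3]
>> libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
>> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
>> Decrypt integrity check failed
>> [2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>> [2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
>> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""

def parse_records(text):
    """Yield (function, level, message) for each Samba debug record."""
    lines = [QUOTE.sub("", l).strip() for l in text.splitlines()]
    # Re-join headers that the mailer split after the "[timestamp, level]" part.
    unwrapped = STAMP_ONLY.sub(r"\1 ", "\n".join(lines))
    func, level, body = None, None, []
    for line in unwrapped.splitlines():
        m = HEADER.match(line)
        if m:
            if func:
                yield func, level, " ".join(body)
            func, level, body = m.group(5), int(m.group(2)), []
        elif func and line:
            body.append(line)
    if func:
        yield func, level, " ".join(body)

def kerberos_failures(text):
    """Count service-ticket decrypt failures per (enctype name, error text)."""
    counts = Counter()
    for func, _level, msg in parse_records(text):
        m = ENC_FAIL.search(msg)
        if func == "ads_secrets_verify_ticket" and m:
            etype = int(m.group(1))
            counts[(ENCTYPES.get(etype, f"etype-{etype}"), m.group(2).strip())] += 1
    return counts
```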



