[Samba] One of our users cannot connect to Samba-shares

Masopust, Christian christian.masopust at siemens.com
Mon Apr 22 09:30:41 MDT 2013 

Hi all,

we here have a user that got a new Windows 7 client (before he had Windows XP) and now is no longer able
to connect to our Samba shares. Testing his client with another account has proven that the client is not the
problem, other user can connect. Also testing the user on another (Windows 7) client gave the result that the
user is not allowed to access.

Running Samba with different log levels (up to 99 :)) first show only a simple

"[2013/04/22 13:10:18.503496,  1, pid=13437, effective(0, 0), real(0, 0)] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!"

Increasing the debug level then gave:

....
[2013/04/22 14:18:28.769410, 10, pid=23552, effective(0, 0), real(0, 0)] smbd/sesssetup.c:1150(check_spnego_blob_complete)
  check_spnego_blob_complete: needed_len = 21149, pblob->length = 16460
[2013/04/22 14:18:28.769454,  3, pid=23552, effective(0, 0), real(0, 0)] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(1317) cmd=115 (SMBsesssetupX) NT_STATUS_MORE_PROCESSING_REQUIRED
.....
[2013/04/22 14:18:28.800264, 10, pid=23552, effective(0, 0), real(0, 0)] smbd/sesssetup.c:1053(check_spnego_blob_complete)
  check_spnego_blob_complete: pad->partial_data.length = 16460, pad->needed_len = 4689, copy_len = 16460, pblob->length = 16460,
.....
[2013/04/22 14:18:28.800603,  3, pid=23552, effective(0, 0), real(0, 0)] smbd/sesssetup.c:806(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 21071
[2013/04/22 14:18:28.801778,  3, pid=23552, effective(0, 0), real(0, 0)] libads/kerberos_verify.c:391(ads_secrets_verify_ticket)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error ASN.1 structure is missing a required field
[2013/04/22 14:18:28.801969,  3, pid=23552, effective(0, 0), real(0, 0)] libads/kerberos_verify.c:391(ads_secrets_verify_ticket)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error ASN.1 structure is missing a required field
[2013/04/22 14:18:28.802129,  3, pid=23552, effective(0, 0), real(0, 0)] libads/kerberos_verify.c:391(ads_secrets_verify_ticket)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error ASN.1 structure is missing a required field
[2013/04/22 14:18:28.802179,  3, pid=23552, effective(0, 0), real(0, 0)] libads/kerberos_verify.c:589(ads_verify_ticket)
  ads_verify_ticket: krb5_rd_req with auth failed (ASN.1 structure is missing a required field)
[2013/04/22 14:18:28.802221, 10, pid=23552, effective(0, 0), real(0, 0)] libads/kerberos_verify.c:598(ads_verify_ticket)
  ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2013/04/22 14:18:28.802284,  1, pid=23552, effective(0, 0), real(0, 0)] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

So.... where is the problem with this special user?   Why is it's "spnego-information" that large (21149 bytes!!) ?

Any idea what we can do further?      (our problem is that we have very restricted access to the active directory...)

Thanks a lot,
Christian

More information about the samba mailing list