[Samba] gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]

Noël Köthe noel.koethe at credativ.de
Tue Aug 7 11:11:32 UTC 2018


Hello,

My fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9),
connected to an AD with one Windows DC and one Samba DC, gets the
following error every 10 seconds:

[2018/08/07 12:52:15.351515,  1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]
[2018/08/07 12:52:15.351565,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/08/07 12:52:15.351609,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE

Maybe somebody could give me a hint as to what is broken here and how to fix it.
I tried to fix it with a rejoin to the AD but that didn't help.

The configuration:

/etc/krb5.conf
[libdefaults]
        default_realm = MYDOMAIN.DE

        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        forwardable = yes

/etc/samba/smb.conf
[global]
   netbios name = SERVER
   workgroup = MYDOMAIN
   security = ADS
   realm = MYDOMAIN.DE

   log level = 2 smb:4 winbind:4

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 500-40000
   idmap_ldb use:rfc2307 = Yes
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind max clients = 300
   winbind refresh tickets = Yes
   template homedir = /srv/samba/users/%U
   template shell = /bin/bash
#   username map = /etc/samba/smbusermap

   wins server = 10.1.1.72
   dns proxy = yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   server min protocol = SMB2

[homes]
   comment = Home Directories
   browseable = yes
...
only more shares follow

Thank you!

-- 
Have a nice day

        Noël Köthe
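
Added example, not part of the original post and not Samba code: a small Python parser for the two-line log records quoted above that picks out the gss_accept_sec_context failures and measures how regularly they recur. The sample log is constructed (its first two records are copied from the post, the later timestamps are invented to match the 10-second interval described), and the function names are hypothetical.

```python
import re
from datetime import datetime
from statistics import median

# Header line of a Samba log record: [timestamp, level] file:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

def parse_records(text):
    """Yield one dict per record; indented continuation lines become 'msg'."""
    rec = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if rec:
                yield rec
            rec = {**m.groupdict(), "msg": ""}
            rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S.%f")
        elif rec is not None and raw.startswith(" "):
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    if rec:
        yield rec

def kerberos_accept_failures(text):
    """Timestamps of gss_accept_sec_context failures logged from gse.c."""
    return [r["ts"] for r in parse_records(text)
            if r["func"] == "gse_get_server_auth_token"
            and "gss_accept_sec_context failed" in r["msg"]]

def failure_period_seconds(timestamps):
    """Median gap between consecutive failures, or None if fewer than two."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return median(gaps) if gaps else None

# Constructed sample: first two records are from the post, the repeats are invented.
SAMPLE = """\
[2018/08/07 12:52:15.351515,  1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]
[2018/08/07 12:52:15.351565,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/08/07 12:52:25.352101,  1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]
[2018/08/07 12:52:35.350988,  1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]
"""

print("median gap (s):", failure_period_seconds(kerberos_accept_failures(SAMPLE)))
```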