Samba refusing connection after machine account password change
Dave Daugherty
dave.daugherty at centrify.com
Thu Mar 24 10:52:14 MDT 2011
We too are currently investigating perhaps the same issue.
So far our theory is that ads_keytab_verify_ticket does not always find previous kvno password hashes
Did you try flushing the Kerberos tickets on the client side to see if it clears up the problem? If it's a windows client you can use
Klist.exe or kerbtray.exe or logout and log back on. If it's a Unix client use kdestroy to flush tickets
You can dump your keytab file using klist -kte to see what password hashes currently exist.
Regards
Dave Daugherty
Centrify
-----Original Message-----
From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of jinyunshuai
Sent: Wednesday, March 23, 2011 11:40 PM
To: abartlet at samba.org; samba-technical at samba.org
Subject: Samba refusing connection after machine account password change
Hi all,
Description:
Samba share is refusing a connection after the machine password has been changed.
log.smbd:
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(sol10-build$@ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build.asmb.test at ASMB.TEST) failed: Bad encryption type
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_keytab_verify_ticket(139)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/sol10-build at ASMB.TEST) failed: Wrong principal in request
[2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(185)
ads_keytab_verify_ticket: krb5_rd_req failed for all 160 matched keytab principals
[2011/03/23 17:41:18, 3] libads/kerberos_verify.c:ads_verify_ticket(477)
ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
[2011/03/23 17:41:18, 10] libads/kerberos_verify.c:ads_verify_ticket(486)
ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2011/03/23 17:41:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/03/23 17:41:18, 3] smbd/error.c:error_packet_set(61)
error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
I have already set following options:
use kerberos keytab = Yes
Can somebody tell me how to make samba work well after machine account password change?
thanks in advance.
More information about the samba-technical
mailing list