samba@fredsnet.org
2004-Oct-25 21:48 UTC
[Samba] -failed to verify ticket-, smb-3.0.7, mit krb5 1.3.1
Hi everyone,

I've done a lot of reading on this issue over the last couple of days.

I had a "Red Hat Linux release 9 (Shrike)" box running 3.0.3a and the stock Red Hat krb5 package, and it was authenticating against a w2k AD domain (over which I have very little control save for my little OU). Things were working OK, but I wanted to update it to the new bug-fixed versions.

!!!!important!!! My AD environment was upgraded from w2k to w2k3 in the past 4 months. !!!!!!!!!

I uninstalled samba and krb, then compiled samba 3.0.7 and MIT kerberos 1.3.5 from sources and had the issues described below. I uninstalled them both and cleaned out the cache files, the tdb's, etc. I installed the package from samba's ftp site, and the krb5 package that Jerry has in his ftp space.

Here's what I found...

I was able to join the domain, do all the wbinfo's, do all the getent's, do all the net ads *** and return valid data from the ADS.

I am able to see the share from my "w2k pro sp4" box by using the samba server's fqdn or IP address. If I don't use the fqdn or IP, I get the "failed to verify incoming ticket" in the log.

Now the interesting (I think) part: I can access the share from an XP pro box using the netbios name, whereas with a fully patched 2kpro box, I have to use the fqdn or IP.

Any thoughts???

Here are my config files. Also check out the little snippets of log files; there I get a different logfile name from my win2k box if I use the IP than I do if I use the netbios name of the server.
#############smb.conf#################
# Global parameters
[global]
	workgroup = US
	realm = US.RAY.COM
	server string = Samba 3.02a Server
	interfaces = eth0
	security = ADS
	auth methods = winbind
	password server = eadc-gc101.us.ray.com
	log file = /var/log/samba/log.%m
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	os level = 5
	preferred master = No
	local master = No
	domain master = No
	browse list = No
	enhanced browsing = No
	dns proxy = No
	wins server = 138.127.100.204
	ldap ssl = no
	socket address
	idmap uid = 70000-200000
	idmap gid = 70000-200000
	winbind separator = +
	valid users = @"us+adc-rfc users",us+dussaulta
	admin users = @"us+adc-it admin"
	read list = @"us+adc-rfc users"
	write list =@"us+adc-site support"
	hosts allow = 138.127.100.0/255.255.252.0
	map acl inherit = Yes

[prod]
	comment = Production Elements
	path = /data/share/prod
	write list = @"us+adc-site support", @"us+adc-fab rf test"
	read only = No

#########################################################
krb5.conf

[libdefaults]
	dns_fallback = true

##############################################
log.winbindd

[2004/10/25 16:52:18, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7 started.
  Copyright The Samba Team 2000-2004
[2004/10/25 16:52:18, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/10/25 17:04:47, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/10/25 17:30:13, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7 started.
  Copyright The Samba Team 2000-2004
[2004/10/25 17:30:14, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)

#################################################
If I connect using the fqdn I get this

log.adc020601-069 <my machine's netbios name (w2kpro sp4 patched.)
(-------------snip--------------------)
[2004/10/25 16:54:17, 1] smbd/service.c:make_connection_snum(648)
  adc020601-069 (138.127.101.159) connect to service prod initially as user US+dussaulta (uid=0, gid=71750) (pid 16977)
[2004/10/25 16:55:28, 1] smbd/service.c:close_cnum(837)
  adc020601-069 (138.127.101.159) closed connection to service prod
[root@eadc-fs004 samba]# more log.adc020601-069
[2004/10/25 16:54:17, 1] smbd/service.c:make_connection_snum(648)
  adc020601-069 (138.127.101.159) connect to service prod initially as user US+dussaulta (uid=0, gid=71750) (pid 16977)
[2004/10/25 16:55:28, 1] smbd/service.c:close_cnum(837)
  adc020601-069 (138.127.101.159) closed connection to service prod
(--------------------snip----------------------)

########################################################
If I try to connect using the server's netbios name I get this

log.138.127.101.159 my win2kpro sp4 box patched

(--------------snip-------------)
[2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/25 17:30:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
(-----------------snip---------------)
#############################################