Hello. I'm having difficulty running kerberized samba on my Linux box in my Windows ADS domain. Specifically, smbclient -k //server/share fails with a "session setup failed: NT_STATUS_LOGON_FAILURE" error message. I ran smbd with -d 3 debugging verbosity, and the following came out on stdout/stderr. I marked the interesting lines with ***'s:

# smbd -i -d 3
get_current_groups: user is in 16 groups: 0, 1, 2, 3, 4, 6, 10, 12, 7, 4, 9, 6, 5, 3, 2, 8
smbd version 3.0.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
uid=0 gid=0 euid=0 egid=0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[al]"
adding IPC service
adding IPC service
added interface ip=10.50.195.251 bcast=10.50.199.255 nmask=255.255.248.0
loaded services
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
start_background_queue: Starting background LPQ thread
waiting for a connection
open_oplock_ipc: opening loopback UDP socket.
Linux kernel oplocks enabled
open_oplock ipc: pid = 7353, global_oplock_port = 32836
Transaction 0 of length 183
switch message SMBnegprot (pid 7353) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [Samba]
using SPNEGO
Selected protocol NT LANMAN 1.0
Transaction 1 of length 2054
switch message SMBsesssetupX (pid 7353) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
Got OID 1 2 840 48018 1 2 2
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 1914
*** ads_keytab_verify_ticket: krb5_kt_next_entry failed (Bad encryption type)
*** ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
*** ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
*** Failed to verify incoming ticket!
*** error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
timeout_processing: End of file from client (client has disconnected).
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to
Server exit (normal exit)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to
yield_connection: tdb_delete for name failed with error Record does not exist.

In case it will provide any hints, I will also provide the ticket cache on the machine running smbclient and the keytab contents on the machine with the share:

[lnx251 samba]# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/lnx251.company.com@NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 host/lnx251.company.com@NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 host/lnx251.company.com@NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/lnx251.company.com@NA.COMPANY.COM (ArcFour with HMAC/md5)
   3 host/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with CRC-32)
   3 host/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD5)
   3 host/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD4)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (ArcFour with HMAC/md5)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with CRC-32)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD5)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD4)
   3 host/lnx251@NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 host/lnx251@NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 host/lnx251@NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/lnx251@NA.COMPANY.COM (ArcFour with HMAC/md5)
   3 host/lnx251@NA.COMPANY.COM (DES cbc mode with CRC-32)
   3 host/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD5)
   3 host/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD4)
   3 cifs/lnx251@NA.COMPANY.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 cifs/lnx251@NA.COMPANY.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 cifs/lnx251@NA.COMPANY.COM (Triple DES cbc mode with HMAC/sha1)
   3 cifs/lnx251@NA.COMPANY.COM (ArcFour with HMAC/md5)
   3 cifs/lnx251@NA.COMPANY.COM (DES cbc mode with CRC-32)
   3 cifs/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD5)
   3 cifs/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD4)
------------------------------------------------------------

al@lnx135.company.com/home/al> klist -e
Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
Default principal: al@NA.COMPANY.COM

Valid starting     Expires            Service principal
10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5

Kerberos 4 ticket cache: /tmp/tkt6568
klist: You have no tickets cached
-----------------------------------------

Finally, a few notes about my setup:

o Linux boxen are NOT in DNS, but in hosts files/maps... FQDN first, then short hostnames
o The machine with the share is a member of the domain, thanks to net ads join... I had to use Microsoft's setspn.exe to add service principal names, though, because when the machine joined the domain, the SPNs were host/lnx251.na.company.com instead of host/lnx251.company.com, etc. Afterwards, the keytab was populated with 'net ads keytab'.
o samba-3.0.7
o krb5-workstation-1.3.4
o RedHat Enterprise Linux Workstation 3.0 on both machines
o Windows Server 2003 as the ADS server

If anyone has any suggestions or ideas that could help me, I would truly appreciate it. Also, if there's anything else I should provide, let me know.

Thank you very much,
Al
Doug VanLeuven
2004-Oct-27 18:12 UTC
[Samba] Samba kerberos authentication issues with samba 3.0.7
>*** ads_keytab_verify_ticket: krb5_kt_next_entry failed (Bad encryption type)
>*** ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
>*** ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
>*** Failed to verify incoming ticket!
>*** error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)

enctype 3 is DES_CBC_MD5
#define ENCTYPE_DES_CBC_MD5 0x0003 /* DES cbc mode with RSA-MD5 */

>al@lnx135.company.com/home/al> klist -e
>Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
>Default principal: al@NA.COMPANY.COM
>
>Valid starting     Expires            Service principal
>10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM@NA.COMPANY.COM
>        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
>        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
>

Verified: lnx251$ is using des-cbc-md5.

There are some issues with using des-cbc-md5 where the DNS domain is not the same as the REALM domain DNS. The salt used by MS will not be the same as the salt used on the Linux box. You need to get to rc4-hmac for authentication, which doesn't use a salt.

You probably have a userAccountControl defined like this:

userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY );

Subtract 0x200000 (2097152 dec) from the field using adsiedit.msc. Then the MS KDC will use rc4-hmac instead of DES encryption. Make sure the KDC ticket cache is flushed of any reference to the DES ticket and try again.

However, if you didn't add the UF_USE_DES_KEY_ONLY, then samba added it automatically because samba thinks you don't have rc4-hmac available.

libads/ldap.c line 1392 svn 2929
#ifndef ENCTYPE_ARCFOUR_HMAC
        acct_control |= UF_USE_DES_KEY_ONLY;
#endif

So the compiled version of samba you have would have been compiled against a version of kerberos that didn't have rc4-hmac available. No way out of that except to recompile samba against your current kerberos or get a different pre-compiled binary.

>o Linux boxen are NOT in DNS, but in hosts files/maps... FQDN first, then short hostnames
>o The machine with the share is a member of the domain, thanks to net ads join... I had to use Microsoft's setspn.exe to add service principal names, though, because when the machine joined the domain, the SPNs were host/lnx251.na.company.com instead of host/lnx251.company.com, etc. Afterwards, the keytab was populated with 'net ads keytab'.
>

For the instance of DNS domain != REALM, I have to add the SPN for host/fqdn like you did. I also had to add a DNS record for lnx251.na.company.com for the MS KDC as well as the lnx251.company.com for the Linux box, forward and reverse lookups. Never tried it with hosts files, but c:\winnt\system32\drivers\etc\hosts would need the lnx251.na.company.com.

Regards,
Doug
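To make the diagnosis in this thread checkable, here is an added example (my own Python, not code from the thread or from Samba) that decodes the userAccountControl bits Doug names, computes the value with UF_USE_DES_KEY_ONLY cleared, and compares the enctype of each service ticket in klist -e output against the enctypes the keytab holds in klist -k -e output. The two listings embedded in the block are constructed to mirror the ones Al posted, trimmed to a few entries; the enctype display strings are MIT klist's, the enctype numbers are those of RFC 3961/4757, and the flag values are the documented AD constants. The "suspect_des_only_flag" finding is the pattern Doug describes: a DES-encrypted service ticket while the keytab already carries RC4-HMAC keys.

```python
"""Added example: check a Kerberos ticket's enctype against a keytab and
decode the AD userAccountControl flags discussed in the thread.
"""
import re

# userAccountControl bits (MS-ADTS); the three named in Doug's reply.
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000
UAC_FLAG_NAMES = {
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_USE_DES_KEY_ONLY: "UF_USE_DES_KEY_ONLY",
}

# Enctype display names as printed by MIT klist -e -> RFC 3961/4757 numbers.
ENCTYPE_BY_NAME = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD4": 2,
    "DES cbc mode with RSA-MD5": 3,
    "Triple DES cbc mode with HMAC/sha1": 16,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18,
    "ArcFour with HMAC/md5": 23,
}
DES_ENCTYPES = {1, 2, 3}
RC4_HMAC = 23


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def clear_des_only(value):
    """The fix from the thread: clear UF_USE_DES_KEY_ONLY (0x200000)."""
    return value & ~UF_USE_DES_KEY_ONLY


KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_keytab(text):
    """Map each principal in `klist -k -e` output to the set of enctype numbers it has."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            _kvno, principal, enc_name = m.groups()
            entries.setdefault(principal, set()).add(ENCTYPE_BY_NAME[enc_name])
    return entries


TICKET_LINE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)")


def parse_ticket_cache(text):
    """Map each service principal in `klist -e` output to its ticket (tkt) enctype number."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_LINE.match(line.strip())
        if m:
            current = m.group(1)          # service principal on the ticket line
            continue
        if current and "Etype (skey, tkt):" in line:
            _skey, tkt = [s.strip() for s in line.split("Etype (skey, tkt):")[1].split(",")]
            tickets[current] = ENCTYPE_BY_NAME[tkt]
            current = None
    return tickets


def diagnose(keytab_text, cache_text):
    """One finding per non-TGT ticket: does the keytab hold a key that can decrypt it?"""
    keytab = parse_keytab(keytab_text)
    keytab_has_rc4 = any(RC4_HMAC in encs for encs in keytab.values())
    findings = []
    for service, etype in parse_ticket_cache(cache_text).items():
        if service.startswith("krbtgt/"):
            continue
        findings.append({
            "service": service,
            "ticket_enctype": etype,
            "ticket_is_des": etype in DES_ENCTYPES,
            "keytab_has_principal": service in keytab,
            "keytab_has_enctype": etype in keytab.get(service, set()),
            # DES ticket although RC4-HMAC keys exist: the UF_USE_DES_KEY_ONLY pattern.
            "suspect_des_only_flag": etype in DES_ENCTYPES and keytab_has_rc4,
        })
    return findings


# Constructed sample listings, trimmed from the shape of the ones in the thread.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 cifs/lnx251.company.com@NA.COMPANY.COM (ArcFour with HMAC/md5)
   3 cifs/lnx251.company.com@NA.COMPANY.COM (DES cbc mode with RSA-MD5)
   3 cifs/lnx251@NA.COMPANY.COM (ArcFour with HMAC/md5)
   3 cifs/lnx251@NA.COMPANY.COM (DES cbc mode with RSA-MD5)
"""
SAMPLE_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_6568_dIutT5
Default principal: al@NA.COMPANY.COM

Valid starting     Expires            Service principal
10/26/04 23:18:14  10/27/04 09:18:14  krbtgt/NA.COMPANY.COM@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/26/04 23:18:26  10/27/04 00:18:26  lnx251$@NA.COMPANY.COM
        renew until 10/27/04 00:18:14, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
"""

if __name__ == "__main__":
    uac = 0x211000
    print("userAccountControl 0x%x = %s" % (uac, " | ".join(decode_uac(uac))))
    print("with UF_USE_DES_KEY_ONLY cleared: 0x%x" % clear_des_only(uac))
    for f in diagnose(SAMPLE_KEYTAB, SAMPLE_CACHE):
        print(f)
```

To run it against a real system, save klist -k -e and klist -e output to two files and pass their contents to diagnose(); the block runs offline on the embedded sample as written. The keytab_has_principal field is reported so the reader can see whether the service name the KDC put on the ticket (here the computer account lnx251$) corresponds to any principal the keytab was populated with.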