Jet Wilda
2006-Mar-09 03:03 UTC
[Samba] Something Strange: All my Samba servers stopped working.
David A. Morrow wrote:>Hi all. I wonder if someone might be able to help with an issue whichhas recently begun plaguing >my network. All of my Linux machines are configured as domain member of a Windows 2000 Active Directory domain. Up until recently, all of these boxes were working correctly but all of a sudden, they have all stopped. All are Redhat Enterprise 3. All are using security=ads>Does anyone know if maybe a recent security patch has caused issueswith Samba? I have the same issue. In /var/log/samba/ there is log files with the ip of the machine trying to connect to the samba share and in that file is: [2006/03/08 09:21:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket! It seems to be a kerberos issue, though it was working before so I'm not sure what changed or how to fix it. David did you ever figure this one out? Or does anyone else know how to fix this? Redhat ES 3 update 6 with: samba-common-3.0.9-1.3E.5 samba-3.0.9-1.3E.5 samba-client-3.0.9-1.3E.5 krbafs-devel-1.1.1-11 krbafs-1.1.1-11 krb5-devel-1.2.7-47 krbafs-utils-1.1.1-11 pam_krb5-1.77-1 krb5-libs-1.2.7-47 krb5-workstation-1.2.7-47 TIA Jet
Gerald (Jerry) Carter
2006-Mar-09 16:08 UTC
[Samba] Something Strange: All my Samba servers stopped working.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jet Wilda wrote:> I have the same issue. In /var/log/samba/ there is log files with the > ip of the machine trying to connect to the samba share and in that file > is: > > [2006/03/08 09:21:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) > Failed to verify incoming ticket! > > It seems to be a kerberos issue, though it was working before so I'm not > sure what changed or how to fix it. > > David did you ever figure this one out? Or does anyone else know how to > fix this?Did someone upgrade your dc's to 2003 perhaps? The MIT krb 1.2 libs only share two DES enctypes with AD. Also there's the UDP vs. TCP issues when AS_REP replies won't fit in a single udp reply. cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEEFKwIR7qMdg1EfYRAqDoAKDDD1Ox2vsyOKaMav9zy5iqGF37dgCfWfH+ 4JydhUUhKywf5LpFWB82N9Y=18o/ -----END PGP SIGNATURE-----
Jet Wilda
2006-Mar-10 00:49 UTC
[Samba] Something Strange: All my Samba servers stopped working.
> Gerald (Jerry) Carter wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Jet Wilda wrote: > > > I have the same issue. In /var/log/samba/ there is log > files with the > > ip of the machine trying to connect to the samba share and in that > > file > > is: > > > > [2006/03/08 09:21:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) > > Failed to verify incoming ticket! > > > > It seems to be a kerberos issue, though it was working > before so I'm > > not sure what changed or how to fix it. > > > > David did you ever figure this one out? Or does anyone > else know how > > to fix this? > > Did someone upgrade your dc's to 2003 perhaps? The MIT krb > 1.2 libs only share two DES enctypes with AD. Also there's > the UDP vs. TCP issues when AS_REP replies won't fit in a > single udp reply. > >Nope. Were still on 2000 for the DC's. It is strange because it is still working for some users. So some users can mount the samba share and the others can not. The ones that can't just keep getting asked for username and password and nothing works. Though they can mount the drives if they use the ip of the machine. As far as I know the only thing that I changed is that I updated the linux box, though there wasn't any samba updates. Here is the list of packages that were updated on Redhat ES 3 update 6: --------------------- up2date Begin ------------------------ Package Installed: ['kernel-2.4.21-37.0.1.EL', 'kernel-doc-2.4.21-37.0.1.EL', 'kernel-source-2.4.21-37.0.1.EL'] ['ImageMagick-5.5.6-18', 'ImageMagick-perl-5.5.6-18', 'cups-1.1.17-13.3.36', 'cups-libs-1.1.17-13.3.36', 'ethereal-0.10.14-1.EL3.1', 'ethereal-gnome-0.10.14-1.EL3.1', 'httpd-2.0.46-56.ent', 'httpd-devel-2.0.46-56.ent', 'mod_auth_pgsql-2.0.1-4.ent.1', 'mod_ssl-2.0.46-56.ent', 'mozilla-1.7.12-1.1.3.4', 'mozilla-chat-1.7.12-1.1.3.4', 'mozilla-dom-inspector-1.7.12-1.1.3.4', 'mozilla-js-debugger-1.7.12-1.1.3.4', 'mozilla-mail-1.7.12-1.1.3.4', 'mozilla-nspr-1.7.12-1.1.3.4', 'mozilla-nss-1.7.12-1.1.3.4', 'tar-1.13.25-14.RHEL3', 'tetex-1.0.7-67.9', 'tetex-afm-1.0.7-67.9', 'tetex-dvips-1.0.7-67.9', 'tetex-fonts-1.0.7-67.9', 'tetex-latex-1.0.7-67.9', 'tetex-xdvi-1.0.7-67.9'] Package Added To Profile: ['kernel-2.4.21-37.0.1.EL', 'kernel-doc-2.4.21-37.0.1.EL', 'kernel-source-2.4.21-37.0.1.EL'] ['ImageMagick-5.5.6-18', 'ImageMagick-perl-5.5.6-18', 'cups-1.1.17-13.3.36', 'cups-libs-1.1.17-13.3.36', 'ethereal-0.10.14-1.EL3.1', 'ethereal-gnome-0.10.14-1.EL3.1', 'httpd-2.0.46-56.ent', 'httpd-devel-2.0.46-56.ent', 'mod_auth_pgsql-2.0.1-4.ent.1', 'mod_ssl-2.0.46-56.ent', 'mozilla-1.7.12-1.1.3.4', 'mozilla-chat-1.7.12-1.1.3.4', 'mozilla-dom-inspector-1.7.12-1.1.3.4', 'mozilla-js-debugger-1.7.12-1.1.3.4', 'mozilla-mail-1.7.12-1.1.3.4', 'mozilla-nspr-1.7.12-1.1.3.4', 'mozilla-nss-1.7.12-1.1.3.4', 'tar-1.13.25-14.RHEL3', 'tetex-1.0.7-67.9', 'tetex-afm-1.0.7-67.9', 'tetex-dvips-1.0.7-67.9', 'tetex-fonts-1.0.7-67.9', 'tetex-latex-1.0.7-67.9', 'tetex-xdvi-1.0.7-67.9'] Package Removed From Profile: ['kernel-doc-2.4.21-37.EL', 'kernel-source-2.4.21-37.EL'] ['ImageMagick-5.5.6-15', 'ImageMagick-perl-5.5.6-15', 'cups-1.1.17-13.3.34', 'cups-libs-1.1.17-13.3.34', 'ethereal-0.10.13-1.EL3.1', 'ethereal-gnome-0.10.13-1.EL3.1', 'httpd-2.0.46-54.ent', 'httpd-devel-2.0.46-54.ent', 'mod_auth_pgsql-2.0.1-4.ent', 'mod_ssl-2.0.46-54.ent', 'mozilla-1.7.12-1.1.3.2', 'mozilla-chat-1.7.12-1.1.3.2', 'mozilla-dom-inspector-1.7.12-1.1.3.2', 'mozilla-js-debugger-1.7.12-1.1.3.2', 'mozilla-mail-1.7.12-1.1.3.2', 'mozilla-nspr-1.7.12-1.1.3.2', 'mozilla-nss-1.7.12-1.1.3.2', 'tar-1.13.25-13', 'tetex-1.0.7-67.7', 'tetex-afm-1.0.7-67.7', 'tetex-dvips-1.0.7-67.7', 'tetex-fonts-1.0.7-67.7', 'tetex-latex-1.0.7-67.7', 'tetex-xdvi-1.0.7-67.7'] **Unmatched Entries** Unable to import repomd support so repomd support will not be available Unable to import repomd support so repomd support will not be available Modifying bootloader config to include the new kernel info Adding 2.4.21-37.0.1.EL to bootloader config Adding 2.4.21-37.0.1.EL to bootloader config Installing the kernel via grub Running /sbin/grubby --default-kernel ---------------------- up2date End ------------------------- And here is the samba and kerberos versions I have: samba-common-3.0.9-1.3E.5 samba-3.0.9-1.3E.5 samba-client-3.0.9-1.3E.5 krbafs-devel-1.1.1-11 krbafs-1.1.1-11 krb5-devel-1.2.7-47 krbafs-utils-1.1.1-11 pam_krb5-1.77-1 krb5-libs-1.2.7-47 krb5-workstation-1.2.7-47 Jet