Noël Köthe
2018-Aug-07 11:11 UTC
[Samba] gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]
Hello,

my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9) connected to an AD with one Windows DC and one Samba DC gets the following error every 10 seconds:

[2018/08/07 12:52:15.351515, 1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]
[2018/08/07 12:52:15.351565, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/08/07 12:52:15.351609, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE

Maybe somebody could give me a hint what is broken here and how to fix it. I tried to fix it with a rejoin to the AD but it didn't help.

The configuration:

/etc/krb5.conf

[libdefaults]
    default_realm = MYDOMAIN.DE
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

/etc/samba/smb.conf

[global]
    netbios name = SERVER
    workgroup = MYDOMAIN
    security = ADS
    realm = MYDOMAIN.DE
    log level = 2 smb:4 winbind:4
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 500-40000
    idmap_ldb use:rfc2307 = Yes
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind max clients = 300
    winbind refresh tickets = Yes
    template homedir = /srv/samba/users/%U
    template shell = /bin/bash
    # username map = /etc/samba/smbusermap
    wins server = 10.1.1.72
    dns proxy = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server min protocol = SMB2

[homes]
    comment = Home Directories
    browseable = yes
    ...

only more shares follow

Thank you!

-- 
Have a nice day
Noël Köthe