samba - Jun 2003 - My Samba 3.0beta1 stopped working as ADS member

I had a working Samba 3.0beta1 as ADS member of a W2003 server.
My w2000 client could log in to the W2003 server and use services on
Samba (home directory).

Winbind is working.

So I tried to re-do all my work again.

And suddenly the w2k can use any services on Samba anymore.

The output from the logfile tells me it's kerberos problem:
[2003/06/18 08:35:03, 3] libads/kerberos_verify.c:(126)
  krb5_rd_req with auth failed (Bad encryption type)
[2003/06/18 08:35:03, 1] smbd/sesssetup.c:(175)
  Failed to verify incoming ticket!
[2003/06/18 08:35:03, 3] smbd/error.c:(94)
  error string = No such file or directory

Winbind/wbinfo works as it should.

I know what problem it is, but not WHY and not HOW to fix it ?

/Patrik

-- 
"In a world without fences who needs Gates"
Patrik Gustavsson, Senior Technical Consultant
patrik.gustavsson@sun.com     Telephone: +46 60 671540
http://glen.sweden            Mobile: +46 70 3551040
SUN MICROSYSTEMS              Fax: +46 60 671550
--------------------------------------------------------------

On Wed, 2003-06-18 at 16:44, Patrik Gustavsson PS Sweden Senior
Technical Consultant wrote:
> 
> I had a working Samba 3.0beta1 as ADS member of a W2003 server.
> My w2000 client could log in to the W2003 server and use services on
> Samba (home directory).
> 
> Winbind is working.
> 
> So I tried to re-do all my work again.
> 
> And suddenly the w2k can use any services on Samba anymore.
> 
> The output from the logfile tells me it's kerberos problem:
> [2003/06/18 08:35:03, 3] libads/kerberos_verify.c:(126)
>   krb5_rd_req with auth failed (Bad encryption type)
> [2003/06/18 08:35:03, 1] smbd/sesssetup.c:(175)
>   Failed to verify incoming ticket!
> [2003/06/18 08:35:03, 3] smbd/error.c:(94)
>   error string = No such file or directory
> 
> Winbind/wbinfo works as it should.
> 
> I know what problem it is, but not WHY and not HOW to fix it ?
The user you are using has not had their password changed since Win2k
installation/AD upgrade.   This means that they only have their 'type
23' encryption type - the type that is based on the NT4 password.

If you change the password, it should work.  The proper solution is to
compile with MIT Krb5 1.3, or a recent Heimdal kerberos.  These versions
support the new encryption type, and should allow it to work out of the
box.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20030618/9c84e1f5/attachment.bin