Jonathan Johnson
2003-Nov-13 00:06 UTC
[Samba] Client accessing Samba doesn't authenticate against Active Directory
When a Windows client attempts to browse shares on a Samba 3.0 server
authenticating against a Windows 2003 Active Directory domain, it
requests credentials. Typing in user name and password fails.
Basically, I can't even see the shares.
If I give username/password for a user in smbpasswd, then I can browse
the Samba server.
Configuration info:
ADS server: LICENSE
ADS server IP: 192.168.254.201
ADS domain/realm: 3KINGSINC.LOCAL
Windows Server 2003
Samba server: DATASERVER
Samba server IP: 192.168.254.250
RedHat Linux 9, Samba 3.0.0, krb5 1.3.1
successfully joined this to ADS domain
Client: TS
Client IP: 192.168.254.202
Windows Server 2003
is a member server in ADS domain
-----
Output of wbinfo -t:
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
Could not check secret
-----
Output of klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@3KINGSINC.LOCAL
Valid starting     Expires            Service principal
11/12/03 14:18:01  11/13/03 00:18:05  krbtgt/3KINGSINC.LOCAL@3KINGSINC.LOCAL
        renew until 11/13/03 14:18:01
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
-----
Output of kinit administrator@3KINGSINC.LOCAL
Password for administrator@3KINGSINC.LOCAL:<passwd>
[root@dataserver samba]#
-----
Output of kadmin:
Authenticating as principal administrator/admin@3KINGSINC.LOCAL with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
-----
Output of kadmin -p ADMINISTRATOR@3KINGSINC.LOCAL:
Authenticating as principal ADMINISTRATOR@3KINGSINC.LOCAL with password.
Password for ADMINISTRATOR@3KINGSINC.LOCAL:<passwd>
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
-----
Output of smbclient -L license -U Administrator
Password:<passwd>
        Sharename       Type      Comment
        ---------       ----      -------
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        ADMIN$          Disk      Remote Admin
        SYSVOL          Disk      Logon server share
        C$              Disk      Default share

        Server               Comment
        ---------            -------
        DATASERVER           File Storage (BG Samba Server)
        LICENSE
        TS

        Workgroup            Master
        ---------            -------
        3 KINGS              3-I1FQNAK3OL85P
        3KINGSINC            LICENSE
-----
Output of smbclient -L dataserver -U Administrator
Password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
-----
Output of smbclient -k -L license -UAdministrator@3KINGS.LOCAL
[2003/11/12 16:03:45, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!
-----
Interesting lines of /var/log/samba/log.192.168.254.202:
[2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!
(message is repeated twice)
-----
Interesting lines of /var/log/samba/log.winbindd:
[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)
signing_good: SMB signature check failed on seq 1!
[2003/11/12 15:54:55, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
-----
Interesting lines of /var/log/messages:
Nov 12 15:52:43 dataserver winbindd[21960]: [2003/11/12 15:52:43, 0] libsmb/clientgen.c:cli_receive_smb(121)
Nov 12 15:52:43 dataserver winbindd[21960]: SMB Signature verification failed on incoming packet!
-----
Content of smb.conf:
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2003/11/12 14:18:40
# Global parameters
[global]
workgroup = 3KINGSINC
realm = 3KINGSINC.LOCAL
server string = File Storage (BG Samba Server)
security = ADS
password server = license.3kingsinc.local
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d/home/%D/%U %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
-----
Interesting lines of nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
-----
Content of krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = 3KINGSINC.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
3KINGSINC.LOCAL = {
kdc = license.3kingsinc.local:88
admin_server = license.3kingsinc.local:749
default_domain = 3KINGSINC.LOCAL
}
[domain_realm]
.3kingsinc.local = 3KINGSINC.LOCAL
3kingsinc.local = 3KINGSINC.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
-----
--Jon
Gerald (Jerry) Carter
2003-Nov-13 16:49 UTC
[Samba] Client accessing Samba doesn't authenticate against Active Directory
Jonathan Johnson wrote:
| When a Windows client attempts to browse shares on a Samba 3.0 server
| authenticating against a Windows 2003 Active Directory domain, it
| requests credentials. Typing in user name and password fails

Looks like you don't have the MIT krb5 1.3.1 libs or the latest version
of Heimdal (don't remember which version you need...cvs development
snapshot maybe).

| Output of smbclient -k -L license -UAdministrator@3KINGS.LOCAL
| [2003/11/12 16:03:45, 0] libsmb/clientgen.c:cli_receive_smb(121)
| SMB Signature verification failed on incoming packet!
| session setup failed: Server packet had invalid SMB signature!
...
| -----
| Interesting lines of /var/log/samba/log.192.168.254.202:
|
| [2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
| Failed to verify incoming ticket!
| (message is repeated twice)
|

cheers, jerry
--
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
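
An added example, not part of either post and not Samba project code: a triage script that parses the two-line Samba log format quoted in this thread (including the syslog copies) and separates Kerberos ticket verification failures from SMB signing failures, keyed by the reporting function. The sample log is constructed from the lines quoted above; the category labels and function names `parse_records` and `classify` are assumptions.

```python
import re
from collections import Counter

# Samba 3.x log header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(r"\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s*"
                    r"(?P<src>\S+?):(?P<func>\w+)\(\d+\)")
# syslog copies carry a "Mon DD HH:MM:SS host daemon[pid]: " prefix
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ \S+\[\d+\]:\s*")
# Category labels are assumptions; the message text is quoted from the thread.
CATEGORIES = [
    ("kerberos_ticket", re.compile(r"Failed to verify incoming ticket")),
    ("smb_signing", re.compile(r"SMB signature (check|verification) failed", re.I)),
]
# Constructed sample, assembled from the log lines quoted in the thread.
SAMPLE_LOG = """\
[2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)
  signing_good: SMB signature check failed on seq 1!
Nov 12 15:52:43 dataserver winbindd[21960]: [2003/11/12 15:52:43, 0] libsmb/clientgen.c:cli_receive_smb(121)
Nov 12 15:52:43 dataserver winbindd[21960]:   SMB Signature verification failed on incoming packet!
"""

def parse_records(text):
    """Attach each message line to the header line that precedes it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.search(raw)
        if m:
            current = dict(m.groupdict(), message="")
            records.append(current)
            continue
        rest = SYSLOG_PREFIX.sub("", raw).strip()
        if current is not None and rest:
            current["message"] = (current["message"] + " " + rest).strip()
    return records

def classify(records):
    """Count failures per (category, reporting function)."""
    counts = Counter()
    for rec in records:
        for name, pattern in CATEGORIES:
            if pattern.search(rec["message"]):
                counts[(name, rec["func"])] += 1
                break
    return counts

if __name__ == "__main__":
    for key, n in sorted(classify(parse_records(SAMPLE_LOG)).items()):
        print(key, n)
```

Seeing both categories in the same time window, as in this thread, shows that the Kerberos session setup and the SMB signing check are failing together rather than as unrelated faults.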