Kevin P. Fleming
2004-Jan-01 04:33 UTC
[Samba] 3.0.0 -> 3.0.1 upgrade causes "Failed to verify incoming ticket!"
OK, I spent a bunch of time reviewing the mailing list from the last month, and I see where this was discussed quite a bit, but there was no conclusive resolution found (that I could find anyway).

I have a simple network: one machine running W2K3 Standard Edition, with AD active and in W2K compatibility mode, one machine running Linux with Samba 3.0.0/3.0.1, a number of W2K and WXP Pro workstations.

Samba is compiled against MIT Kerberos 1.3.1. There is no /etc/krb5.conf file at all (intentionally). I had no trouble using kinit to get a krb5 ticket from the KDC, nor did I have any trouble with "net ads join". The Samba server shows up in Active Directory, reporting itself properly. There is no WINS server at all (only DNS is used for host name resolution). "client use spnego" and "use spnego" are both set to "yes". "klist -e" shows the ticket obtained by kinit as "skey" DES-CBC-CRC and "tkt" RC4-HMAC-MD5.

winbindd is running and libnss_winbind.so is in place and working properly; getent shows the AD users and groups with no problems. Time is synchronized between the machines (the Linux box is running ntpd, and the W2K3 box is using it as a time source).

With Samba 3.0.0 everything is cool and I can access the shares, security works properly, etc. Upgrading to 3.0.1 (compiled using the identical configure command) causes the workstations (and the AD DC) to no longer be able to connect to Samba shares; any attempt results in a username/password dialog box popping up, and no entry in that box will work. The workstations can connect to the Samba server by using the IP address, though, just not using browsing or the server name directly.

Looking at the Samba logs, "Failed to verify incoming ticket!" appears each time a workstation attempts to connect to a share when 3.0.1 is running.

I have another problem to report against Samba, and I suspect it may have been fixed already in 3.0.1, but I can't use 3.0.1 without a resolution to this problem. Anyone have a suggestion?
Juer Lee
2004-Jan-04 01:56 UTC
[Samba] 3.0.0 -> 3.0.1 upgrade causes "Failed to verify incoming ticket!"
I experience the same problems: accessing the share by IP address is OK, while accessing the share by the host name fails. The only difference is that there are two DCs in the domain.

Juer

----- Original Message -----
From: "Kevin P. Fleming" <kpfleming@backtobasicsmgmt.com>
To: <samba@lists.samba.org>
Sent: Thursday, January 01, 2004 12:32 PM
Subject: [Samba] 3.0.0 -> 3.0.1 upgrade causes "Failed to verify incoming ticket!"

> OK, I spent a bunch of time reviewing the mailing list from the last
> month, and I see where this was discussed quite a bit, but there was no
> conclusive resolution found (that I could find anyway).
>
> I have a simple network: one machine running W2K3 Standard Edition, with
> AD active and in W2K compatibility mode, one machine running Linux with
> Samba 3.0.0/3.0.1, a number of W2K and WXP Pro workstations.
>
> Samba is compiled against MIT Kerberos 1.3.1. There is no /etc/krb5.conf
> file at all (intentionally). I had no trouble using kinit to get a krb5
> ticket from the KDC, nor did I have any trouble with "net ads join". The
> Samba server shows up in Active Directory, reporting itself properly.
> There is no WINS server at all (only DNS is used for host name
> resolution). "client use spnego" and "use spnego" are both set to "yes".
> "klist -e" shows the ticket obtained by kinit as "skey" DES-CBC-CRC and
> "tkt" RC4-HMAC-MD5.
>
> winbindd is running and libnss_winbind.so is in place and working
> properly; getent shows the AD users and groups with no problems. Time is
> synchronized between the machines (the Linux box is running ntpd, and
> the W2K3 box is using it as a time source).
>
> With Samba 3.0.0 everything is cool and I can access the shares,
> security works properly, etc. Upgrading to 3.0.1 (compiled using the
> identical configure command) causes the workstations (and the AD DC) to
> no longer be able to connect to Samba shares; any attempt results in a
> username/password dialog box popping up, and no entry in that box will
> work. The workstations can connect to the Samba server by using the IP
> address, though, just not using browsing or the server name directly.
>
> Looking at the Samba logs, "Failed to verify incoming ticket!" appears
> each time a workstation attempts to connect to a share when 3.0.1 is
> running.
>
> I have another problem to report against Samba, and I suspect it may
> have been fixed already in 3.0.1, but I can't use 3.0.1 without a
> resolution to this problem. Anyone have a suggestion?