I appear to be having a problem with samba using kerberos to authenticate to a win2k pdc.

Background:
Windows 2kSP4 PDC.
WhiteBox Enterprise Linux 3 running 2.4.21-4.ELsmp on x86.
samba 3.0.2-6.3E.i386 from the distribution's rpm.
krb5-1.3.1

I can successfully use "net ads join" and see the computer appear in Active Directory. I can use kinit to authenticate via kerberos, and can browse windows shares via smbclient -k.

When I try and connect from a windows machine, I am continuously prompted for authentication, which never succeeds. My samba log reveals the following:

  [2004/03/24 11:43:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
    Failed to verify incoming ticket!

When trying smbclient from another linux machine:

  [root@TAROON root]# smbclient //liberation/public -k
  session setup failed: NT_STATUS_LOGON_FAILURE

which yields the following in my logs:

  [2004/03/24 16:46:06, 1] libads/kerberos_verify.c:ads_verify_ticket(203)
    ads_verify_ticket: failed to fetch machine password
  [2004/03/24 16:46:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
    Failed to verify incoming ticket!

  [root@TAROON root]# smbclient //liberation/public -Udomainuser%pass
  session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

which places the following in the logs:

  [2004/03/24 16:59:32, 1] libads/kerberos_verify.c:ads_verify_ticket(203)
    ads_verify_ticket: failed to fetch machine password
  [2004/03/24 16:59:32, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
    Failed to verify incoming ticket!

Anonymous login (temporarily enabled for testing) appears to work flawlessly:

  [root@TAROON root]# smbclient //liberation/public -N
  Anonymous login successful
  smb: \> ls
    .                                   D        0  Wed Mar 24 15:41:28 2004
    ..                                  D        0  Mon Feb 23 15:50:16 2004
    krb5cc_0                                  4573  Wed Mar 24 15:41:36 2004
    .X11-unix                          DH        0  Fri Mar 19 12:15:35 2004
    .winbindd                          DH        0  Wed Mar 24 16:19:38 2004

                  60069 blocks of size 262144. 47176 blocks available
  smb: \>

Needless to say I am perplexed.
I have searched google, newsgroups, and the list archives, and while I have seen references to this problem before, no firm solutions, at least none that have worked for me. I have also gone through the troubleshooting guide, and can complete all of the tests that I can do anonymously, but fail all of the ones that require authentication. Anyone care to point out where I have gone wrong?

P.S. I also tried compiling samba from source, but the outcome was no different.

Thanks,
David Nalley
> -----Original Message-----
> From: Brett Stevens [mailto:brett.stevens@hubbub.com.au]
> Can you publish (sanitized) the following
>
> /etc/nsswitch
> Samba.conf
> krb5.conf
>
> Thanks

As you can see, I tried to be liberal with permissions while testing, and planned to tighten down. Thanks for taking a look.

nsswitch.conf:

  passwd:     files winbind
  shadow:     files
  group:      files winbind
  hosts:      files dns
  bootparams: nisplus [NOTFOUND=return] files
  ethers:     files
  netmasks:   files
  networks:   files
  protocols:  files
  rpc:        files
  services:   files
  netgroup:   files
  publickey:  nisplus
  automount:  files
  aliases:    files nisplus

krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   ticket_lifetime = 24000
   default_realm = DOMAIN.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false
   default_tkt_enctypes = des-cbc-crc
   default_tgs_enctypes = des-cbc-crc

  [realms]
   DOMAIN.COM = {
    kdc = KDC.DOMAIN.COM
    admin_server = KDC.DOMAIN.COM
    default_domain = DOMAIN.COM
   }

  [domain_realm]
   .domain.com = DOMAIN.COM
   domain.com = DOMAIN.COM

  [kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

  [appdefaults]
   pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
   }

smb.conf:

  [global]
   netbios name = SAMBASRVR
   Server String = "File Server"
   workgroup = DOMAIN
   security = ADS
   log file = /var/log/%m.log
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   wins support = yes
   realm = DOMAIN.COM
   encrypt passwords = yes
   password server = 192.168.XXX.XXX
   local master = no
   winbind use default domain = yes
   winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   client use spnego = yes

  [public]
   path = /tmp
   guest ok = yes
   writeable = yes
   browseable = yes
   public = yes
Looks like you and I followed the same docs for install. What I have that is different to yours (and my previous failures) is there is absolutely nothing except the default_realm under libdefaults. I commented out everything else; I was having exactly the same symptoms as yourself and had previously tried those settings. Disable all in libdefaults and give that a try.

> From: "David Nalley" <davidnalley@BryanRamey.com>
> Date: Wed, 24 Mar 2004 22:03:47 -0500
> To: "Brett Stevens" <brett.stevens@hubbub.com.au>, <samba@lists.samba.org>
> Subject: RE: [Samba] Kerberos authentication problems
>
>> -----Original Message-----
>> From: Brett Stevens [mailto:brett.stevens@hubbub.com.au]
>> Can you publish (sanitized) the following
>>
>> /etc/nsswitch
>> Samba.conf
>> krb5.conf
>>
>> Thanks
>
> As you can see, I tried to be liberal with permissions while testing,
> and planned to tighten down. Thanks for taking a look
>
> nsswitch.conf:
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
>
> krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = DOMAIN.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  default_tkt_enctypes = des-cbc-crc
>  default_tgs_enctypes = des-cbc-crc
>
> [realms]
>  DOMAIN.COM = {
>   kdc = KDC.DOMAIN.COM
>   admin_server = KDC.DOMAIN.COM
>   default_domain = DOMAIN.COM
>  }
>
> [domain_realm]
>  .domain.com = DOMAIN.COM
>  domain.com = DOMAIN.COM
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> smb.conf:
>
> [global]
>  netbios name = SAMBASRVR
>  Server String = "File Server"
>  workgroup = DOMAIN
>  security = ADS
>  log file = /var/log/%m.log
>  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>  wins support = yes
>  realm = DOMAIN.COM
>  encrypt passwords = yes
>  password server = 192.168.XXX.XXX
>  local master = no
>  winbind use default domain = yes
>  winbind separator = +
>  idmap uid = 10000-20000
>  idmap gid = 10000-20000
>  winbind enum users = yes
>  winbind enum groups = yes
>  client use spnego = yes
>
> [public]
>  path = /tmp
>  guest ok = yes
>  writeable = yes
>  browseable = yes
>  public = yes
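The reply above amounts to a concrete edit of krb5.conf: leave only default_realm under [libdefaults] and drop the rest (here the lifetime, DNS lookup and des-cbc-crc enctype settings). The script below is an added example, not code from either poster or from the Samba or MIT Kerberos projects. It parses krb5.conf's brace-nested syntax, applies that trim as a copy, and lists what was removed so the change can be reviewed before it is written back; the embedded config is a constructed, abridged copy of the sanitized krb5.conf posted in the thread, and the function names are this example's own.

```python
# Added example (not from the thread): parse a krb5.conf, reduce [libdefaults]
# to default_realm as the reply suggests, and report what was dropped so the
# change is reviewable before it is written back.
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, Dict[str, "Value"]]
Section = Dict[str, Value]
Conf = Dict[str, Section]

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")
KV_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")

# Constructed sample: an abridged copy of the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc

[realms]
 DOMAIN.COM = {
  kdc = KDC.DOMAIN.COM
  admin_server = KDC.DOMAIN.COM
  default_domain = DOMAIN.COM
 }

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  forwardable = true
 }
"""


def parse_krb5_conf(text: str) -> Conf:
    """Parse krb5.conf syntax: '[section]', 'key = value', and 'key = {' blocks
    closed by '}'; a line starting with '#' or ';' is a comment."""
    conf: Conf = {}
    stack: List[Section] = []  # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            conf[m.group(1)] = {}
            stack = [conf[m.group(1)]]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError(f"unbalanced '}}' at: {raw!r}")
            stack.pop()
            continue
        m = KV_RE.match(line)
        if not m or not stack:
            raise ValueError(f"unparseable line: {raw!r}")
        key, val = m.group(1), m.group(2).strip()
        if val == "{":
            block: Section = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = val
    return conf


def trim_libdefaults(conf: Conf, keep: Tuple[str, ...] = ("default_realm",)) -> Tuple[Conf, Section]:
    """Return (new_conf, dropped): a copy whose [libdefaults] holds only `keep`."""
    out: Conf = {sec: dict(body) for sec, body in conf.items()}
    lib = out.get("libdefaults", {})
    dropped = {k: v for k, v in lib.items() if k not in keep}
    out["libdefaults"] = {k: v for k, v in lib.items() if k in keep}
    return out, dropped


def render(conf: Conf) -> str:
    """Write the nested dicts back out in krb5.conf syntax."""
    lines: List[str] = []

    def emit(body: Section, indent: int) -> None:
        pad = " " * indent
        for key, val in body.items():
            if isinstance(val, dict):
                lines.append(f"{pad}{key} = {{")
                emit(val, indent + 1)
                lines.append(f"{pad}}}")
            else:
                lines.append(f"{pad}{key} = {val}")

    for sec, body in conf.items():
        lines.append(f"[{sec}]")
        emit(body, 1)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    trimmed, dropped = trim_libdefaults(parse_krb5_conf(SAMPLE_KRB5_CONF))
    for key, val in dropped.items():
        print(f"dropping libdefaults {key} = {val}")
    print(render(trimmed))
```

Running it on the sample prints the five dropped libdefaults entries and then the trimmed file. Keeping the trim as a copy plus a diff-style report, rather than editing in place, matches how the reply was reached: the poster commented the lines out and compared behaviour, and the dropped list is exactly what to restore one at a time if a later setting turns out to be needed.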