Hello everyone,

I'm sorry for this long post, but I think there is a real understanding problem for many people with ADS domain membership. I'm not the first to post about this type of problem, but I didn't find an answer to it in the archives, and I followed the HOWTO collection.

Well, this is what I'm doing: I am using samba-3.0.1 compiled from source, MIT Kerberos 1.3.1 compiled from source, and OpenLDAP 2.1.25 compiled from source, on a non-standard Linux distribution. I have a Win2k DC that controls a test domain, my Linux domain member with Samba and Kerberos, and a WinXP workstation.

I made my configurations as follows:

smb.conf:

  [global]
  netbios name = linuxbox
  workgroup = test
  realm = TEST.COM
  security = ads
  encrypt passwords = yes
  obey pam restrictions = yes
  idmap uid = 10000-10813
  idmap gid = 10000-10813
  winbind separator = -
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /share/%U
  winbind use default domain = yes
  log file = /var/log/samba/log.%m
  log level = 3

krb5.conf:

  [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
  ticket_lifetime = 24000
  default_realm = TEST.COM
  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
  permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
  dns_lookup_realm = false
  dns_lookup_kdc = false

  [realms]
  TEST.COM = {
    kdc = ntserver.test.com
    admin_server = ntserver.test.com
    default_domain = test.com
  }

  [domain_realm]
  test.com = TEST.COM
  .test.com = TEST.COM

I also tried with enctypes rc4-hmac; the results were the same.

I ran successively:

  $ nmbd -D
  $ smbd -D
  $ kinit administrator@TEST.COM
  $ net ads join -U administrator
  $ winbindd

All this works fine, I can see my ADS users, and klist gives me:

  $ klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: administrator@TEST.COM

  Valid starting     Expires            Service principal
  04/02/04 13:47:34  04/02/04 23:47:40  krbtgt/TEST.COM@TEST.COM
          renew until 04/03/04 13:47:34

  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached

Then I run on my Linux box:

  $ smbclient -k //linuxbox/pascal -U pascal

and get:

  tree connect failed: NT_STATUS_ACCESS_DENIED

If I run klist after this command I get the following:

  $ klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: administrator@TEST.COM

  Valid starting     Expires            Service principal
  04/02/04 13:47:34  04/02/04 23:47:40  krbtgt/TEST.COM@TEST.COM
          renew until 04/03/04 13:47:34
  04/02/04 13:50:52  04/02/04 23:47:40  linuxbox$@TEST.COM
          renew until 04/03/04 13:47:34

  Kerberos 4 ticket cache: /tmp/tkt0
  ...

/var/log/samba/log.linuxbox is empty, but I get the following lines in /var/log/samba/log.172.16.1.58:

  [2004/04/02 14:57:24, 3] smbd/oplock.c:init_oplocks(1226)
    open_oplock_ipc: opening loopback UDP socket.
  [2004/04/02 14:57:24, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
    Linux kernel oplocks enabled
  [2004/04/02 14:57:24, 3] smbd/oplock.c:init_oplocks(1257)
    open_oplock ipc: pid = 31339, global_oplock_port = 33200
  [2004/04/02 14:57:24, 3] smbd/process.c:process_smb(890)
    Transaction 0 of length 183
  [2004/04/02 14:57:24, 3] smbd/process.c:switch_message(685)
    switch message SMBnegprot (pid 31339)
  [2004/04/02 14:57:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
    Requested protocol [PC NETWORK PROGRAM 1.0]
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
    Requested protocol [MICROSOFT NETWORKS 1.03]
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
    Requested protocol [MICROSOFT NETWORKS 3.0]
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
    Requested protocol [LANMAN1.0]
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
    Requested protocol [LM1.2X002]
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
    Requested protocol [DOS LANMAN2.1]
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(455)
    Requested protocol [Samba]
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_nt1(329)
    using SPNEGO
  [2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(532)
    Selected protocol NT LANMAN 1.0
  [2004/04/02 14:57:24, 3] smbd/process.c:process_smb(890)
    Transaction 1 of length 1488
  [2004/04/02 14:57:24, 3] smbd/process.c:switch_message(685)
    switch message SMBsesssetupX (pid 31339)
  [2004/04/02 14:57:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  [2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(591)
    wct=12 flg2=0xc801
  [2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(471)
    Doing spnego session setup
  [2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(502)
    NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
  [2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
    Got OID 1 2 840 48018 1 2 2
  [2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
    Got OID 1 3 6 1 4 1 311 2 2 10
  [2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
    Got secblob of size 1348
  [2004/04/02 14:57:24, 3] libads/kerberos_verify.c:setup_keytab(147)
    unable to create MEMORY: keytab (Unknown Key table type)
  [2004/04/02 14:57:24, 3] libads/kerberos_verify.c:ads_verify_ticket(280)
    ads_verify_ticket: unable to setup keytab
  [2004/04/02 14:57:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
    Failed to verify incoming ticket!
  [2004/04/02 14:57:24, 3] smbd/error.c:error_packet(94)
    error string = No such file or directory
  [2004/04/02 14:57:24, 3] smbd/error.c:error_packet(118)
    error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
  [2004/04/02 14:57:24, 3] smbd/process.c:process_smb(890)
    Transaction 2 of length 92
  [2004/04/02 14:57:24, 3] smbd/process.c:switch_message(685)
    switch message SMBtconX (pid 31339)
  [2004/04/02 14:57:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  [2004/04/02 14:57:24, 1] smbd/service.c:make_connection(792)
    make_connection: refusing to connect with no session setup
  [2004/04/02 14:57:24, 3] smbd/error.c:error_packet(118)
    error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
  [2004/04/02 14:57:24, 3] smbd/process.c:timeout_processing(1104)
    timeout_processing: End of file from client (client has disconnected).
  [2004/04/02 14:57:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  [2004/04/02 14:57:24, 2] smbd/server.c:exit_server(558)
    Closing connections
  [2004/04/02 14:57:24, 3] smbd/connection.c:yield_connection(69)
    Yielding connection to
  [2004/04/02 14:57:24, 3] smbd/connection.c:yield_connection(76)
    yield_connection: tdb_delete for name failed with error Record does not exist.
  [2004/04/02 14:57:24, 3] smbd/server.c:exit_server(601)
    Server exit (normal exit)

I turned off "client use spnego" and I got this log:

  ...
  [2004/04/02 15:08:03, 2] auth/auth.c:check_ntlm_password(312)
    Selected protocol NT Lanman 1.0
  ...
  [2004/04/02 15:08:03, 2] auth/auth.c:check_ntlm_password(312)
    check_ntlm_password: Authentication for user [pascal] -> [pascal] FAILED with error NT_STATUS_WRONG_PASSWORD
  [2004/04/02 15:08:03, 2] auth/auth.c:check_ntlm_password(312)
    Error string = NO such file or directory
  ...
  [2004/04/02 15:08:03, 2] smbd/server.c:exit_server(558)
    Closing connections

With the XP client, when connecting to the domain I don't see the linuxbox, but the following lines appear in /var/log.172.16.1.42:

  [2004/04/02 15:35:58, 3] smbd/oplock.c:init_oplocks(1226)
    open_oplock_ipc: opening loopback UDP socket.
  [2004/04/02 15:35:58, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
    Linux kernel oplocks enabled
  [2004/04/02 15:35:58, 3] smbd/oplock.c:init_oplocks(1257)
    open_oplock ipc: pid = 2470, global_oplock_port = 33204
  [2004/04/02 15:35:58, 3] smbd/process.c:process_smb(890)
    Transaction 0 of length 72
  [2004/04/02 15:35:58, 2] smbd/reply.c:reply_special(105)
    netbios connect: name1=LINUXBOX name2=POSTE1
  [2004/04/02 15:35:58, 2] smbd/reply.c:reply_special(112)
    netbios connect: local=linuxbox remote=poste1, name type = 0

and sometimes no log at all.

Well, I really don't know what goes wrong. Did I forget some steps? As I said, I followed the HOWTO collection, so I wonder if there is not a lack of explanation in it about this kind of problem, as many people seem to be confronted with it. Does anyone have any idea about my problem? Is it normal that the selected protocol is NT LANMAN 1.0? I don't want any NT compatibility.

Really, thank you

--
Thundax
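The useful facts in a level-3 smbd log (which dialect was negotiated, which SPNEGO mechanisms the client offered, which call failed first, and which NT_STATUS each SMB command got back) are buried among dozens of housekeeping lines. The script below is an added example for this thread, not Samba code and not something the poster ran: it parses the "[date, level] file:function(line)" record format that smbd writes (message on the following indented line, or on the same line when the log has been flattened as in a mail), and reduces a session to a short cause-and-effect chain. The embedded excerpt is constructed from the lines quoted in the post; the OID-to-mechanism table uses the standard SPNEGO mechanism OIDs.

```python
"""Summarise an smbd level-3 log into the chain of events behind a failed
SPNEGO session setup. Added example for this thread; not Samba code."""
import re
from collections import OrderedDict

# smbd log header: "[date time, level] file:function(line)"; the message
# follows on the same line (flattened logs) or on the next indented line(s).
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s*"
    r"(?P<where>\S+?:\w+\(\d+\))\s*(?P<msg>.*)$"
)
NT_STATUS = re.compile(r"cmd=(?P<cmd>\d+) \((?P<name>\w+)\) (?P<status>NT_STATUS_\w+)")
SPNEGO_OID = re.compile(r"Got OID ([\d ]+)")

# SPNEGO mechanism OIDs as smbd prints them (space-separated arcs).
MECH_NAMES = {
    "1 2 840 48018 1 2 2": "MS KRB5",      # Microsoft Kerberos v5
    "1 2 840 113554 1 2 2": "KRB5",        # IETF Kerberos v5
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}

# Constructed excerpt, taken from the lines quoted in the post above.
SAMPLE_LOG = """\
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_nt1(329)
  using SPNEGO
[2004/04/02 14:57:24, 3] smbd/negprot.c:reply_negprot(532)
  Selected protocol NT LANMAN 1.0
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
  Got OID 1 2 840 48018 1 2 2
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(380)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/04/02 14:57:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
  Got secblob of size 1348
[2004/04/02 14:57:24, 3] libads/kerberos_verify.c:setup_keytab(147)
  unable to create MEMORY: keytab (Unknown Key table type)
[2004/04/02 14:57:24, 3] libads/kerberos_verify.c:ads_verify_ticket(280)
  ads_verify_ticket: unable to setup keytab
[2004/04/02 14:57:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2004/04/02 14:57:24, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2004/04/02 14:57:24, 1] smbd/service.c:make_connection(792)
  make_connection: refusing to connect with no session setup
[2004/04/02 14:57:24, 3] smbd/error.c:error_packet(118)
  error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""


def parse_smbd_log(text):
    """Return a list of (timestamp, level, where, message) records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m["ts"], int(m["level"]), m["where"], m["msg"].strip()])
        elif records and line.strip():
            # continuation of the previous record's message
            cur = records[-1]
            cur[3] = (cur[3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]


def analyse_session(records):
    """Pull out the facts a troubleshooter needs from one smbd child's log."""
    report = {"protocol": None, "spnego_mechs": [], "errors": [],
              "status_by_cmd": OrderedDict(), "first_failure": None}
    for ts, level, where, msg in records:
        if msg.startswith("Selected protocol "):
            report["protocol"] = msg[len("Selected protocol "):]
        oid = SPNEGO_OID.search(msg)
        if oid:
            key = oid.group(1).strip()
            report["spnego_mechs"].append(MECH_NAMES.get(key, key))
        st = NT_STATUS.search(msg)
        if st:
            report["status_by_cmd"][st["name"]] = st["status"]
        # level 0/1 lines and explicit "unable to ..." lines are the failures
        if level <= 1 or "unable to" in msg:
            report["errors"].append((where, msg))
            if report["first_failure"] is None:
                report["first_failure"] = (where, msg)
    return report


def explain(report):
    """Render the report as a short plain-language chain of cause and effect."""
    lines = []
    if report["protocol"]:
        lines.append("Dialect negotiated: %s" % report["protocol"])
    if report["spnego_mechs"]:
        lines.append("Client offered SPNEGO mechs: %s" % ", ".join(report["spnego_mechs"]))
    if report["first_failure"]:
        lines.append("First failure: %s: %s" % report["first_failure"])
    for cmd, status in report["status_by_cmd"].items():
        lines.append("%s answered with %s" % (cmd, status))
    if ("SMBsesssetupX" in report["status_by_cmd"]
            and report["status_by_cmd"].get("SMBtconX") == "NT_STATUS_ACCESS_DENIED"):
        lines.append("The tree connect was refused because no session was ever "
                     "established; fix the session setup error, not the share ACL.")
    return lines


if __name__ == "__main__":
    for line in explain(analyse_session(parse_smbd_log(SAMPLE_LOG))):
        print(line)
```

Run it against a real log with parse_smbd_log(open("/var/log/samba/log.172.16.1.58").read()); the first_failure entry is the line to search the archives for, and the NT_STATUS ordering shows that the ACCESS_DENIED seen by smbclient is only a consequence of the earlier LOGON_FAILURE on the session setup.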