Huyler, Christopher M
2004-May-17  13:56 UTC
[Samba] RE: Bug 1315 -- wrong schannel auth len 24 -- am I having same problem on my Mac?
Can someone verify that I am having the same problem with Mac OS X Panther (10.3.3) using Samba 3.0.2 based on my log below? I get this trying to connect from my WinXP machine to my Mac which is configured with ADS.

If so, can you point me to a set of instructions on upgrading from 3.0.2 to 3.0.4 with this patch?

I don't have control over the server I authenticate with...it is about 300 miles away, so upgrading my own machine would be the only option.

Here's the log...

[2004/05/17 09:43:34, 2] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/05/17 09:43:34, 3] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
  Doing spnego session setup
[2004/05/17 09:43:34, 3] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2004/05/17 09:43:34, 3] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/05/17 09:43:34, 3] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/05/17 09:43:34, 3] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/05/17 09:43:34, 3] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:reply_spnego_negotiate(430)
  Got secblob of size 1583
[2004/05/17 09:43:34, 10] /SourceCache/samba/samba-56/samba/source/passdb/secrets.c:secrets_named_mutex(698)
  secrets_named_mutex: got mutex for replay cache mutex
[2004/05/17 09:43:34, 10] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/05/17 09:43:34, 10] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/05/17 09:43:34, 3] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2004/05/17 09:43:34, 10] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/05/17 09:43:34, 10] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2004/05/17 09:43:34, 10] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2004/05/17 09:43:34, 10] /SourceCache/samba/samba-56/samba/source/passdb/secrets.c:secrets_named_mutex_release(710)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/05/17 09:43:34, 3] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/05/17 09:43:34, 1] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

# -----Original Message-----
#
# The fix for 3.0.4 is attached to
#
# https://bugzilla.samba.org/show_bug.cgi?id=1315
#
# Anders, I posted this previously in response to one of
# the threads you referred to.
#
# http://lists.samba.org/archive/samba/2004-May/085842.html
William R. Lorenz
2004-May-17  14:32 UTC
[Samba] RE: Bug 1315 -- wrong schannel auth len 24 -- am I having same problem on my Mac?
Hi Chris,

I remember seeing the 'Failed to verify incoming ticket!' over the course of my adventures, and I think that it's rather safe to say that if you're trying to use Samba to authenticate against an Active Directory server, it would be wise to start with 3.0.4 and a working patch. ;) I've heard that downgrading to a specific version will help to fix this as well, though. Maybe someone with a more authoritative answer could hop in on this thread.

I will have RPM packages w/ 3.0.4 and the patch available later this afternoon for a Fedora Core 1 installation. The packages also work on a Fedora Core 2 install, which is due out for public consumption tomorrow, I do believe. Everything works hunky-dory on FC2 for me with the packages: winbind against ADS, `wbinfo -u,-g,-t`, ext3 with FS ACLs set via Samba, users, groups, and the rest of the goods. I'm quite pleased now. :)

The patch is attached to https://bugzilla.samba.org/show_bug.cgi?id=1315 and can be applied to a tarball (.tar.gz) using the `patch` utility, too.

On Mon, 17 May 2004, Huyler, Christopher M wrote:

> Can someone verify that I am having the same problem with Mac OS X
> Panther (10.3.3) using Samba 3.0.2 based on my log below? I get this
> trying to connect from my WinXP machine to my Mac which is configured
> with ADS. If so, can you point me to a set of instructions on upgrading
[...]
> [2004/05/17 09:43:34, 1]
> /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:
> reply_spnego_kerberos(173) Failed to verify incoming ticket!

> # -----Original Message-----
> #
> # The fix for 3.0.4 is attached to
> #
> # https://bugzilla.samba.org/show_bug.cgi?id=1315
> #
> # Anders, I posted this previously in response to one of
> # the threads you referred to.
> #
> # http://lists.samba.org/archive/samba/2004-May/085842.html

--
William R. Lorenz <wrl@express.org>
http://www.clevelandlug.net/
"Every revolution was first a thought in one man's mind." - Ralph Waldo Emerson
Gerald (Jerry) Carter
2004-May-17  14:56 UTC
[Samba] RE: Bug 1315 -- wrong schannel auth len 24 -- am I having same problem on my Mac?
Huyler, Christopher M wrote:

| Can someone verify that I am having the same problem
| with Mac OS X Panther (10.3.3) using Samba 3.0.2 based
| on my log below? I get this trying to connect from
| my WinXP machine to my Mac which is configured with ADS.
|
| If so, can you point me to a set of instructions on upgrading
| from 3.0.2 to 3.0.4 with this patch?
|
| I don't have control over the server I authenticate
| with...it is about 300 miles away, so upgrading my own
| machine would be the only option.

This is not the same as bug #1315. This is a krb5 lib problem. You need to use a version of kerberos that supports the ARCFOUR_HMAC_MD5 (23) encryption type. Looks like either you have an old version of krb5 libs (assuming included with Panther) or a misconfiguration.

| ads_verify_ticket: krb5_rd_req with auth failed (Bad
| encryption type)
| Failed to verify incoming ticket!

cheers, jerry
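
An added example, not part of any message in this thread: a small Python script that groups the `ads_verify_ticket` decrypt failures from the posted log by error string, so the enctype that failed differently from the rest stands out. The function names are hypothetical, the enctype names are the IANA Kerberos assignments, and the sample lines are copied from the log in the first message.

```python
import re
from collections import defaultdict

# Kerberos encryption type numbers (IANA assignments; subset only).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac (arcfour-hmac-md5)",
}

# Message lines copied from the log in the first post of the thread.
SAMPLE_LOG = """\
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
  ads_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""

# One match per enctype that smbd tried against the incoming ticket.
ATTEMPT = re.compile(
    r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt with error (.+?)\s*$"
)

def failures_by_error(log_text):
    """Map each krb5 error string to the enctype numbers that produced it."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            grouped[m.group(2)].append(int(m.group(1)))
    return dict(grouped)

def outliers(grouped):
    """Enctypes whose error string was reported by exactly one attempt."""
    return [encs[0] for encs in grouped.values() if len(encs) == 1]

def describe(enctype):
    return f"{enctype} ({ENCTYPE_NAMES.get(enctype, 'unknown')})"

if __name__ == "__main__":
    grouped = failures_by_error(SAMPLE_LOG)
    for err, encs in grouped.items():
        print(f"{err}: {', '.join(describe(e) for e in encs)}")
    print("differs from the rest:", [describe(e) for e in outliers(grouped)])
```

The script only summarises the log; it does not decide between a library, keytab or configuration cause.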