samba - Jul 2004 - Windows 2003 AD/Kerberos Ticket error

I'm attempting to configure Samba 3.0.4 to work with Windows 2003 Active
Directory, mapping users' home directories automatically. Currently we
use this method in production with Windows 2000 but wish to migrate to
2003. The problem seems to be Kerberos related. I was able to join the
Linux box (RedHat 9) to the AD. I can do a "kinit <username>"
successfully. Klist shows a valid ticket. When logging on to the W2K3
domain controller the mapping of the drive fails and the Samba log shows
the following:

smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!

This is my smb.conf file (I've removed comments):
****Begin File****
#======================= Global Settings 
[global]
   workgroup = w2k3
   netbios name = file-svr
   server string = Samba Server

   log file = /var/log/samba/smbd.log

   max log size = 50
   security = ads
   realm = W2K3.TEST

   client signing = Yes
   server signing = Yes
   client use spnego = Yes
   use spnego = Yes

  encrypt passwords = yes

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   local master = no

   dns proxy = no 

#============================ Share Definitions 
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

****End File****

This is the krb5.conf (again, comments removed):

****Begin File****

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
  default_realm = W2K3.TEST
  default_tgs_enctypes = des-cbc-crc des-cbc-md5
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  forwardable = true
  proxiable = true

[realms]
 W2K3.TEST = {
  kdc = test-dc.w2k3.test
  admin_server = test-dc.w2k3.test
  default_domain = w2k3.test
 }

[domain_realm]
 .w2k3.test = W2K3.TEST
 w2k3.test = W2K3.TEST

****End File****

The following packages are installed:

samba-3.0.4-1
krb5-libs-1.2.7-14
krb5-workstation-1.2.7-14
krb5-devel-1.60-1
pam_krb5-1.60-1

The DNS servers are Windows 2000 SP4.

Thanks for any suggestions. I've set this at maximum points since I
really need to get it working.

Mark

--
Mark Warbeck
Systems Engineer
Engineering Science and Mechanics
Virginia Tech
323A Norris Hall
Mail Code 0219
Blacksburg, VA 24061
540.231.7489

If you google for this you'll find a bunch of posts that pretty much 
explain everything.

In short, W2003 krb defaults to rc4-hmac, and does not allow enctypes. 
So take your enctypes out of krb5.conf and let it do rc4-hmac, or you 
can read Q833708 and get the hotfix to recognize enctypes.

I forget why the kinit works but the client logon does not.

Eric Roseme
Hewlett-Packard

Warbeck, Mark wrote:
> I'm attempting to configure Samba 3.0.4 to work with Windows 2003
Active
> Directory, mapping users' home directories automatically. Currently we
> use this method in production with Windows 2000 but wish to migrate to
> 2003. The problem seems to be Kerberos related. I was able to join the
> Linux box (RedHat 9) to the AD. I can do a "kinit
<username>"
> successfully. Klist shows a valid ticket. When logging on to the W2K3
> domain controller the mapping of the drive fails and the Samba log shows
> the following:
> 
> smbd/sesssetup.c:reply_spnego_kerberos(174)
>   Failed to verify incoming ticket!
> 
> This is my smb.conf file (I've removed comments):
> ****Begin File****
> #======================= Global Settings 
> [global]
>    workgroup = w2k3
>    netbios name = file-svr
>    server string = Samba Server
> 
>    log file = /var/log/samba/smbd.log
> 
>    max log size = 50
>    security = ads
>    realm = W2K3.TEST
> 
>    client signing = Yes
>    server signing = Yes
>    client use spnego = Yes
>    use spnego = Yes
> 
>   encrypt passwords = yes
> 
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
>    local master = no
> 
>    dns proxy = no 
> 
> #============================ Share Definitions 
> [homes]
>    comment = Home Directories
>    browseable = no
>    writable = yes
> 
> ****End File****
> 
> This is the krb5.conf (again, comments removed):
> 
> ****Begin File****
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  ticket_lifetime = 24000
>   default_realm = W2K3.TEST
>   default_tgs_enctypes = des-cbc-crc des-cbc-md5
>   default_tkt_enctypes = des-cbc-crc des-cbc-md5
>   forwardable = true
>   proxiable = true
> 
> [realms]
>  W2K3.TEST = {
>   kdc = test-dc.w2k3.test
>   admin_server = test-dc.w2k3.test
>   default_domain = w2k3.test
>  }
> 
> [domain_realm]
>  .w2k3.test = W2K3.TEST
>  w2k3.test = W2K3.TEST
> 
> ****End File****
> 
> The following packages are installed:
> 
> samba-3.0.4-1
> krb5-libs-1.2.7-14
> krb5-workstation-1.2.7-14
> krb5-devel-1.60-1
> pam_krb5-1.60-1
> 
> The DNS servers are Windows 2000 SP4.
> 
> Thanks for any suggestions. I've set this at maximum points since I
> really need to get it working.
> 
> Mark
> 
> --
> Mark Warbeck
> Systems Engineer
> Engineering Science and Mechanics
> Virginia Tech
> 323A Norris Hall
> Mail Code 0219
> Blacksburg, VA 24061
> 540.231.7489