samba - Aug 2004 - Kerberos verfy ticket failed

Hello list.

I've got a problem using samba-3.0.4 (RedHat AS 3.0)
the server is member of a Win2003 Active directory domain
All stuff about krb5 seems to work correctly

kinit user@REALM
klist
etc...

net ads join -U administrator has worked well too

But when any Windows client member of the domain try to connect to the
server it asks me for a user/pass.

here is the log.

[2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2004/08/10 18:56:42, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2004/08/10 18:56:42, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1191
[2004/08/10 18:56:42, 3] libads/kerberos_verify.c:ads_verify_ticket(185)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/08/10 18:56:43, 3] libads/kerberos_verify.c:ads_verify_ticket(193)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
  error string = Aucun fichier ou répertoire de ce type
[2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
  timeout_processing: End of file from client (client has disconnected).
[2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
  Closing connections
[2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to 
[2004/08/10 18:56:44, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does
not exist.
[2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
  Server exit (normal exit)

I'm not sure it's due to Win2k3 server because enc type [3] is
des-cbc-md5.

I definitiveley Don't know what's wrong!

I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4
without success.

Any help would be appretciated.

I have seen this on multiple occasions as well.  I can't really 
pinpoint it, but I'd really like to know what is going wrong.

Aaron


On Aug 10, 2004, at 1:48 PM, Raphael RIGNIER wrote:
> Hello list.
>
> I've got a problem using samba-3.0.4 (RedHat AS 3.0)
> the server is member of a Win2003 Active directory domain
> All stuff about krb5 seems to work correctly
>
> kinit user@REALM
> klist
> etc...
>
> net ads join -U administrator has worked well too
>
> But when any Windows client member of the domain try to connect to the
> server it asks me for a user/pass.
>
> here is the log.
>
> [2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>   wct=12 flg2=0xc807
> [2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2004/08/10 18:56:42, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>   Doing spnego session setup
> [2004/08/10 18:56:42, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
> PrimaryDomain=[]
> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>   Got OID 1 2 840 48018 1 2 2
> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>   Got OID 1 2 840 113554 1 2 2
> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
>   Got secblob of size 1191
> [2004/08/10 18:56:42, 3] 
> libads/kerberos_verify.c:ads_verify_ticket(185)
>   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
> integrity check failed
> [2004/08/10 18:56:43, 3] 
> libads/kerberos_verify.c:ads_verify_ticket(193)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
>   Failed to verify incoming ticket!
> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
>   error string = Aucun fichier ou r????pertoire de ce type
> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
>   error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
>   timeout_processing: End of file from client (client has 
> disconnected).
> [2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
>   Closing connections
> [2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
>   Yielding connection to
> [2004/08/10 18:56:44, 3] smbd/connection.c:yield_connection(76)
>   yield_connection: tdb_delete for name  failed with error Record does
> not exist.
> [2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
>   Server exit (normal exit)
>
> I'm not sure it's due to Win2k3 server because enc type [3] is
> des-cbc-md5.
>
> I definitiveley Don't know what's wrong!
>
> I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4
> without success.
>
> Any help would be appretciated.
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

Hi,
what's in your krb.conf?
AFAIR it should be realy minimalistic. (in fact mine doesn't even exist,
but i'm using a win2k server, not win2k3)
espacialy there shouldn't be settings for default encryption types.
Some persons reported these to produce problems.
And you definitly need a kerberos-version >=1.3.3 if you use 
MIT-kerberos to get it working.
Hope it helps.
Christoph

Raphael RIGNIER schrieb:
> Hello list.
> 
> I've got a problem using samba-3.0.4 (RedHat AS 3.0)
> the server is member of a Win2003 Active directory domain
> All stuff about krb5 seems to work correctly
> 
> kinit user@REALM
> klist
> etc...
> 
> net ads join -U administrator has worked well too
> 
> But when any Windows client member of the domain try to connect to the
> server it asks me for a user/pass.
> 
> here is the log.
> 
> [2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>   wct=12 flg2=0xc807
> [2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2004/08/10 18:56:42, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>   Doing spnego session setup
> [2004/08/10 18:56:42, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
> PrimaryDomain=[]
> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>   Got OID 1 2 840 48018 1 2 2
> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>   Got OID 1 2 840 113554 1 2 2
> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
>   Got secblob of size 1191
> [2004/08/10 18:56:42, 3] libads/kerberos_verify.c:ads_verify_ticket(185)
>   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
> integrity check failed
> [2004/08/10 18:56:43, 3] libads/kerberos_verify.c:ads_verify_ticket(193)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
>   Failed to verify incoming ticket!
> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
>   error string = Aucun fichier ou r????pertoire de ce type
> [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
>   error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
>   timeout_processing: End of file from client (client has disconnected).
> [2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
>   Closing connections
> [2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
>   Yielding connection to 
> [2004/08/10 18:56:44, 3] smbd/connection.c:yield_connection(76)
>   yield_connection: tdb_delete for name  failed with error Record does
> not exist.
> [2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
>   Server exit (normal exit)
> 
> I'm not sure it's due to Win2k3 server because enc type [3] is
> des-cbc-md5.
> 
> I definitiveley Don't know what's wrong!
> 
> I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4
> without success.
> 
> Any help would be appretciated.
>