Running into a lot of people upgrading to the 3.0.6 package that all of a sudden begin to experience the "Failed to verify incoming ticket!" errors etc., that are generally associated with a kerberos package incompatibility.

However many of these people are running later versions of kerberos *and* reverting to a previous version of Samba appears to fix the issue. Is there something new setting wise that has taken place, is something really wrong with this new package, or is this all just a strange coincidence?

Christian
Gerald (Jerry) Carter
2004-Sep-08 15:48 UTC
[Samba] Samba 3.0.6 Problems w/AD and Kerberos
Christian Merrill wrote:
| Running into a lot of people upgrading to the 3.0.6
| package that all of a sudden begin to experience
| the "Failed to verify incoming ticket!" errors
| etc., that are generally associated with a kerberos
| package incompatibility.
|
| However many of these people are running later
| versions of kerberos *and* reverting to a previous
| version of Samba appears to fix the issue. Is there
| something new setting wise that has taken place, is
| something really wrong with this new package, or
| is this all just a strange coincidence?

I've not been able to reproduce this or track it down.
Is there a consensus whether this is a specific issue
with using MIT or Heimdal? Or with Windows 2000 or
2003 DCs?

Any details would be helpful. I've created a bug report at
https://bugzilla.samba.org/show_bug.cgi?id=1739

cheers, jerry
Christian,

FYI: win2k SP4 on AD causes Win3K-like behavior of forcing Kerberos ticket signing:
http://support.microsoft.com/default.aspx?scid=kb;en-us;811422

So on win2k AD this breaks krb5 before 1.3.x...

-Alex

-----Original Message-----
From: Christian Merrill [mailto:cmerrill@redhat.com]
Sent: Sunday, September 05, 2004 9:34 AM
To: Rick Brown
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

Rick Brown wrote:

>On Sun, 5 Sep 2004, Christian Merrill wrote:
>
>>Gerald (Jerry) Carter wrote:
>>
>>>Christian Merrill wrote:
>>>| Running into a lot of people upgrading to the 3.0.6
>>>| package that all of a sudden begin to experience
>>>| the "Failed to verify incoming ticket!" errors
>>>| etc., that are generally associated with a kerberos
>>>| package incompatibility.
>>>|
>>>| However many of these people are running later
>>>| versions of kerberos *and* reverting to a previous
>>>| version of Samba appears to fix the issue. Is there
>>>| something new setting wise that has taken place, is
>>>| something really wrong with this new package, or
>>>| is this all just a strange coincidence?
>>>
>>>I've not been able to reproduce this or track it down.
>>>Is there a consensus whether this is a specific issue
>>>with using MIT or Heimdal ? Or with Windows 2000 or
>>>2003 DCs ?
>>>
>>>Any details would be helpful. I've created bug report at
>>>https://bugzilla.samba.org/show_bug.cgi?id=1739
>>>
>>Well from my end (Redhat) the behavior is indicative of a known issue
>>with the MIT kerberos 1.2.x packages that we currently support and
>>Win2k3 DC's...however Win2k DC's have been operating fine as far as I
>>know. What I am seeing are customers who were previously running
>>upgrade to the 3.0.6 samba package and then start to encounter these
>>errors. If they downgrade the samba package the problem goes away.
>>I've also noticed a few other posts from users on other distros such as
>>Debian encountering very similar behavior.
>>
>>On the surface it really looks like a kerberos problem, but people are
>>reporting that it seems to be directly linked to the samba package. My
>>current test environment is on 2k3 so I'm still in the process of
>>setting up a 2k AD environment to do testing on...at this point just
>>relaying feedback that I am getting from others.
>>
>
>I've seen this problem on a new machine/samba install..
>Our DC recently changed from 2k to 2k3, and I believe that might
>be part of the cause of the problem. I have 2 samba machines (running
>3.0.2) that I joined into the realm when our DC was 2k, they still work
>great. Last week I brought a new machine online (running 3.0.4) joined
>the realm with no problems, but then proceeded to get the following error:
>
> ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
>
>when authenticating.. I've since downgraded to 3.0.2 with no success,
>and tried upgrading to 3.0.6 with no success.
>
>Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
>Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
>red tape... so that's not an option. IMO, MIT krb is not the problem, as
>the two existing machines still work fine. I think it might have
>something to do with the way AD in 2k3 is storing the cifs and host
>keys.
>
>[ Rick Brown ][ (404) 894-6175 ]
>[ Office of Information Technology ][ rick@oit.gatech.edu ]
>[ Georgia Institute of Technology ][ 258 4th street. Atlanta, GA ]
>

I think the only accurate test would be in a 2k environment, I have definitely seen these issues on 2k3 with the pre 1.3.x kerberos packages regardless of what version of Samba is being used.

The behavior I tend to see in a 2k3 environment is that Samba/Kerberos will work quite happily for about 90 days and then the DC will issue a ticket that the older versions of MIT kerberos can't handle. However when using 2k this really didn't appear to be a problem until upgrading to the 3.0.6 versions. Hopefully I'll be able to get a 2k environment setup soon to test against...I don't understand how the Samba package could in any way be responsible for these kerberos-like problems but that is what appears to be the case at this point.

I should also mention that Redhat's packages are somewhat different from the actual ones provided by samba.org -- I am mainly looking at this on the RHEL3 platform, however I have seen some similar issues reported by people using other distros.

Christian
On Sunday 05 September 2004 13:38, Christian Merrill wrote:
> Running into a lot of people upgrading to the 3.0.6 package that all
> of a sudden begin to experience the "Failed to verify incoming
> ticket!" errors etc., that are generally associated with a kerberos
> package incompatibility.
>
> However many of these people are running later versions of kerberos
> *and* reverting to a previous version of Samba appears to fix the
> issue. Is there something new setting wise that has taken place, is
> something really wrong with this new package, or is this all just a
> strange coincidence?
>
> Christian

I confirm the problem:
I'm running win2k SP4, AD, mixed mode, no other special conf.
The samba is 3.0.6, compiled from sources. I use winbind too.
winbind has some "krb5_cc_get_principal failed (No credentials cache found)" but nothing special.
But the samba daemon gets, for some users, "smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket" and this prevents the user from accessing their share.
The kerberos used is 1.3.4.
The 2000 domain has been started from scratch, no NT4 migration.

Emmanuel
I had some of the symptoms described in the thread at:
http://marc.theaimsgroup.com/?l=samba&m=109467105202571&w=2
which appear to have been solved by changing the value of the "valid users" parameter from '@Domain Users' to @"Domain Users".

It appears that samba 3.0.6 got very picky about how the "valid users" parameter value is defined. In my Fedora Core setup (samba 3.0.3 from FC2), I originally had

    valid users = '+Domain Users'

which worked with 3.0.3 (and 3.0.4 on my Redhat 8.0 boxes). Upgrading to 3.0.6, this stopped working. It worked when I changed it to

    valid users = @"Domain Users"

However, editing shares in swat reverts this value to '@Domain Users' and it stops working. Moreover, downgrades to 3.0.5 seem to change this value to '@Domain, Users' (note the comma) and that does not work with 3.0.5 either (hand-editing to get rid of the comma "solves" the problem).

So, now I do have samba 3.0.6 working with ADS (Win 2k, SP4) and kerberos 1.3.4 (fc2's latest update) and have to remember not to edit shares with swat.

I hope this is not just one of those flash-in-the-pan symptoms and cures, which it sure sounds like. However, I have been able to replicate the behavior I've described ...

HTH,
Murthy
I've had this problem since a Samba.org .deb package upgrade 3.0.5 to 3.0.6 on Debian stable.

Domain is ADS Windows 2000 Native - both domain controllers are W2K Server SP4. I'm using an XP SP2 PC and a Windows 2000 Server SP4 PC as clients to test (simply because they're by my desk).

Yesterday, I set up a fresh test install of Debian stable (under VMWare) and installed from source MIT Kerberos 1.3.4, OpenLDAP 2.2.15, and Samba 3.0.6 to see if it was a problem with Debian Stable's older kerberos. But I had the same problem - \\ipaddress worked, but \\name didn't.

So I removed Samba 3.0.6 via:
  stopping the daemons
  net ads leave
  make uninstall in the source dir
  manually deleting /lib/libnss_win*
  manually deleting any samba related files in /var/log & /var/run, etc.

I then downloaded and compiled Samba 3.0.5 and set it up. It was working last night, however this morning I started having the same problems...

Here's a log of a XP SP2 client failing to connect to Samba 3.0.6 test:

[2004/09/08 13:57:38, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
[2004/09/08 13:57:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/08 13:57:38, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/09/08 13:57:38, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Here's a log of a Windows 2000 Server SP4 client failing to connect to Samba 3.0.5 test:

[2004/09/09 07:50:28, 3] libads/kerberos_verify.c:ads_verify_ticket(193)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/09/09 07:50:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/09/09 07:50:28, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Thanks,
Josh
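A triage helper for the smbd log excerpts in the message above, as an added example that is not part of the original post or of Samba: it pairs each "Failed to verify incoming ticket!" (level 1) with the ads_verify_ticket reason logged just before it (level 3). The function names are hypothetical, and the layout of a header line followed by an indented message line is an assumption, since the archive has flattened the excerpts.

```python
import re

# Header of a Samba debug entry: "[timestamp, level] file:function(line)".
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
# The two ads_verify_ticket failure wordings quoted in this thread.
REASON = re.compile(r"ads_verify_ticket: (?:krb5_rd_req with auth failed \((.+)\)"
                    r"|enc type \[\d+\] failed to decrypt with error (.+))$")

def parse_entries(text):
    """Yield (timestamp, level, function, message) for each debug entry."""
    entry = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if entry:
                yield tuple(entry)
            entry = [m.group(1), int(m.group(2)), m.group(4), ""]
        elif entry and line.strip():
            entry[3] = (entry[3] + " " + line.strip()).strip()
    if entry:
        yield tuple(entry)

def ticket_failures(text):
    """Pair each failed session setup with the krb5 reason logged before it."""
    failures, reason = [], None
    for ts, level, func, msg in parse_entries(text):
        m = REASON.search(msg)
        if func == "ads_verify_ticket" and m:
            reason = m.group(1) or m.group(2)
        elif func == "reply_spnego_kerberos" and "Failed to verify incoming ticket" in msg:
            failures.append((ts, reason or "no reason logged (raise log level to 3)"))
            reason = None
    return failures

# Log lines taken from the post above, re-wrapped into the assumed two-line layout.
SAMPLE = """\
[2004/09/08 13:57:38, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown code 0)
[2004/09/08 13:57:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/09 07:50:28, 3] libads/kerberos_verify.c:ads_verify_ticket(193)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/09/09 07:50:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
"""

if __name__ == "__main__":
    for ts, why in ticket_failures(SAMPLE):
        print(ts, why)
```

Grouping failures by reason separates the "Bad encryption type" reports from the "Decrypt integrity check failed" one quoted earlier in the thread, which this thread tends to mix together.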
On Sunday 05 September 2004 13:38, Christian Merrill wrote:
> Running into a lot of people upgrading to the 3.0.6 package that all
> of a sudden begin to experience the "Failed to verify incoming
> ticket!" errors etc., that are generally associated with a kerberos
> package incompatibility.

I'm running more tests with 3.0.5 instead of 3.0.6, and it seems that 3.0.5 has some problems too.

Sometimes, a share can't be mounted when username, pass is given, but if DOMAIN\username, pass is given the share can be used!

I'll try to increase the level of logs, but I can't make a lot of changes per day, because this is a prod server.

Emmanuel