Fredrik Lindberg
2006-Mar-22 12:49 UTC
[Samba] Authentication problems with win2k3 domain controller
Hi,

I'm having problems with samba-3.0.21b and Windows Server 2003 domain controllers. When I try to access the samba server from a client (\\sambasrv) I only get a login prompt; no username/password combination works. Accessing the samba server through its IP number instead of using the netbios name works. This, together with the log message "Failed to verify incoming ticket!", suggests this is some kind of kerberos error. Samba is linked to heimdal 0.6.3 and I've no problems getting tickets from the DCs.

My krb5.conf looks like this (with some private bits removed):

    [libdefaults]
        default_realm = MYREALM.COM
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5

    [realms]
        MYREALM.COM = {
            kdc = tcp/10.0.0.239
            default_domain = myrealm.com
        }

    [domain_realm]
        .myrealm.com = MYREALM.COM
        myrealm.com = MYREALM.COM

net ads join/leave works and testjoin returns OK. net ads lookup gives the following:

    Information for Domain Controller: dc01
    Response Type: SAMLOGON
    GUID: 0c38d942-f0a7-4ade-87ae-30b5cf9ae485
    Flags:
        Is a PDC: yes
        Is a GC of the forest: no
        Is an LDAP server: yes
        Supports DS: yes
        Is running a KDC: yes
        Is running time services: yes
        Is the closest DC: yes
        Is writable: yes
        Has a hardware clock: yes
        Is a non-domain NC serviced by LDAP server: no
    Forest: myrealm.com
    Domain: myrealm.com
    Domain Controller: dc01.myrealm.com
    Pre-Win2k Domain: MYREALM
    Pre-Win2k Hostname: DC01
    Site Name: Default-First-Site-Name
    Site Name (2): Default-First-Site-Name
    NT Version: 5
    LMNT Token: ffff
    LM20 Token: ffff

Also, winbind seems to work ok. wbinfo -u lists all the users and I can authenticate users with wbinfo -a user%pass.

This is a part of the log file generated when I try to access the samba server using its netbios name:

    [2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X(822)
      wct=12 flg2=0xc807
    [2006/03/22 11:41:46, 2] smbd/sesssetup.c:setup_new_vc_session(772)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(633)
      Doing spnego session setup
    [2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(664)
      NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
    [2006/03/22 11:41:46, 10] lib/util.c:set_remote_arch(2033)
      set_remote_arch: Client arch is 'WinXP'
    [2006/03/22 11:41:46, 10] smbd/password.c:register_vuid(182)
      register_vuid: allocated vuid = 100
    [2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
      Got OID 1 2 840 48018 1 2 2
    [2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
      Got OID 1 2 840 113554 1 2 2
    [2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(525)
      Got OID 1 3 6 1 4 1 311 2 2 10
    [2006/03/22 11:41:46, 3] smbd/sesssetup.c:reply_spnego_negotiate(528)
      Got secblob of size 1254
    [2006/03/22 11:41:46, 10] passdb/secrets.c:secrets_named_mutex(811)
      secrets_named_mutex: got mutex for replay cache mutex
    [2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
      ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
    [2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
      ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
    [2006/03/22 11:41:46, 10] passdb/secrets.c:secrets_named_mutex_release(823)
      secrets_named_mutex: released mutex for replay cache mutex
    [2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_verify_ticket(378)
      ads_verify_ticket: krb5_rd_req with auth failed (Unknown error: 0)
    [2006/03/22 11:41:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
      Failed to verify incoming ticket!
    [2006/03/22 11:41:46, 3] smbd/error.c:error_packet(146)
      error packet at smbd/sesssetup.c(182) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

I found a reference in the mail archives suggesting that I should re-join the machine. I tried that without success. I also tried the KdcUseRequestedEtypesForTickets hotfix from Microsoft; that didn't help either.

Any hints on what I could try next? All suggestions are more than welcome. Since using the IP number instead of the netbios name works, and that seemed to use NTLM authentication instead of kerberos, I would be happy with a compromise if there is a way to force clients to use NTLM authentication. I'll be happy to provide any additional information if needed.

Thank you,
Fredrik Lindberg

Here is my smb.conf:

    [global]
        workgroup = MYREALM
        server string = Samba Server
        netbios name = sambasrv01
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 50
        password server = 10.0.0.239
        realm = MYREALM.COM
        socket options = TCP_NODELAY
        wins server = 10.0.0.239
        dns proxy = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes
        winbind nested groups = Yes
        template shell = /usr/sbin/nologin
        auth methods = winbind
        nt acl support = Yes
        preserve case = Yes
        valid users = @"Domain Users"
        inherit permissions = yes

    [Volume]
        comment = Storage volume
        path = /export
        browseable = yes
        writeable = yes
        directory mask = 0775
Fredrik Lindberg
2006-Mar-22 13:36 UTC
[Samba] Authentication problems with win2k3 domain controller
Thomas Limoncelli wrote:
> Fredrik Lindberg wrote:
>> [libdefaults]
>> default_realm = MYREALM.COM
>> default_etypes = des-cbc-crc des-cbc-md5
>> default_etypes_des = des-cbc-crc des-cbc-md5
>
> Have you tried removing the last two entries?
>
> -TL

I tried to remove them and re-joined the domain but I'm still getting "Failed to verify incoming ticket". But I'm now getting several "Message size is incompatible with encryption type" for the enc types 16, 5, 3, 2 and 1. I also got a

    [2006/03/22 14:29:41, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
      ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed

Well, at least something happened :)

Fredrik Lindberg
Robert Toole
2006-Apr-05 23:35 UTC
[Samba] Authentication problems with win2k3 domain controller
> Thomas Limoncelli wrote:
>> Fredrik Lindberg wrote:
>>> [libdefaults]
>>> default_realm = MYREALM.COM
>>> default_etypes = des-cbc-crc des-cbc-md5
>>> default_etypes_des = des-cbc-crc des-cbc-md5
>>
>> Have you tried removing the last two entries?
>>
>> -TL
>
> I tried to remove them and re-joined the domain but I'm still
> getting "Failed to verify incoming ticket".
> But I'm now getting several "Message size is incompatible with
> encryption type" for the enc types 16, 5, 3, 2 and 1
> I also got a
> [2006/03/22 14:29:41, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
>   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> Well, at least something happened :)
> Fredrik Lindberg

Hi all,

I have been having the same problem: cannot connect using \\<servername> but can connect using \\<server_IP_Address>, with the following in the log.<clientname>:

    [2006/04/05 15:39:28, 0] auth/auth_util.c:make_server_info_info3(1177)
      make_server_info_info3: pdb_init_sam failed!

and the following in log.<Client_IP_Address>:

    [2006/04/05 16:24:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!

I have also noticed that only Windows XP clients are affected; connecting from Win2000 and W2003 works ok, and putting the following in smb.conf resolves it:

    client use spnego = no

Thanks to Anton Velo for the fix in his post: marc.theaimsgroup.com/?l=samba&m=110900733011271&w=2

I am using RHEL 4 U3, with the following rpms:

    samba-3.0.10-1.4E.6
    pam_krb5-2.1.8-1
    krb5-libs-1.3.4-27
    krb5-devel-1.3.4-27
    krb5-workstation-1.3.4-27

Is this a Kerberos, Samba, or RHEL problem? I have a feeling this may be a RHEL problem but I thought I'd post here as well...

thanks

--
Robert Toole
Sr. Systems Engineer
KN Logistics / Calgary
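The three log excerpts in this thread (Fredrik's first attempt with enc types 1 and 3, his second attempt after dropping the DES-only default_etypes, and Robert's log.<Client_IP_Address>) all end in "Failed to verify incoming ticket!", but the per-etype lines that ads_secrets_verify_ticket() logs just before it tell two different stories. "Message size is incompatible with encryption type" means the key Samba tried has a different etype than the ticket (no real decrypt was even possible), whereas "Decrypt integrity check failed" on etype 23 means Samba holds an rc4-hmac key of the right etype but its bytes do not match what the KDC used, which points at a stale machine-account secret rather than a missing etype. The script below is an added example, not code from the thread or from the Samba project: it groups smbd log records, extracts those etype errors and classifies the failure so an admin can pick between re-joining (key mismatch) and fixing the etype configuration (no matching etype) instead of disabling SPNEGO. The sample logs are constructed from the lines quoted above and shortened (the second one keeps only etypes 16, 1 and 23 of the five Fredrik listed); the etype number table is the standard Kerberos registry.

```python
"""Classify Samba "Failed to verify incoming ticket!" failures from smbd logs."""
import re

# Standard Kerberos encryption-type numbers (RFC 3961 / IANA registry).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    5: "des3-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Record header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] (?P<loc>\S+)$"
)
# Per-key attempt logged by ads_secrets_verify_ticket().
ETYPE_FAIL_RE = re.compile(
    r"enc type \[(?P<etype>\d+)\] failed to decrypt with error (?P<err>.+?)\s*$"
)
TICKET_REJECTED = "Failed to verify incoming ticket"


def parse_samba_log(text):
    """Split smbd log text into records: one header line followed by one or
    more message lines. Returns dicts with ts, level, loc and msg."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "loc": m["loc"], "msg": []}
            records.append(current)
        elif current is not None:          # continuation of the message
            current["msg"].append(line)
    for rec in records:
        rec["msg"] = " ".join(rec["msg"])
    return records


def diagnose_ticket_failures(records):
    """Return the etype errors seen and a verdict:
    'key-mismatch'       a local key has the ticket's etype but does not
                         match (integrity check failed) -> stale machine
                         account secret, re-join the domain;
    'no-matching-etype'  every local key had another etype than the ticket
                         -> look at default_etypes / the keys Samba holds;
    'ok'                 no ticket rejection in this log."""
    failures, rejected = [], False
    for rec in records:
        if TICKET_REJECTED in rec["msg"]:
            rejected = True
        m = ETYPE_FAIL_RE.search(rec["msg"])
        if m:
            etype = int(m["etype"])
            failures.append((etype, ETYPE_NAMES.get(etype, "unknown"), m["err"]))
    if not rejected:
        verdict = "ok"
    elif any("integrity check failed" in err.lower() for _, _, err in failures):
        verdict = "key-mismatch"
    elif failures:
        verdict = "no-matching-etype"
    else:
        verdict = "rejected-unknown-cause"
    return {"ticket_rejected": rejected, "etype_failures": failures, "verdict": verdict}


# Constructed samples, shortened from the excerpts quoted in this thread.
SIZE_ERR = "Message size is incompatible with encryption type"
SAMPLE_FIRST_ATTEMPT = f"""\
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error {SIZE_ERR}
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error {SIZE_ERR}
[2006/03/22 11:41:46, 3] libads/kerberos_verify.c:ads_verify_ticket(378)
  ads_verify_ticket: krb5_rd_req with auth failed (Unknown error: 0)
[2006/03/22 11:41:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
  Failed to verify incoming ticket!
"""
SAMPLE_AFTER_REMOVING_ETYPES = f"""\
[2006/03/22 14:29:41, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error {SIZE_ERR}
[2006/03/22 14:29:41, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error {SIZE_ERR}
[2006/03/22 14:29:41, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2006/03/22 14:29:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
  Failed to verify incoming ticket!
"""

if __name__ == "__main__":
    for name, sample in (("first attempt", SAMPLE_FIRST_ATTEMPT),
                         ("after removing default_etypes", SAMPLE_AFTER_REMOVING_ETYPES)):
        result = diagnose_ticket_failures(parse_samba_log(sample))
        print(f"{name}: verdict={result['verdict']}")
        for etype, ename, err in result["etype_failures"]:
            print(f"  etype {etype:>2} ({ename}): {err}")
```

To run it against a real server, call parse_samba_log() on the contents of the per-client log (log.%m as configured above; the etype lines only appear at log level 3 or higher). The verdict is deliberately based on the error text rather than on the etype numbers, so it does not change when a site has AES keys (17/18) in play.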