sysadm
2006-Nov-30 19:22 UTC
[Samba] samba 3.0.23d on ubuntu - ADS member -failed to verify ticket
I have a server with ubuntu 6.06 LTS with samba 3.0.23d (compiled against heimdal krb5) and heimdal-clients0.7.1-1ubuntu3.
I have configured samba as an ADS domain member.
Problem is that when I want to access a samba share from a windows xp domain member I keep being asked for user and password and debug level 3 shows this on log.<workstation_name> :

...
[2006/11/30 12:42:15, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
[2006/11/30 12:42:15, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2006/11/30 12:42:15, 3] smbd/sesssetup.c:reply_spnego_kerberos(207)
  Ticket name is [Administrator@APMC.LOCAL]
...

my smb.conf:
>>>>
[global]
workgroup = APMC
realm = APMC.LOCAL
server string = %h server (Samba, Ubuntu)
dns proxy = no

interfaces = 127.0.0.1/255.0.0.0 192.168.0.0/255.255.255.0 10.1.0.0/255.255.0.0 10.101.0.0/255.255.0.0

hosts allow = 10.1. 127. 192.168.0. 192.168.1. 10.101.

log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
use kerberos keytab = no
security = ADS
encrypt passwords = true
password server = pdc.apmc.local
passdb backend = tdbsam

obey pam restrictions = yes
invalid users = root

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
load printers = no
socket options = TCP_NODELAY
idmap uid = 10000-20000
idmap gid = 10000-20000

[bks$]
browseable = yes
path = /bks
public = yes
writable = yes
write list = root, @'APMC\domain users'

<<<<

My krb5.conf
>>>>>
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
default_realm = APMC.LOCAL
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5

[domain_realms]
.apmc.local = APMC.LOCAL
apmc.local = APMC.LOCAL

[realms]
APMC.LOCAL = {
kdc = pdc.apmc.local
admin_server = pdc.apmc.local
default_domain = apmc.local
}

<<<<<

I have also tried samba package from ubuntu dapper distri and MIT krb5 but with the same result.

Thank you.
sysadm
2006-Dec-01 19:43 UTC
[Samba] samba 3.0.23d on ubuntu - ADS member -failed to verify ticket
SOLVED: Error was on updating an empty keytab file so:
1. delete keytab file
2. rejoin ads domain

I lost 3 days for 2 operations... silly me

sysadm writes:
> I have a server with ubuntu 6.06 LTS with samba 3.0.23d (compiled against
> heimdal krb5) and heimdal-clients0.7.1-1ubuntu3.
> I have configured samba as an ADS domain member.
> Problem is that when I want to access a samba share from a windows xp
> domain member I keep being asked for user and password and
> debug level 3 shows this on log.<workstation_name> :
>
> ...
> [2006/11/30 12:42:15, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
>   ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
> [2006/11/30 12:42:15, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
>   ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
> [2006/11/30 12:42:15, 3] smbd/sesssetup.c:reply_spnego_kerberos(207)
>   Ticket name is [Administrator@APMC.LOCAL]
> ...
>
> my smb.conf:
> >>>>
> [global]
> workgroup = APMC
> realm = APMC.LOCAL
> server string = %h server (Samba, Ubuntu)
> dns proxy = no
>
> interfaces = 127.0.0.1/255.0.0.0 192.168.0.0/255.255.255.0 10.1.0.0/255.255.0.0 10.101.0.0/255.255.0.0
>
> hosts allow = 10.1. 127. 192.168.0. 192.168.1. 10.101.
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> use kerberos keytab = no
> security = ADS
> encrypt passwords = true
> password server = pdc.apmc.local
> passdb backend = tdbsam
>
> obey pam restrictions = yes
> invalid users = root
>
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
> load printers = no
> socket options = TCP_NODELAY
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> [bks$]
> browseable = yes
> path = /bks
> public = yes
> writable = yes
> write list = root, @'APMC\domain users'
>
> <<<<
>
> My krb5.conf
> >>>>>
> [logging]
> default = FILE:/var/log/krb5/libs.log
> kdc = FILE:/var/log/krb5/kdc.log
> admin_server = FILE:/var/log/krb5/admin.log
>
> [libdefaults]
> default_realm = APMC.LOCAL
> default_etypes = des-cbc-crc des-cbc-md5
> default_etypes_des = des-cbc-crc des-cbc-md5
>
> [domain_realms]
> .apmc.local = APMC.LOCAL
> apmc.local = APMC.LOCAL
>
> [realms]
> APMC.LOCAL = {
> kdc = pdc.apmc.local
> admin_server = pdc.apmc.local
> default_domain = apmc.local
> }
>
> <<<<<
>
> I have also tried samba package from ubuntu dapper distri and MIT krb5 but
> with the same result.
>
> Thank you.
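
Added example, not part of the original posts: a small triage script for the log symptom in this thread. It parses Samba's two-line log entries, counts ads_secrets_verify_ticket decryption failures per encryption type and lists the ticket principals seen; the function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos encryption type numbers as registered for the protocol.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# A Samba log entry is a "[timestamp, level] file:function(line)" header
# followed by the message on the next, indented line.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<where>\S+)\s*$")
FAILED = re.compile(r"enc type \[(?P<etype>\d+)\] failed to decrypt with error (?P<err>.+)$")
TICKET = re.compile(r"Ticket name is \[(?P<name>[^\]]+)\]")

def entries(text):
    """Yield (timestamp, location, message) for each header/message pair."""
    header = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m
        elif header and line.strip():
            yield header["ts"], header["where"], line.strip()
            header = None  # only the first message line is used

def triage(text):
    """Summarise ticket decryption failures and the principals seen."""
    failures, errors, principals = Counter(), set(), set()
    for _ts, where, msg in entries(text):
        f = FAILED.search(msg)
        if f and "ads_secrets_verify_ticket" in where:
            failures[ETYPES.get(int(f["etype"]), f"etype-{f['etype']}")] += 1
            errors.add(f["err"].strip())
        t = TICKET.search(msg)
        if t:
            principals.add(t["name"])
    return {"failed_etypes": dict(failures), "errors": sorted(errors),
            "principals": sorted(principals)}

# Constructed sample, modelled on the log excerpt quoted in this thread.
SAMPLE = """\
[2006/11/30 12:42:15, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
[2006/11/30 12:42:15, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2006/11/30 12:42:15, 3] smbd/sesssetup.c:reply_spnego_kerberos(207)
  Ticket name is [Administrator@APMC.LOCAL]
"""
```

Calling triage() on the text of a /var/log/samba/log.<workstation_name> file returns the same summary for a real log written at debug level 3.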