m.bland
2007-Apr-04 15:11 UTC
[Samba] Failed to verify incoming ticket! When clients use netbios names only!
Hi,

I have set up our samba box in 'ADS' mode; the problem I have is clients connecting to the server can not do so by using its netbios name. Only when they use the IP address of the machine are they able to be authenticated and browse the box.

When clients connect via the netbios name this message will appear in my samba logs with the IP of the connecting client;

"smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!"

Additionally, if a client connects successfully via the IP of the samba server, the log file is named in the client's netbios name rather than their IP.

e.g. machinenetbiosname.log will contain

[2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
  netbiosnameofmachine (192.168.16.203) signed connect to service data initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)

Can someone tell me what's happening here? ;)

thor:/var/log/samba# cat /etc/samba/smb.conf
[global]
winbind use default domain = yes
winbind separator = +
client use spnego = yes
use spnego = yes
server signing = auto
client signing = auto
netbios name = THOR
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
workgroup = DOMAIN
server string = Thor
security = ads
hosts allow = 192.168.16.
load printers = no
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = SERVER01
encrypt passwords = yes
realm = DOMAIN
passdb backend = tdbsam
local master = no
domain master = no
wins support = no
wins server = 192.168.16.3
dns proxy = no
hostname lookups = yes
name resolve order = lmhosts host wins dns bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[data]
comment =
path = /data
Valid Users = +DOMAIN+"domain users"
writeable = yes
browseable = yes

[ftp]
comment = FTP area
path = /data/ftp
Valid Users = +DOMAIN+"domain users"
writeable = yes
browseable = yes

thor:/var/log/samba# wbinfo -u
works!

wbinfo -g
works

passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files winbind
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus

cat /etc/resolv.conf
search DOMAIN.NAME
nameserver 192.168.16.3 (also the PDC)

thor:/var/log/samba# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.16.4 thor.DOMAIN.NAME thor
192.168.16.3 server01.DOMAIN.NAME server01

thor:/var/log/samba# kinit administrator@DOMAIN.NAME
administrator@DOMAIN.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

thor:/var/log/samba# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.NAME
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
krb4_get_tickets = false

[realms]
DOMAIN.NAME = {
    kdc = server01:88
}

[domain_realm]
.server01 = DOMAIN.NAME
server01 = DOMAIN.NAME

[kdc]
profile = /var/lib/heimdal-kdc/kdc.conf

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
Gerald (Jerry) Carter
2007-Apr-04 15:18 UTC
[Samba] Failed to verify incoming ticket! When clients use netbios names only!
m.bland wrote:
> thor:/var/log/samba# cat /etc/samba/smb.conf
> [global]
> workgroup = DOMAIN
> realm = DOMAIN

Are these really the same value?

...
> thor:/var/log/samba# cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN.NAME

cheers, jerry
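The comparison the reply above points at, smb.conf `realm` against `workgroup` and against krb5.conf `default_realm`, written out as an added example; it is not code from the thread or from the Samba project. The sample files are constructed (abridged from the posted configuration), and `section_params` and `check_realm` are hypothetical names.

```python
import re
# Constructed sample input, abridged from the two files posted in this thread.
SMB_CONF = """\
[global]
   workgroup = DOMAIN
   security = ads
   realm = DOMAIN
"""
KRB5_CONF = """\
[libdefaults]
   default_realm = DOMAIN.NAME
[realms]
   DOMAIN.NAME = {
      kdc = server01:88
   }
"""

def section_params(text, section):
    """Key/value pairs of one [section] in an smb.conf- or krb5.conf-style file."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            # Lower-case the parameter name and collapse runs of whitespace.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_realm(smb_text, krb5_text):
    """Findings about the realm settings of an ADS member; empty list means consistent."""
    smb = section_params(smb_text, "global")
    if smb.get("security", "").lower() != "ads":
        return []
    realm, workgroup = smb.get("realm", ""), smb.get("workgroup", "")
    default_realm = section_params(krb5_text, "libdefaults").get("default_realm", "")
    findings = []
    if realm.upper() != default_realm.upper():
        findings.append(f"smb.conf realm {realm!r} != krb5.conf default_realm {default_realm!r}")
    if realm and realm.upper() == workgroup.upper():
        findings.append(f"realm {realm!r} equals workgroup; expected the Kerberos realm name")
    return findings

if __name__ == "__main__":
    print("\n".join(check_realm(SMB_CONF, KRB5_CONF)) or "realm settings consistent")
```

To run it against a live host, pass the contents of /etc/samba/smb.conf and /etc/krb5.conf to `check_realm` in place of the constructed strings.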