I had a similar problem on 3.0.25 or so and up, and putting
msdfs root = yes in the global section fixed it for me.

Waltari Harri wrote:
> List,
>
> Long and confusing message follows...
> I'm facing a frustrating problem. XP clients can use resources on the
> samba server by IP-address, but not by name. So, "net view \\servername"
> gives "access denied" but "net view \\ipaddress" gives list of shared
> resources.
>
> Samba server (3.2.7 sernet rpm) is a member server in W2003 domain.
>
> I emphasise that with version 3.2.2 or 3.2.3 (around Oct..Nov 2007) and
> exactly same configuration everything did work perfectly. After that
> there has been a couple months worth of win hotfixes and upgrade to
> 3.2.7.
> I did read the change texts, but didn't find a clue there.
>
>
> Below is level 5 log when client does "net view":
>
> [2009/01/28 11:03:39, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> [2009/01/28 11:03:39, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2009/01/28 11:03:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>
> I found an entry in bugzilla
> (https://bugzilla.samba.org/show_bug.cgi?id=1010). The symptoms are the
> same but I do not have "permitted enctypes" defined in the krb5.conf.
> Like in the bugzilla entry, command line authentication works, but
> somehow samba just can't use it.
>
> # wbinfo -a userid%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> Samba does not try to communicate with the domain controllers when
> client does "net view". Here's a capture of what happens (192.168.2.6 is
> the samba server and .128 is the xp client):
> Capturing on eth0
> 0.000000 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [SYN, ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 WS=7
> 0.000792 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [ACK] Seq=1 Ack=137 Win=54 Len=0
> 0.003626 192.168.2.6 -> 192.168.2.128 SMB Negotiate Protocol Response
> 0.004591 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [ACK] Seq=197 Ack=1729 Win=100 Len=0
> 0.006558 192.168.2.6 -> 192.168.2.128 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
>
> Samba should have asked authentication from the AD DC, right?
> So I think that the tickets are cached somewhere. But where? And if they
> are, how to purge the tickets? As root only ticket klist is the one
> which was used when the system was setup. Deleting that ticket and
> renewing does not help.
>
> ------------------------------
> smb.conf:
> [global]
> log level = 5
> server string = IT-testi (Samba 3.2.7)
> workgroup = WG-NAME
> load printers = no
> realm = ORG.LOCAL
> security = ads
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> idmap domains = WG-NAME
> idmap config WG-NAME:default = yes
> idmap config WG-NAME:backend = rid
> idmap config WG-NAME:range = 100-200000
> ifmap config WG-NAME:base_rid = 1
> allow trusted domains = no
> winbind refresh tickets = true
> inherit permissions = yes
>
> ------------------------------
> krb5.conf
> kerberos works via DNS. This is based on an article (which I can't
> locate at the moment) in samba wiki.
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = ORG.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 76h
> forwardable = yes
>
> [realms]
>
> [domain_realm]
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
>
> Any help is appreciated.
>
>
> Harri
>