thr3ads.net - samba - [Samba] samba authenticating users via kerberos failure [Mar 2012]

If this information is useful, please help other people find it:
Share via:

Christopher Chan

2012-Mar-30 09:40 UTC

[Samba] samba authenticating users via kerberos failure

When users try to access the samba server via \\shortname, they get a 
dialog prompting them for their username and password. Access via 
\\ip.addr does not exhibit that though.

samba 3.5.13 + winbind + idmap_ldap backend

Logs from samba during attempts to access via \\shortname:

 From log.clientip
[2012/03/30 17:27:46.502131,  1] 
../../../samba-3.5.13/source3/smbd/sesssetup.c:332()
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

 From log.winbindd
[2012/03/30 17:27:01.538840,  6] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
   accepted socket 21
[2012/03/30 17:27:01.539159, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
   process_request: request fn INTERFACE_VERSION
[2012/03/30 17:27:01.539244,  3] 
../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:352()
   [14121]: request interface version
[2012/03/30 17:27:01.539382, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
   winbind_client_response_written[14121:INTERFACE_VERSION]: deliverd 
response to client
[2012/03/30 17:27:01.539525, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
   process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/03/30 17:27:01.539595,  3] 
../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:385()
   [14121]: request location of privileged pipe
[2012/03/30 17:27:01.539755, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
   winbind_client_response_written[14121:WINBINDD_PRIV_PIPE_DIR]: 
deliverd response to client
[2012/03/30 17:27:01.540017,  6] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
   accepted socket 30
[2012/03/30 17:27:01.540160,  6] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
   closing socket 21, client exited
[2012/03/30 17:27:01.540332, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
   process_request: Handling async request 14121:GETGROUPS
[2012/03/30 17:27:01.540408,  3] 
../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:60()
   getgroups root
[2012/03/30 17:27:01.540646,  5] 
../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:187()
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2012/03/30 17:27:01.540733, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
   wb_request_done[14121:GETGROUPS]: NT_STATUS_NONE_MAPPED
[2012/03/30 17:27:01.540866, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
   winbind_client_response_written[14121:GETGROUPS]: deliverd response 
to client
[2012/03/30 17:27:01.541252, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
   process_request: Handling async request 14121:GETGROUPS
[2012/03/30 17:27:01.541333,  3] 
../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:60()
   getgroups root
[2012/03/30 17:27:01.541513,  5] 
../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:187()
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2012/03/30 17:27:01.541588, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
   wb_request_done[14121:GETGROUPS]: NT_STATUS_NONE_MAPPED
[2012/03/30 17:27:01.541706, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
   winbind_client_response_written[14121:GETGROUPS]: deliverd response 
to client
[2012/03/30 17:27:01.546385,  6] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
   closing socket 30, client exited
[2012/03/30 17:27:10.089633,  6] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
   accepted socket 21
[2012/03/30 17:27:10.089909, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
   process_request: request fn INTERFACE_VERSION
[2012/03/30 17:27:10.089985,  3] 
../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:352()
   [14124]: request interface version
[2012/03/30 17:27:10.090116, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
   winbind_client_response_written[14124:INTERFACE_VERSION]: deliverd 
response to client
[2012/03/30 17:27:10.090248, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
   process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/03/30 17:27:10.090317,  3] 
../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:385()
   [14124]: request location of privileged pipe
[2012/03/30 17:27:10.090474, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
   winbind_client_response_written[14124:WINBINDD_PRIV_PIPE_DIR]: 
deliverd response to client
[2012/03/30 17:27:10.090775,  6] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
   accepted socket 30
[2012/03/30 17:27:10.090910,  6] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
   closing socket 21, client exited
[2012/03/30 17:27:10.091091, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
   process_request: Handling async request 14124:GETPWNAM
[2012/03/30 17:27:10.091183,  3] 
../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:55()
   getpwnam mailnull
[2012/03/30 17:27:10.091329, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd_cache.c:4805()
   Entry has timed out
[2012/03/30 17:27:10.096324,  5] 
../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:138()
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2012/03/30 17:27:10.096456, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
   wb_request_done[14124:GETPWNAM]: NT_STATUS_NONE_MAPPED
[2012/03/30 17:27:10.096618, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
   winbind_client_response_written[14124:GETPWNAM]: deliverd response to 
client
[2012/03/30 17:27:10.096905, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
   process_request: Handling async request 14124:GETPWNAM
[2012/03/30 17:27:10.096982,  3] 
../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:55()
   getpwnam sendmail
[2012/03/30 17:27:10.097107, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd_cache.c:4800()
   Entry has wrong sequence number: 15036703
[2012/03/30 17:27:10.100185,  5] 
../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:138()
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2012/03/30 17:27:10.100324, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
   wb_request_done[14124:GETPWNAM]: NT_STATUS_NONE_MAPPED
[2012/03/30 17:27:10.100483, 10] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
   winbind_client_response_written[14124:GETPWNAM]: deliverd response to 
client
[2012/03/30 17:27:10.115875,  6] 
../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
   closing socket 30, client exited

 From log.winbindd-dc
[2012/03/30 17:27:39.657484,  0] 
../../../samba-3.5.13/source3/lib/util_sock.c:1441()
   getpeername failed. Error was Transport endpoint is not connected

Does anybody have any idea just what the problem is? It was working fine 
with version 3.5.5 until it maxxed out the gid range but upgrading to 
3.5.13 has not fixed the problem even though 3.5.13 has a winbind bug 
fix that stops it from continually allocating new gids.

Christopher Chan

2012-Apr-02 04:45 UTC

head link

[Samba] samba authenticating users via kerberos failure

On Friday, March 30, 2012 05:40 PM, Christopher Chan
wrote:> When users try to access the samba server via \\shortname, they get a 
> dialog prompting them for their username and password. Access via 
> \\ip.addr does not exhibit that though.
>
> samba 3.5.13 + winbind + idmap_ldap backend
>
> Logs from samba during attempts to access via \\shortname:
>
> From log.clientip
> [2012/03/30 17:27:46.502131,  1] 
> ../../../samba-3.5.13/source3/smbd/sesssetup.c:332()
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>
> From log.winbindd
> [2012/03/30 17:27:01.538840,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
>   accepted socket 21
> [2012/03/30 17:27:01.539159, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
>   process_request: request fn INTERFACE_VERSION
> [2012/03/30 17:27:01.539244,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:352()
>   [14121]: request interface version
> [2012/03/30 17:27:01.539382, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14121:INTERFACE_VERSION]: deliverd 
> response to client
> [2012/03/30 17:27:01.539525, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/03/30 17:27:01.539595,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:385()
>   [14121]: request location of privileged pipe
> [2012/03/30 17:27:01.539755, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14121:WINBINDD_PRIV_PIPE_DIR]: 
> deliverd response to client
> [2012/03/30 17:27:01.540017,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
>   accepted socket 30
> [2012/03/30 17:27:01.540160,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
>   closing socket 21, client exited
> [2012/03/30 17:27:01.540332, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
>   process_request: Handling async request 14121:GETGROUPS
> [2012/03/30 17:27:01.540408,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:60()
>   getgroups root
> [2012/03/30 17:27:01.540646,  5] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:187()
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.540733, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
>   wb_request_done[14121:GETGROUPS]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.540866, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14121:GETGROUPS]: deliverd response 
> to client
> [2012/03/30 17:27:01.541252, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
>   process_request: Handling async request 14121:GETGROUPS
> [2012/03/30 17:27:01.541333,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:60()
>   getgroups root
> [2012/03/30 17:27:01.541513,  5] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getgroups.c:187()
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.541588, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
>   wb_request_done[14121:GETGROUPS]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:01.541706, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14121:GETGROUPS]: deliverd response 
> to client
> [2012/03/30 17:27:01.546385,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
>   closing socket 30, client exited
> [2012/03/30 17:27:10.089633,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
>   accepted socket 21
> [2012/03/30 17:27:10.089909, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
>   process_request: request fn INTERFACE_VERSION
> [2012/03/30 17:27:10.089985,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:352()
>   [14124]: request interface version
> [2012/03/30 17:27:10.090116, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14124:INTERFACE_VERSION]: deliverd 
> response to client
> [2012/03/30 17:27:10.090248, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:620()
>   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> [2012/03/30 17:27:10.090317,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_misc.c:385()
>   [14124]: request location of privileged pipe
> [2012/03/30 17:27:10.090474, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14124:WINBINDD_PRIV_PIPE_DIR]: 
> deliverd response to client
> [2012/03/30 17:27:10.090775,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:768()
>   accepted socket 30
> [2012/03/30 17:27:10.090910,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
>   closing socket 21, client exited
> [2012/03/30 17:27:10.091091, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
>   process_request: Handling async request 14124:GETPWNAM
> [2012/03/30 17:27:10.091183,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:55()
>   getpwnam mailnull
> [2012/03/30 17:27:10.091329, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_cache.c:4805()
>   Entry has timed out
> [2012/03/30 17:27:10.096324,  5] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:138()
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.096456, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
>   wb_request_done[14124:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.096618, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14124:GETPWNAM]: deliverd response 
> to client
> [2012/03/30 17:27:10.096905, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:593()
>   process_request: Handling async request 14124:GETPWNAM
> [2012/03/30 17:27:10.096982,  3] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:55()
>   getpwnam sendmail
> [2012/03/30 17:27:10.097107, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_cache.c:4800()
>   Entry has wrong sequence number: 15036703
> [2012/03/30 17:27:10.100185,  5] 
> ../../../samba-3.5.13/source3/winbindd/winbindd_getpwnam.c:138()
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.100324, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:655()
>   wb_request_done[14124:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2012/03/30 17:27:10.100483, 10] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:716()
>   winbind_client_response_written[14124:GETPWNAM]: deliverd response 
> to client
> [2012/03/30 17:27:10.115875,  6] 
> ../../../samba-3.5.13/source3/winbindd/winbindd.c:816()
>   closing socket 30, client exited
>
> From log.winbindd-dc
> [2012/03/30 17:27:39.657484,  0] 
> ../../../samba-3.5.13/source3/lib/util_sock.c:1441()
>   getpeername failed. Error was Transport endpoint is not connected
>
> Does anybody have any idea just what the problem is? It was working 
> fine with version 3.5.5 until it maxxed out the gid range but 
> upgrading to 3.5.13 has not fixed the problem even though 3.5.13 has a 
> winbind bug fix that stops it from continually allocating new gids.
log level = 10

[2012/04/02 12:41:36.727903, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at
BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728153, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at
BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728301, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at
BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728401, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at
BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728534, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at
BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728638, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1.bradbury.lan at
BRADBURY.LAN)
failed: Wrong principal in request
[2012/04/02 12:41:36.728772, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1 at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.728907, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1 at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729044, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(host/bradsuper1 at BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729178, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729310, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729445, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:221()
   ads_keytab_verify_ticket: 
krb5_rd_req_return_keyblock_from_keytab(BRADSUPER1$@BRADBURY.LAN) 
failed: Wrong principal in request
[2012/04/02 12:41:36.729572,  3] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:267()
   ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched 
keytab principals
[2012/04/02 12:41:36.729750,  3] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:589()
   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in 
request)
[2012/04/02 12:41:36.729832, 10] 
../../../samba-3.5.13/source3/libads/kerberos_verify.c:598()
   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
[2012/04/02 12:41:36.729994,  1] 
../../../samba-3.5.13/source3/smbd/sesssetup.c:332()
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/04/02 12:41:36.730087,  3] 
../../../samba-3.5.13/source3/smbd/error.c:80()
   error packet at ../../../samba-3.5.13/source3/smbd/sesssetup.c(334) 
cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

What does this mean? A configuration problem?

Christopher Chan

2012-Apr-03 05:56 UTC

head link

[Samba] samba authenticating users via kerberos failure

On Monday, April 02, 2012 12:45 PM, Christopher Chan
wrote:> On Friday, March 30, 2012 05:40 PM, Christopher Chan wrote: What does 
> this mean? A configuration problem?
Yep. thanks to Andrew Barlett, the problem was identified as kerberos 
method = system tab.

Switching back to default solved it.

samba - Mar 2012 - samba authenticating users via kerberos failure

[Samba] samba authenticating users via kerberos failure

[Samba] samba authenticating users via kerberos failure

[Samba] samba authenticating users via kerberos failure