[Samba] s3 connect to s4 ads woes, need guidance..

Fri, 04 May 2012 08:52:41 -0700 

I'm beating my head up against the wall here.. Need some extra eyes!!!
Setup -- Samba4 Domain Controller and samba3 print server.. DNS FlatFile,, All dns works..
Issue, When I browse to the print Server vi \\IP-Address I am able to connect just fine.. When I browse using \\netbios-name I connect to the server but it opens up a username/pass dialog box and no name or passwords will work.. 

wbinfo  -g / -u work fine.. getent passwd/group works perfectly..
I get the following snippet in the log file.. With smb.conf and krb5.conf following that..
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2012/05/04 11:45:29, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego) 
  Doing spnego session setup
[2012/05/04 11:45:29, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego) 
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:786(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket) ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed 
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:568(ads_verify_ticket)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29,  3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE 
[2012/05/04 11:45:29,  3] smbd/process.c:1459(process_smb)
  Transaction 2 of length 1764 (0 toread)
[2012/05/04 11:45:29,  3] smbd/process.c:1273(switch_message)
  switch message SMBsesssetupX (pid 14493) conn 0x0
[2012/05/04 11:45:29,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2012/05/04 11:45:29,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2012/05/04 11:45:29, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego) 
  Doing spnego session setup
[2012/05/04 11:45:29, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego) 
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:786(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket) ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed 
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:568(ads_verify_ticket)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29,  3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE 
[2012/05/04 11:45:29,  3] smbd/process.c:1459(process_smb)
  Transaction 3 of length 1764 (0 toread)
[2012/05/04 11:45:29,  3] smbd/process.c:1273(switch_message)
  switch message SMBsesssetupX (pid 14493) conn 0x0
[2012/05/04 11:45:29,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2012/05/04 11:45:29,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2012/05/04 11:45:29, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego) 
  Doing spnego session setup
[2012/05/04 11:45:29, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego) 
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29,  3] smbd/sesssetup.c:786(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket) ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed 
[2012/05/04 11:45:29,  3] libads/kerberos_verify.c:568(ads_verify_ticket)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29,  3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE 


SMB.CONF
[global]
   workgroup = ASTROINTERNAL
   realm = ASTROINTERNAL.COM
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m.log
   max log size = 50
   printcap name = cups
   printing = cups
   allow trusted domains = yes
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   #idmap backend = "ASTROINTERNAL=10000-19999"
   idmap uid = 1000-20000
   idmap gid = 1000-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash

KRB5.CONF
[libdefaults]
        default_realm = ASTROINTERNAL.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[realms]
        ASTROINTERNAL.COM = {
        kdc = astrodc1.astrointernal.com
        admin_server = astrodc1.astrointernal.com
        default_domain = astroshapes.com
        }

[domain_realm]
        .astrointernal.com = ASTROINTERNAL.COM
        astrointernal.com = ASTROINTERNAL.COM

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to