Re: [Samba] s3 connect to s4 ads woes, need guidance..

Aaron E. Fri, 04 May 2012 13:18:17 -0700

I found the issue was with kerberos,, I compiled from source kerberosand linked s3 to it .. set everythying up and it works .. (found thisresolution through google.. )

I assume that I'll have to do this since ubuntu doesn't update theirpackages .. lts my arse!! Might be time to switch server distros as Irun across this more and more as time goes on..



On 05/04/2012 11:54 AM, Aaron E. wrote:

I would like to add that kinit works just fine also..

On 05/04/2012 11:51 AM, Aaron E. wrote:

I'm beating my head up against the wall here.. Need some extra eyes!!!

Setup -- Samba4 Domain Controller and samba3 print server.. DNS
FlatFile,, All dns works..

Issue, When I browse to the print Server vi \\IP-Address I am able to
connect just fine.. When I browse using \\netbios-name I connect to the
server but it opens up a username/pass dialog box and no name or
passwords will work..

wbinfo -g / -u work fine.. getent passwd/group works perfectly..
I get the following snippet in the log file.. With smb.conf and
krb5.conf following that..


setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2012/05/04 11:45:29, 3]
smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/05/04 11:45:29, 3]
smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29, 3]
libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2012/05/04 11:45:29, 3] smbd/process.c:1459(process_smb)
Transaction 2 of length 1764 (0 toread)
[2012/05/04 11:45:29, 3] smbd/process.c:1273(switch_message)
switch message SMBsesssetupX (pid 14493) conn 0x0
[2012/05/04 11:45:29, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/04 11:45:29, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/05/04 11:45:29, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2012/05/04 11:45:29, 3]
smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/05/04 11:45:29, 3]
smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29, 3]
libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2012/05/04 11:45:29, 3] smbd/process.c:1459(process_smb)
Transaction 3 of length 1764 (0 toread)
[2012/05/04 11:45:29, 3] smbd/process.c:1273(switch_message)
switch message SMBsesssetupX (pid 14493) conn 0x0
[2012/05/04 11:45:29, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/05/04 11:45:29, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/05/04 11:45:29, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2012/05/04 11:45:29, 3]
smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/05/04 11:45:29, 3]
smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/05/04 11:45:29, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 1619
[2012/05/04 11:45:29, 3]
libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2012/05/04 11:45:29, 3] libads/kerberos_verify.c:568(ads_verify_ticket)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2012/05/04 11:45:29, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/05/04 11:45:29, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(344) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE


SMB.CONF
[global]
workgroup = ASTROINTERNAL
realm = ASTROINTERNAL.COM
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
printcap name = cups
printing = cups
allow trusted domains = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
#idmap backend = "ASTROINTERNAL=10000-19999"
idmap uid = 1000-20000
idmap gid = 1000-20000
;template primary group = "Domain Users"
template shell = /bin/bash

KRB5.CONF
[libdefaults]
default_realm = ASTROINTERNAL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[realms]
ASTROINTERNAL.COM = {
kdc = astrodc1.astrointernal.com
admin_server = astrodc1.astrointernal.com
default_domain = astroshapes.com
}

[domain_realm]
.astrointernal.com = ASTROINTERNAL.COM
astrointernal.com = ASTROINTERNAL.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] s3 connect to s4 ads woes, need guidance..

Reply via email to