On Wed, 2012-10-03 at 10:28 +0400, Dmitry Khromov wrote: > Hello. > Samba 4.1.0pre1-GIT-aad669b, joined as a DC to an existing domain. Windows 7 > machines may fail to get a ticket: > > [2012/10/03 09:31:54, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: AS-REQ [email protected] from ipv4:192.168.1.138:49682 > for krbtgt/[email protected] > [2012/10/03 09:31:54, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: Client sent patypes: encrypted-timestamp, 128 > [2012/10/03 09:31:54, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: Looking for PKINIT pa-data -- [email protected] > [2012/10/03 09:31:54, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: Looking for ENC-TS pa-data -- [email protected] > [2012/10/03 09:31:54, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: Failed to decrypt PA-DATA -- [email protected] (enctype > aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum > type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96 > [2012/10/03 09:31:54, 3] > ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) > Kerberos: Failed to decrypt PA-DATA -- [email protected] > [2012/10/03 09:31:54, 3] > ../source4/smbd/service_stream.c:63(stream_terminate_connection) > Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - > NT_STATUS_CONNECTION_DISCONNECTED' > [2012/10/03 09:31:54, 3] > ../source4/smbd/process_single.c:104(single_terminate) > single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - > NT_STATUS_CONNECTION_DISCONNECTED]
This certainly is a worry, but perhaps you can get me some more detail: What happens when this error occurs? Does something fail on the client? Is this only shortly after a machine account password change, and pending replication? Does the client retry with the previous machine account password? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
