Gerald (Jerry) Carter wrote:

> Josh T wrote:
> |
> | I then downloaded and compiled Samba 3.0.5 and
> | set it up.  It was working last night, however
> | this morning I started having the same problems...
>
> Are the clocks drifting out of sync perhaps ?  Can
> you send me a level 10 debug log of the complete
> failure?  Please also include your /etc/krb5.conf
> and smb.conf file.  Thanks.
>

Unfortunately, since it was a VMWare test machine, I have already reverted to the clean install. I then used the 3.0.5 Debian packages and Debian's MIT Kerberos 1.2.4 rather than locally compiling anything, and it's been working fine, so maybe I did something wrong or missed something when I downgraded from 3.0.6 to 3.0.5.

Anyway, I just upgraded the test machine via Debian packages to 3.0.6 and it definitely breaks - log and config files follow. Let me know if there's anything I can do to help figure this out. (Jerry - I can privately mail you full logs, etc. if you still want them - corporate policy makes me cautious about posting anything with real names/IP addresses/etc.)

Josh

(snippet from log level = 10 log.ipaddress of a Windows 2000 SP 4 client)

[2004/09/13 09:00:21, 10] lib/util.c:name_to_fqdn(2501)
name_to_fqdn: lookup for VIRTUALSMB -> VIRTUALSMB.mydomain.local.
[2004/09/13 09:00:21, 10] passdb/secrets.c:secrets_named_mutex(701)
secrets_named_mutex: got mutex for replay cache mutex
[2004/09/13 09:00:21, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/09/13 09:00:21, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/09/13 09:00:21, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/09/13 09:00:21, 10] passdb/secrets.c:secrets_named_mutex_release(713)
secrets_named_mutex: released mutex for replay cache mutex
[2004/09/13 09:00:21, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/09/13 09:00:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2004/09/13 09:00:21, 3] smbd/error.c:error_packet(129)
error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE




### Here is the result of "klist tickets" on the W2K client:
   Server: krbtgt/[EMAIL PROTECTED]
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 9/13/2004 17:24:18
      Renew Time: 9/13/2004 10:24:18

   Server: HOST/[EMAIL PROTECTED]
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 9/13/2004 10:24:18
      Renew Time: 9/13/2004 10:24:18



#### Here is /etc/samba/smb.conf:
# Global Samba settings for host VIRTUALSMB. "security = ADS" together with
# "realm" selects Active Directory / Kerberos authentication; the failing
# ticket verification in the log excerpt earlier in this message is on that
# path (reply_spnego_kerberos -> ads_verify_ticket).
[global]
        workgroup = MYDOMAIN
        netbios name = VIRTUALSMB
        security = ADS
        realm = MYDOMAIN.LOCAL
        encrypt passwords = true
        password server = DC1.MYDOMAIN.LOCAL
# Connections are accepted only from addresses starting with 192.168.1. or 127.
        hosts allow = 192.168.1. 127.
# One log file per client (%m).
        log file = /var/log/samba/log.%m
# NOTE(review): the excerpt above was captured at level 10, not 3. Level-10
# logs record host names, account names and ticket handling details, so
# sanitise them before sharing and return to a low level once debugging ends.
        log level = 3
        winbind separator = +
# Id ranges winbind may allocate for domain users and groups.
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
# NOTE(review): with this set, domain accounts appear without the MYDOMAIN+
# prefix; confirm that unqualified names cannot collide with local accounts.
        winbind use default domain = yes

# Writable share on /data. No "valid users" line is present, so access is not
# narrowed at the share level here.
# "admin users" makes every member of the listed group perform all file
# operations on this share as root, regardless of file permissions.
# NOTE(review): confirm root-equivalence for the whole group is intended; a
# "write list" / "valid users" entry is the narrower grant if it is not.
[data]
        comment = Data Files
        path = /data
        read only = no
        admin users = "@Domain Admins"

### Here is /etc/krb5.conf:
# Library defaults. The three enctype lists below allow only 3DES and
# single-DES; RC4-HMAC, which the client's krbtgt ticket uses according to the
# klist output above, is not listed.
# The enctypes tried in the log excerpt ([16], [1], [3]) correspond to this
# list. Only [3] (des-cbc-md5, the enctype of the client's HOST/ ticket)
# reaches decryption, and it fails with "Decrypt integrity check failed",
# which points at a key mismatch rather than an unsupported enctype.
# NOTE(review): presumably the stored machine key or its salt differs from
# what the KDC used - confirm against the domain controller.
# NOTE(review): des-cbc-crc and des-cbc-md5 are single-DES and weak; keep them
# only for as long as interoperability requires.
[libdefaults]
        default_realm = MYDOMAIN.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
# NOTE(review): kdc_timesync looks relevant to the clock-drift question in the
# quoted reply - confirm how the installed library version applies it.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }

# Realm definitions: KDC and admin server per realm.
# NOTE(review): the first stanza is named MORTONSS109.LOCAL, while
# default_realm in [libdefaults] and "realm" in smb.conf are MYDOMAIN.LOCAL.
# This looks like an incomplete sanitisation of the posted file; confirm that
# the real file uses the same realm name in all three places, since a stanza
# under a different name does not supply KDCs for the default realm.
# NOTE(review): the remaining stanzas (ATHENA.MIT.EDU ... DOOMCOM.ORG) appear
# to be stock sample entries unrelated to this domain; removing unused realms
# keeps the file easier to audit.
[realms]
MORTONSS109.LOCAL = {
         kdc = DC1.MYDOMAIN.LOCAL
         kdc = DC2.MYDOMAIN.LOCAL
        admin_server = DC1.MYDOMAIN.LOCAL
}

        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                kdc = kerberos-3.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CYGNUS.COM = {
                kdc = KERBEROS.CYGNUS.COM
                kdc = KERBEROS-1.CYGNUS.COM
                admin_server = KERBEROS.CYGNUS.COM
        }
        GREY17.ORG = {
                kdc = kerberos.grey17.org
                admin_server = kerberos.grey17.org
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }

# DNS-domain to realm mappings.
# NOTE(review): every entry here maps an external sample domain; nothing maps
# mydomain.local hosts to MYDOMAIN.LOCAL. Presumably realm selection falls
# back to default_realm or the upper-cased DNS domain - confirm.
[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu

# Login-program settings that enable Kerberos 4 conversion and ticket
# retrieval.
# NOTE(review): Kerberos 4 is obsolete and is probably unused when the only
# KDCs are Active Directory domain controllers - confirm, then disable.
[login]
        krb4_convert = true
        krb4_get_tickets = true





