[Samba] Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE
Hi.

We are migrating from domain ad.adc.com to ad.xyz.com; there is a trust between the two domains. Before the move the file server was working perfectly. Post migration I get the following in the Samba logs:

    [2013/08/19 08:07:15.961679, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2013/08/19 08:07:25.983662, 1] smbd/process.c:457(receive_smb_talloc)
      receive_smb_raw_talloc failed for client 192.168.01.168 read error = NT_STATUS_CONNECTION_RESET.
    [2013/08/19 11:19:26.308406, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2013/08/19 11:19:26.355646, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2013/08/19 11:19:39.835641, 1] smbd/process.c:457(receive_smb_talloc)
      receive_smb_raw_talloc failed for client 192.168.01.168 read error = NT_STATUS_CONNECTION_RESET.

And on the Windows client I get prompted for username and password; it won't accept any of the ones I have provided.

My workstation and the others that can't access it are all on the new domain as the file server (ad.xyz.com).

I have a number of other file servers migrated to ad.xyz.com and they are fine.

I have googled and found the issue is related to Kerberos. I have updated the DNS to ensure that the server's hostname resolves correctly in both forward and reverse lookups. I have noted that /etc/krb5.conf is very different between the working servers and the broken one, but I don't know much about Kerberos so I'm lost.

I have updated to:

    pbis  : 7.0.918
    samba : 3.6.6-0.129.el5
    krb5  : 1.6.1-70.el5_9.2

OS is CentOS 5.3
Clients are Windows 7

Any suggestions on how to resolve this?

Thanks

[Samba] Failed to verify incoming ticket! with Windows 2003 Server
Hi, all!

I have the following environment here:

- A Windows 2000 domain, with one server running Windows 2003 Server
- A Kerberos realm, using MIT Kerberos
- A Samba server, with security=ads

The Windows 2003 server has a trust relationship with the MIT Kerberos realm. Users log on to that Kerberos realm on their Windows workstations, and are supposed to have access to the shares on the Samba server.

All of it was working perfectly until some weeks ago, when the Samba server had a hardware failure. The OS was re-installed (Fedora Core 6), the server was re-joined to the Windows domain, but now, when the users try to access the shares, they get a window asking for username and password, and the following appears in Samba's log:

--
    [2007/05/05 19:42:53, 10] passdb/secrets.c:secrets_named_mutex(779)
      secrets_named_mutex: got mutex for replay cache mutex
    [2007/05/05 19:42:53, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
      ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
    [2007/05/05 19:42:53, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
      ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
    [2007/05/05 19:42:53, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
      ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
    [2007/05/05 19:42:53, 10] passdb/secrets.c:secrets_named_mutex_release(791)
      secrets_named_mutex: released mutex for replay cache mutex
    [2007/05/05 19:42:53, 3] libads/kerberos_verify.c:ads_verify_ticket(399)
      ads_verify_ticket: krb5_rd_req with auth failed (Success)
    [2007/05/05 19:42:53, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
      Failed to verify incoming ticket!
    [2007/05/05 19:42:53, 3] smbd/error.c:error_packet(146)
      error packet at smbd/sesssetup.c(204) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
--

I also tried using a Samba server that was compiled against Heimdal Kerberos, but the result was the same.

I tried to generate the Windows server's keytab entry with 'ktpass', and import it into the Samba server's keytab (setting use kerberos keytab = yes in smb.conf), but the problem remains.

When I try to access the Samba share via smbclient, I get:

--
    smbclient -k //server/share
    Doing spnego session setup (blob length=117)
    got OID=1 2 840 113554 1 2 2
    got OID=1 2 840 48018 1 2 2
    got OID=1 3 6 1 4 1 311 2 2 10
    got principal=cifs/[EMAIL PROTECTED]
    Doing kerberos session setup
    ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Sun, 06 May 2007 05:53:09 BRT
    ads_krb5_mk_req: Ticket (cifs/[EMAIL PROTECTED]) in ccache (FILE:/tmp/krb5cc_0) is valid until: (Sun, 06 May 2007 05:53:09 BRT - 1178441589)
    Got KRB5 session key of length 16
    write_socket(5,1364)
    write_socket(5,1364) wrote 1364
    read_socket_with_timeout: timeout read. EOF from client.
    receive_smb_raw: length 0!
    client_receive_smb failed
    size=0
--

and a login failed message. After the attempt, the following principals get cached:

    Valid starting     Expires            Service principal
    05/05/07 19:53:04  05/06/07 19:53:03  krbtgt/[EMAIL PROTECTED]
    05/05/07 19:53:09  05/06/07 19:53:03  krbtgt/[EMAIL PROTECTED]
    05/05/07 19:53:09  05/06/07 05:53:09  cifs/[EMAIL PROTECTED]

The only way our users can access the shares on the Samba server is by logging in to the Windows 2003 domain.

Googling around, I found various issues concerning incompatibilities between Windows 2003 and Samba/Kerberos tickets. I tried various suggestions, such as forcing the Samba server's computer account on Windows 2003 to use only DES crypt, mapping the computer account to a user account and so on, but none of them worked for me.

Any ideas?

(sorry for the long e-mail, and my bad English)

Thanks in advance!

Rodolfo

Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!
Hi,

the "Failed to join domain: Type or value exists" is caused when the machine_name is equal to the fqdn. This is the case, e.g., if the /etc/hosts file contains only the short name. The server reports the error and net aborts although the join itself was successful.

There are several issues with the hostname vs. domainname thing under Linux, e.g. the missing driver listings when using the fqdn to access the Samba server.

I've added a getdomainname() call in the get_mydnsfullname() function in lib/util.c if the gethostname() call does not contain a ".". Then the comparison in is_myname() succeeds and the drivers are listed. But the manpage says getdomainname() is *not* POSIX.

So this all might end in a configuration issue of the hostname.

Regards,
~ Martin

Hansjörg Maurer wrote:
> Hi
> we see the similar messages too.
>
> Gerald (Jerry) Carter wrote:
>> m.bland wrote:
>>> thor:/var/log/samba# cat /etc/samba/smb.conf
>>> [global]
>>>     workgroup = DOMAIN
>>>     realm = DOMAIN
>>
>> Are these really the same value ?
>
> do they have to?
> When I try to set them to the same value I get the following
> message when joining the domain.
>
>     [EMAIL PROTECTED] root]# net ads join -U Admin
>     Admin's password:
>     The workgroup in /etc/samba/smb.conf does not match the short
>     domain name obtained from the server.
>     Using the name [DOMNAME] from the server.
>     You should set workgroup = DOMNAME in /etc/samba/smb.conf.
>     Using short domain name -- DOMNAME
>     Failed to set servicePrincipalNames. Please ensure that
>     the DNS domain of this server matches the AD domain,
>     Or rejoin with using Domain Admin credentials.
>     Deleted account for 'RMVBS02' in realm 'REALM'
>     Failed to join domain: Type or value exists
>
> But we have a DNS not matching the REALM.
> Could this lead to this problem?
> (the above join only works with net rpc join, even while User Admin
> has full rights on the domain)
>
> Greetings
> hansjörg
>
>> ...
>>> thor:/var/log/samba# cat /etc/krb5.conf
>>> [libdefaults]
>>>     default_realm = DOMAIN.NAME
>>
>> cheers, jerry

--
Martin Zielinski [EMAIL PROTECTED]
Software Development
SEH Computertechnik GmbH www.seh.de

Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!
Hi
we see the similar messages too.

Gerald (Jerry) Carter wrote:
> m.bland wrote:
>> thor:/var/log/samba# cat /etc/samba/smb.conf
>> [global]
>>     workgroup = DOMAIN
>>     realm = DOMAIN
>
> Are these really the same value ?

do they have to?
When I try to set them to the same value I get the following message when joining the domain.

    [EMAIL PROTECTED] root]# net ads join -U Admin
    Admin's password:
    The workgroup in /etc/samba/smb.conf does not match the short
    domain name obtained from the server.
    Using the name [DOMNAME] from the server.
    You should set workgroup = DOMNAME in /etc/samba/smb.conf.
    Using short domain name -- DOMNAME
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for 'RMVBS02' in realm 'REALM'
    Failed to join domain: Type or value exists

But we have a DNS not matching the REALM.
Could this lead to this problem?
(the above join only works with net rpc join, even while User Admin has full rights on the domain)

Greetings
hansjörg

> ...
>> thor:/var/log/samba# cat /etc/krb5.conf
>> [libdefaults]
>>     default_realm = DOMAIN.NAME
>
> cheers, jerry

--
Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
in der Helmholtz-Gemeinschaft
Institut fuer Robotik und Mechatronik
Dr. Hansjörg Maurer
LAN- und Systemmanager
Münchner Strasse 20
82234 Wessling
Germany
Telefon: 08153/28-2431
Telefax: 08153/28-1134
E-Mail: [EMAIL PROTECTED]
Internet: http://www.robotic.dlr.de/

There are 10 types of people in this world, those who understand binary and those who don't.

[Samba] Failed to verify incoming ticket! When clients use netbios names only!
Hi,

I have set up our Samba box in 'ADS' mode; the problem I have is that clients connecting to the server cannot do so by using its NetBIOS name. Only when they use the IP address of the machine are they able to be authenticated and browse the box.

When clients connect via the NetBIOS name, this message will appear in my Samba logs with the IP of the connecting client:

    smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!

Additionally, if a client connects successfully via the IP of the Samba server, the log file is named after the client's NetBIOS name rather than their IP, e.g. machinenetbiosname.log will contain

    [2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
      netbiosnameofmachine (192.168.16.203) signed connect to service data initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)

Can someone tell me what's happening here? ;)

    thor:/var/log/samba# cat /etc/samba/smb.conf
    [global]
        winbind use default domain = yes
        winbind separator = +
        client use spnego = yes
        use spnego = yes
        server signing = auto
        client signing = auto
        netbios name = THOR
        idmap uid = 1-2
        idmap gid = 1-2
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        workgroup = DOMAIN
        server string = Thor
        security = ads
        hosts allow = 192.168.16.
        load printers = no
        cups options = raw
        log file = /var/log/samba/%m.log
        max log size = 50
        password server = SERVER01
        encrypt passwords = yes
        realm = DOMAIN
        passdb backend = tdbsam
        local master = no
        domain master = no
        wins support = no
        wins server = 192.168.16.3
        dns proxy = no
        hostname lookups = yes
        name resolve order = lmhosts host wins dns bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    [data]
        comment =
        path = /data
        Valid Users = +DOMAIN+domain users
        writeable = yes
        browseable = yes

    [ftp]
        comment = FTP area
        path = /data/ftp
        Valid Users = +DOMAIN+domain users
        writeable = yes
        browseable = yes

    thor:/var/log/samba# wbinfo -u
    works!
    wbinfo -g
    works

    passwd: files winbind
    shadow: files winbind
    group: files winbind
    #hosts: db files nisplus nis dns
    hosts: files winbind
    # Example - obey only what nisplus tells us...
    #services: nisplus [NOTFOUND=return] files
    #networks: nisplus [NOTFOUND=return] files
    #protocols: nisplus [NOTFOUND=return] files
    #rpc: nisplus [NOTFOUND=return] files
    #ethers: nisplus [NOTFOUND=return] files
    #netmasks: nisplus [NOTFOUND=return] files
    bootparams: nisplus [NOTFOUND=return] files
    ethers: files
    netmasks: files
    networks: files
    protocols: files winbind
    rpc: files
    services: files winbind
    netgroup: files winbind
    publickey: nisplus
    automount: files winbind
    aliases: files nisplus

    cat /etc/resolv.conf
    search DOMAIN.NAME
    nameserver 192.168.16.3 (also the PDC)

    thor:/var/log/samba# cat /etc/hosts
    127.0.0.1 localhost.localdomain localhost
    192.168.16.4 thor.DOMAIN.NAME thor
    192.168.16.3 server01.DOMAIN.NAME server01

    thor:/var/log/samba# kinit administrator@ mailto:[EMAIL PROTECTED] DOMAIN.NAME
    mailto:[EMAIL PROTECTED]'s administrator@ mailto:[EMAIL PROTECTED] DOMAIN.NAME mailto:[EMAIL PROTECTED]'s 's Password:
    kinit: NOTICE: ticket renewable lifetime is 1 week

    thor:/var/log/samba# cat /etc/krb5.conf
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        default_realm = DOMAIN.NAME
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        forwardable = yes
        krb4_get_tickets = false

    [realms]
        DOMAIN.NAME = {
            kdc = server01:88
        }

    [domain_realm]
        .server01 = DOMAIN.NAME
        server01 = DOMAIN.NAME

    [kdc]
        profile = /var/lib/heimdal-kdc/kdc.conf

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }

Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!
m.bland wrote:
> thor:/var/log/samba# cat /etc/samba/smb.conf
> [global]
>     workgroup = DOMAIN
>     realm = DOMAIN

Are these really the same value ?

> ...
> thor:/var/log/samba# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = DOMAIN.NAME

cheers, jerry

Re: [Samba] Failed to verify incoming ticket
Brian Atkins wrote:
> In the samba client logs I see:
> [2007/01/12 19:56:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
>   Failed to verify incoming ticket!
> ...
> KRB5.CONF:
> ==
> [libdefaults]
>     default_realm = MYDOMAIN.COM
>     ticket_lifetime = 2400
>     clockskew = 300
>     default_tkt_enctypes = des-cbc-crc des-cbc-md5
>     default_tgs_enctypes = des-cbc-crc des-cbc-md5

You need to add rc4-hmac.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

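The two checks Jerry's replies in this thread point at (smb.conf realm versus krb5.conf default_realm, and an enctype list that omits rc4-hmac), as an added example that is not part of the original posts: a small Python audit of the two files. The function names, the alias table and the sample configuration (constructed by combining values posted in the thread) are assumptions of this example.

```python
import re

# Names MIT Kerberos accepts for the same RC4 encryption type (etype 23).
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}

# Constructed sample input, combining values from two posts in the thread.
SAMPLE_KRB5 = """
[libdefaults]
    default_realm = DOMAIN.NAME
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
[realms]
    DOMAIN.NAME = {
        kdc = server01:88
    }
"""
SAMPLE_SMB = """
[global]
    workgroup = DOMAIN
    realm = DOMAIN
    security = ads
"""


def parse_sections(text):
    """Parse krb5.conf / smb.conf style text into {section: {key: value}}.

    Keys are lower-cased with inner whitespace collapsed; nested
    "{ ... }" blocks (krb5.conf [realms], [appdefaults]) are skipped.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:  # inside a { } block: only track nesting
            depth += line.count("{") - line.count("}")
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            if value.strip().endswith("{"):
                depth = 1
                continue
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def audit(krb5_text, smb_text, required="rc4-hmac"):
    """Return a list of findings; an empty list means both checks passed."""
    krb5 = parse_sections(krb5_text).get("libdefaults", {})
    smb = parse_sections(smb_text).get("global", {})
    findings = []

    # An explicit enctype list restricts what the library will request and
    # accept; if it omits the type the KDC issues, ticket decryption fails.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if key not in krb5:
            continue  # unset: the library's built-in list applies
        names = re.split(r"[,\s]+", krb5[key].lower())
        listed = {ALIASES.get(n, n) for n in names if n}
        if required not in listed:
            findings.append(f"krb5.conf {key} omits {required}: {sorted(listed)}")

    # With security = ads, realm is the Kerberos realm and workgroup is the
    # short domain name; realm should agree with krb5.conf default_realm.
    realm = smb.get("realm", "")
    default_realm = krb5.get("default_realm", "")
    if realm.upper() != default_realm.upper():
        findings.append(
            f"smb.conf realm '{realm}' differs from krb5.conf "
            f"default_realm '{default_realm}'"
        )
    if realm and realm.upper() == smb.get("workgroup", "").upper():
        findings.append(f"smb.conf workgroup and realm are both '{realm}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_KRB5, SAMPLE_SMB):
        print("FINDING:", finding)
```

The `required` parameter exists because the enctype a KDC issues depends on its version: the 2007 posts needed rc4-hmac, while current Active Directory domains normally issue AES tickets such as aes256-cts-hmac-sha1-96.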
[Samba] Failed to verify incoming ticket
I am running Samba 3.0.23d on Gentoo. I have a particularly problematic server that is a domain member of our AD domain. After joining the domain, shares are available and user credentials work just fine. Then, suddenly for no apparent reason, it stops working. And, then again, just as quickly as the problem starts, it goes away.

I have looked at this thing as many ways as I can possibly think of, but have not yet found the culprit. From everything I've seen, the issue points to Kerberos.

I used a plain vanilla approach to join it to the domain:

Installed samba, winbind, mit-krb5, and pam modules:

    USE="ldap kerberos winbind pam" emerge samba

Edited krb5.conf (see below) and ran:

    kinit administrator

klist reveals:

    klist: You have no tickets cached
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    01/12/07 19:46:02  01/12/07 20:26:02  krbtgt/[EMAIL PROTECTED]

Edited nsswitch.conf (see below).

Edited smb.conf (see below) and ran:

    net ads join -U adminstrator

and got:

    Using short domain name -- MYDOMAIN
    Joined 'TESTBOX' to realm 'MYDOMAIN.COM'

I started Samba:

    /etc/init.d/samba start
     * samba - start: smbd ...     [ ok ]
     * samba - start: nmbd ...     [ ok ]
     * samba - start: winbind ...  [ ok ]

However, accessing a share from a Windows machine (the version doesn't appear to matter), I get prompted for credentials. Upon entering them, I get "Logon failed". As I write this, I have an XP box that is allowing me to access the share, but a 2K3 server that fails with the same credentials. If I use the IP address, it succeeds every time.

In the samba client logs I see:

    [2007/01/12 19:56:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
      Failed to verify incoming ticket!

Occasionally in log.winbind I get:

    [2007/01/12 19:22:18, 1] nsswitch/winbindd_ads.c:query_user_list(218)
      Not a user account? atype=0x3000

I also see some weirdness with wbinfo. When displaying users, I see only user accounts, while on my other servers, I see user and computer accounts.

KRB5.CONF:
==
    [libdefaults]
        default_realm = MYDOMAIN.COM
        ticket_lifetime = 2400
        clockskew = 300
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        forwardable = true
        dns_lookup_kdc = false
        dns_lookup_realm = false
        kdc_timesync = true

    [realms]
        MYDOMAIN.COM = {
            kdc = dcm.mydomain.com
            admin_server = dcm.mydomain.com
            default_domain = mydomain.com
        }

    [domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

SMB.CONF:
=
    [global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        netbios name = TESTBOX
        server string = TESTBOX
        interfaces = 192.168.1.28 127.
        bind interfaces only = yes
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 8164
        name resolve order = hosts wins bcast
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        os level = 5
        preferred master = no
        local master = no
        domain master = no
        dns proxy = no
        wins proxy = no
        wins server = 192.168.1.124
        template shell = /bin/bash
        unix extensions = no
        template home dir = /home/%D/%U
        winbind enum users = yes
        winbind uid = 1-2
        winbind gid = 1-2
        winbind enum groups = yes
        winbind separator = +
        winbind use default domain = yes
        encrypt passwords = yes
        hosts allow = 192.168. 127.
        load printers = no
        smb ports = 139

NSSWITCH.CONF:
==
    passwd: compat winbind
    shadow: compat
    group: compat winbind
    hosts: files dns wins
    networks: files dns
    services: db files
    protocols: db files
    rpc: db files
    ethers: db files
    netmasks: files
    netgroup: files
    bootparams: files
    automount: files
    aliases: files

--
Brian

[Samba] Failed to verify incoming ticket!
Hi all,

I have configured Samba 3.0.10 to act as a file server (RHEL4) in a Windows 2000 AD domain. I have also configured Kerberos 1.3.4 for authentication between the W2K PDC and the Samba box. wbinfo -u and -g work fine.

My problem is that I cannot connect to the Samba server via Windows Browser, Network Neighbourhood, Windows Explorer etc. When I try to connect I am prompted with a User/Password dialog box which says

    Incorrect password or unknown username for: \\SambaFileServer

Another thing to mention: there is another clue in /var/log/samba/W2K_PDC-IPAddress.log

    smbd7sesssetup.c:reply_;spnego_kerberos(173)
      Failed to verify incoming ticket!

If I go to Start/Run and type the Samba server's IP address, I can connect to the shares on it without any problem.

What is wrong? An ASAP response will be appreciated.

Thanks,

Re: [Samba] Failed to verify incoming ticket!
Linefeed Feed wrote:
> Hi all,
>
> I have configured Samba 3.0.10 to act as a file server(RHEL4)
> in Windows 2000 AD domain. I have also configured Kerberos 1.3.4
> for authentication between W2K PDC and Samba box. wbinfo -u and -g
> works fine. My problem is that I cannot connect Samba Server via
> Windows Browser, Network Neighborhood, Windows Explorer etc.
> When I try to connect I prompted User/Password dialog box which says
> Incorrect password or unknown username for: \\SambaFileServer
> ...
> Failed to verify incoming ticket!

There is some krb5 failure, but you don't give enough information to know what.

> If I go to Start/Run and write Samba Server's IP adress
> I can connect to shares on that without any problem.

The client is falling back to NTLM authentication in this case.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

Re: [Samba] Failed to verify incoming ticket!
Hi Gerald,

That is what I want to know: what causes that problem. Because when I connect from Start\Run with the IP address of the Samba box I don't have any problem, but with the NetBIOS name I do.

Another thing (as I sent to the samba list): if I change the parameter netbios name = Diferent_from_SambaHostName, I can connect to the Samba server with the NetBIOS name without any problem.

What is wrong? Misconfigured smb.conf, krb5.conf or other?

Thanks for your response,

[Samba] Failed to verify incoming ticket
Good day all!

I've got four samba servers up and running perfectly and I went to add a fifth box using the exact same steps and operating system but ran into a problem. I can't map a drive by name (\\Mustang\Support) but I can go by IP (\\10.0.0.23\Support). I found a snipped posting that said try the IP and it worked.

In my logs when I try and go by hostname I see the errors "Failed to verify incoming ticket". I guess I missed something in the setup but I've been back through it several times.

What am I doing wrong, how do I fix this?

Thanks!

-brian

Brian D. McGrew { [EMAIL PROTECTED] || [EMAIL PROTECTED] }
---
Those of you who think you know it all, really annoy those of us who do!

Re: [Samba] Failed to verify incoming ticket
On Fri Jul 30 17:10:45 2004 nuno.silva at novabase.pt (Nuno Silva) wrote:
>> I'm trying to get Samba 3.0.2 working against a Windows 2003 Active
>> Directory. I can join the Linux box (RedHat Advanced Server) to the
>> domain using net ads join and it appears in the Windows machine's
>> Users and Computers snap in but when trying to map a drive from
>> Windows you just get a continuous password dialog bog and on the
>> Linux box Samba produces the following error in the Samba log:
>> Smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
>
> This is probably a problem with your kerberos version.

I have been having the very same problem and managed to solve this. I'm posting an answer to this question so that others can find this if needed. (I'm not subscribed to the list, so please CC follow-ups if needed.)

The problem is, as you said, with the Kerberos version. I first used MIT's implementation of Kerberos. Samba clients could correctly access my Samba server (and I could see the KRB requests going to and from the Win2k AD server), but as soon as I tried to do the same with a Windows-based client, nothing worked: the Windows box kept asking for a valid user/pass even though the given ones were correct, and I got the same failed tickets entries in my smbd logs.

I solved the problem by compiling Samba (3.0.7) against Heimdal Kerberos instead of MIT. As far as I understand the problem, this is due to MIT not supporting the kind of encryption the Windows client is using to get the tickets (this explains the problem not occurring with Samba clients).

Here is my smb.conf, in case it's needed:

-
    password server = ADVSERV
    security = ADS
    realm = EXAMPLE.COM
    encrypt passwords = yes
    client use spnego = no
    username map = /usr/local/samba-ads/lib/username_map
    workgroup=EXAMPLE
    auth methods = winbind
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 1-2
    idmap gid = 1-2

    [tmp]
        path = /tmp
        browsable = yes
        writeable = yes
        preserve case = yes

    [homes]
        comment = Home Directories
        valid users = %S
        force user = %S
        writable = yes
        guest ok = no
        browseable = no
-

And (roughly) the process I followed to register the machine was:

    # kinit [EMAIL PROTECTED]
    [EMAIL PROTECTED]'s Password:
    kinit: NOTICE: ticket renewable lifetime is 1 week

    # klist -v
    Credentials cache: FILE:/tmp/krb5cc_0
    Principal: [EMAIL PROTECTED]
    Cache version: 4

    Server: krbtgt/[EMAIL PROTECTED]
    Ticket etype: arcfour-hmac-md5
    Auth time: Oct 28 14:38:00 2004
    End time: Oct 29 00:38:00 2004
    Renew till: Nov 4 13:38:00 2004
    Ticket flags: renewable, initial, pre-authenticated
    Addresses: IPv4:172.20.0.133

    # net ads join
    Using short domain name -- EXAMPLE
    Joined 'FOO' to realm 'EXAMPLE.COM'

    # klist -v
    Credentials cache: FILE:/tmp/krb5cc_0
    Principal: [EMAIL PROTECTED]
    Cache version: 4

    Server: krbtgt/[EMAIL PROTECTED]
    Ticket etype: arcfour-hmac-md5
    Auth time: Oct 28 14:38:00 2004
    End time: Oct 29 00:38:00 2004
    Renew till: Nov 4 13:38:00 2004
    Ticket flags: renewable, initial, pre-authenticated
    Addresses: IPv4:172.20.0.133

    Server: [EMAIL PROTECTED]
    Ticket etype: arcfour-hmac-md5
    Auth time: Oct 28 14:38:00 2004
    Start time: Oct 28 14:40:10 2004
    End time: Oct 29 00:38:00 2004
    Ticket flags: pre-authenticated, ok-as-delegate
    Addresses: IPv4:172.20.0.133

    Server: kadmin/[EMAIL PROTECTED]
    Ticket etype: arcfour-hmac-md5
    Auth time: Oct 28 14:38:00 2004
    Start time: Oct 28 14:40:10 2004
    End time: Oct 29 00:38:00 2004
    Ticket flags: pre-authenticated
    Addresses: IPv4:172.20.0.133

At this point, I could have Windows-using users connect to the Samba server, and mapped to Unix users thanks to the username map.

--
Olivier Mehani [EMAIL PROTECTED]
FreeALter Soft/Linbox - Paris
http://www.linbox.com

[Samba] Failed to verify incoming ticket
Hi,

I'm trying to get Samba 3.0.2 working against a Windows 2003 Active Directory. I can join the Linux box (RedHat Advanced Server) to the domain using net ads join and it appears in the Windows machine's Users and Computers snap-in, but when trying to map a drive from Windows you just get a continuous password dialog box, and on the Linux box Samba produces the following error in the Samba log:

    Smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!

Here is smb.conf:

    ###
    #=== Global Settings =
    [global]
        workgroup = w2k3
        netbios name = fs
        server string = Samba Server
        log file = /var/log/samba/smbd.log
        max log size = 50
        security = ads
        realm = W2K3.TEST
        client use spnego = yes
        use spnego = yes
        client signing = yes
        server signing = yes
        encrypt passwords = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    ;   local master = no
    ;   os level = 33
        dns proxy = no

    # Share Definitions ==
    [homes]
        comment = Home Directories
        browseable = no
        writable = yes
    ##

And here's krb5.conf:

    ##
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    #   ticket_lifetime = 24000
        default_realm = W2K3.TEST
    #   dns_lookup_realm = false
    #   dns_lookup_kdc = false

    [realms]
        W2K3.TEST = {
            kdc = test-dc.w2k3.test:88
            admin_server = test-dc.w2k3.test:749
            default_domain = w2k3.test
        }

    [domain_realm]
        .w2k3.test = W2K3.TEST
        w2k3.test = W2K3.TEST

    [kdc]
    #   profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }
    ##

Thanks,
Mark

--
Mark Warbeck
Systems Engineer
Engineering Science and Mechanics
Virginia Tech
323A Norris Hall
Mail Code 0219
Blacksburg, VA 24061
540.231.7489

RE: [Samba] Failed to verify incoming ticket
Hi,

This is probably a problem with your kerberos version.

Try mapping with ip address like this:

    C:\> net use t: \\10.10.10.1\teste

_
Nuno Silva
Engineering Solutions / Enterprise Computing

Re: [Samba] Failed to verify incoming ticket!
> From: John H Terpstra [mailto:[EMAIL PROTECTED]
>
> This possibly means that your version of Kerberos is not able to handle the requirements of the Windows server you are trying to negotiate the join with. If you are using SuSE Linux your samba-3.x should be linked with the latest Heimdal, if Red Hat you need to link against MIT 1.3.1.

Thank you John for your help. One more question: why should I use different kerberos-libs on SuSE and RedHat?

Is there a link in the documentation or in your new samba-book?

Which version should I use with Debian woody? Or, more precisely, which feature should the libkrb support (a link to documentation would make me happy)?

Thank you

Kind regards
Wolfgang Wagner
--
System Administration
Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
eMail:[EMAIL PROTECTED]
Re: [Samba] Failed to verify incoming ticket!
On Thu, 27 Nov 2003, Wolfgang Wagner wrote:

> > From: John H Terpstra [mailto:[EMAIL PROTECTED]
> >
> > This possibly means that your version of Kerberos is not able to handle the requirements of the Windows server you are trying to negotiate the join with. If you are using SuSE Linux your samba-3.x should be linked with the latest Heimdal, if Red Hat you need to link against MIT 1.3.1.
>
> Thank you John for your help. One more question: why should I use different kerberos-libs on SuSE and RedHat?

SuSE ships with Heimdal. For Windows Server 2003 interoperability you need the latest version of Heimdal. Red Hat ships with MIT Kerberos, only MIT version 1.3.1 can work with Windows Server 2003. The 1.2.x versions that ship with Red Hat Linux will not work with Win2003.

You can use either Heimdal-0.6+ or MIT 1.3.x - use whichever is easiest for you. You might have a few problems trying to install MIT on top of a system that has Heimdal installed already.

> Is there a link in the documentation or in your new samba-book?

In the book, The Official Samba-3 HOWTO and Reference Guide (aka: Samba-HOWTO-Collection) there are indirect references to the configuration requirements - this will be expanded when either I get some more time, or if someone provides me with a patch to the documentation. The indirect reference is in the section 6.2 of the book, 7.2 of the HOWTO.

> Which version should I use with Debian woody? Or, more precisely, which feature should the libkrb support (a link to documentation would make me happy)?

It's up to you. I'd use MIT 1.3.1, it takes the least amount of effort to make it work.

Cheers,
John T.

> Thank you
>
> Kind regards
> Wolfgang Wagner
> --
> System Administration
> Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
> eMail:[EMAIL PROTECTED]

--
John H Terpstra
Email: [EMAIL PROTECTED]
[Samba] Failed to verify incoming ticket!
Hello,

a few people asked about this problem here, but up to now I have not seen a solution.

System: freshly installed Debian Woody with backported packages from backports.org, nothing else, only samba3 running. System is intended as replacement for our old windows-fileserver.

Situation: after installation and configuration all worked well, accessing shares works without password-checking. samba3 authenticates against an ADS, net ads join -U administrator joins the samba-server to the ADS, net ads user -U administrator gives me a list of all ADS-users.

Then I updated my system from the original debian-mirrors and backports.org, and now I get this error when a workstation accesses a share. Also, a dialog box appears on the workstation and asks for username and password.

[2003/11/25 19:19:03, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!

Winbind was not running. After restarting Winbind and accessing the share again I got in syslog these messages:

Nov 26 11:10:05 samba winbindd[26631]: [2003/11/26 11:10:05, 0] nsswitch/winbindd_util.c:rescan_trusted_domains(172)
Nov 26 11:10:05 samba winbindd[26631]: rescan_trusted_domains: Can't find my own domain!
Nov 26 11:10:50 samba smbd[26636]: [2003/11/26 11:10:50, 0] lib/username.c:map_username(128)
Nov 26 11:10:50 samba smbd[26636]: can't open username map /etc/samba/smbusers. Error No such file or directory

Ok, /etc/samba/smbusers is missing. But why?

I have no idea, where to search further. Please give me any hints.

Kind regards
Wolfgang Wagner
--
System Administration
Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
eMail:[EMAIL PROTECTED]
Re: [Samba] Failed to verify incoming ticket!
On Wed, 26 Nov 2003, Wolfgang Wagner wrote:

> Hello,
>
> a few people asked about this problem here, but up to now I have not seen a solution.
>
> System: freshly installed Debian Woody with backported packages from backports.org, nothing else, only samba3 running. System is intended as replacement for our old windows-fileserver.
>
> Situation: after installation and configuration all worked well, accessing shares works without password-checking. samba3 authenticates against an ADS, net ads join -U administrator joins the samba-server to the ADS, net ads user -U administrator gives me a list of all ADS-users.
>
> Then I updated my system from the original debian-mirrors and backports.org, and now I get this error when a workstation accesses a share. Also, a dialog box appears on the workstation and asks for username and password.
>
> [2003/11/25 19:19:03, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!

This possibly means that your version of Kerberos is not able to handle the requirements of the Windows server you are trying to negotiate the join with. If you are using SuSE Linux your samba-3.x should be linked with the latest Heimdal, if Red Hat you need to link against MIT 1.3.1.

> Winbind was not running. After restarting Winbind and accessing the share again I got in syslog these messages:
>
> Nov 26 11:10:05 samba winbindd[26631]: [2003/11/26 11:10:05, 0] nsswitch/winbindd_util.c:rescan_trusted_domains(172)
> Nov 26 11:10:05 samba winbindd[26631]: rescan_trusted_domains: Can't find my own domain!
> Nov 26 11:10:50 samba smbd[26636]: [2003/11/26 11:10:50, 0] lib/username.c:map_username(128)
> Nov 26 11:10:50 samba smbd[26636]: can't open username map /etc/samba/smbusers. Error No such file or directory
>
> Ok, /etc/samba/smbusers is missing. But why?

Did you create this file? Typical contents are:

root = Administrator

Cheers,
John T.

> I have no idea, where to search further. Please give me any hints.
>
> Kind regards
> Wolfgang Wagner
> --
> System Administration
> Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
> eMail:[EMAIL PROTECTED]

--
John H Terpstra
Email: [EMAIL PROTECTED]
[Samba] Failed to verify incoming ticket - Samba 3.0 ADS
Hi Folks

I have winbind showing all users and groups from my windows 2k3 AD, net ads join worked fine, set up a test share, changed the owner to be something from the AD through winbind and the group to 1 (Domain Users) even chmodded 777 to make sure permissions weren't a problem, but I keep getting

[2003/11/24 16:52:56, 2] smbd/sesssetup.c:setup_new_vc_session(535)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2003/11/24 16:52:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/11/24 16:52:56, 2] smbd/server.c:exit_server(558)
  Closing connections

In the logs, I have to assume this is part of the problem, also if the kinit times out I get nothing and have to reauthenticate, I currently have my pop and imap services authenticating against the AD, but I had to do a lot of buggering about on the w2k3 box with ktpass and such to get it working, so I know that it is possible to authenticate via kerberos against a w2k3AD, with preauthentication turned off. Do I need to change the passdb backend to LDAP? (as well as finding out what problem lies in the kerberos).

smb.conf

[global]
workgroup = AREALM
realm = AREALM.COM
security = ADS
password server = 192.168.0.42
encrypt passwords = yes
log level = 2
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
client use spnego = yes

[export]
comment = Test Share
path = /export/test
admin users = Administrator
read list = AUSER
write list = AUSER
read only = No
create mask = 0700
directory mask = 0700

[EMAIL PROTECTED] export]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@AREALM.COM

Valid starting     Expires            Service principal
11/24/03 16:30:14  11/25/03 02:28:48  krbtgt/AREALM.COM@AREALM.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Any help gratefully accepted,

Rgds
Alex Needham
Stealth IT Bloke, Intersystems
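
The smbd log records quoted in the posts above can be counted mechanically to find when the ticket failures began, for instance to line them up with a package update. The following is an added example, not code from any list post or from Samba; the sample log text is constructed, and handling of the `file:line(function)` header variant and of syslog-prefixed lines goes beyond the plain 2003 records.

```python
import re
from collections import Counter
from datetime import datetime

# Record header: "[date time(.usec), level] file:function(line)".
# Some Samba versions print the last two fields as "file:line(function)".
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*(\d+)\]\s+"
    r"[\w./-]+:(\w+)\((\w+)\)\s*(.*)"
)
NEEDLE = "Failed to verify incoming ticket"

def parse_records(text):
    """Fold each header line and its message lines into one record."""
    records = []
    for raw in text.splitlines():
        m = HEADER.search(raw)  # search() tolerates a syslog prefix
        if m:
            ts, level, a, b, rest = m.groups()
            records.append({
                "ts": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                "level": int(level),
                "func": b if a.isdigit() else a,
                "msg": rest.strip(),
            })
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def ticket_failures(records):
    """Return (first_seen, per-day counts) of ticket verification failures."""
    hits = [r for r in records
            if r["func"] == "reply_spnego_kerberos" and NEEDLE in r["msg"]]
    first_seen = min((r["ts"] for r in hits), default=None)
    return first_seen, dict(Counter(r["ts"].strftime("%Y-%m-%d") for r in hits))

# Constructed sample: layouts quoted in the thread, plus the swapped layout.
SAMPLE = """\
[2003/11/24 16:52:56, 2] smbd/sesssetup.c:setup_new_vc_session(535)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2003/11/24 16:52:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
Nov 26 11:10:50 samba smbd[26636]: [2003/11/26 11:10:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Nov 26 11:10:50 samba smbd[26636]:   Failed to verify incoming ticket!
[2003/11/26 11:10:51.123456,  1] smbd/sesssetup.c:172(reply_spnego_kerberos)
  Failed to verify incoming ticket!
"""

print(ticket_failures(parse_records(SAMPLE)))
```

A first-seen timestamp that falls right after a library or package change points at the Kerberos build rather than at individual client credentials.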