[Samba] Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE

2013-08-19 Thread Gregory Machin
Hi.

We are migrating from domain ad.adc.com to ad.xyz.com; there is a trust
between the two domains.

Before the move the file server was working perfectly; post migration I get
the following in the Samba logs:

[2013/08/19 08:07:15.961679,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2013/08/19 08:07:25.983662,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.01.168 read error =
NT_STATUS_CONNECTION_RESET.
[2013/08/19 11:19:26.308406,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2013/08/19 11:19:26.355646,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2013/08/19 11:19:39.835641,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.01.168 read error =
NT_STATUS_CONNECTION_RESET.

And on the Windows client I get prompted for username and password. It
won't accept any of the ones I have provided.

My workstation and the others that can’t access it are all on the new
domain as the file server (ad.xyz.com). I have a number of other file
servers migrated to ad.xyz.com and they are fine.

I have googled and found the issue is related to Kerberos. I have updated
the DNS to ensure that the server's hostname resolves correctly in both
forward and reverse lookups. I have noted that /etc/krb5.conf is very
different between the working servers and the broken one, but I don’t know
much about Kerberos so I’m lost.

I have updated to:
pbis: 7.0.918
samba: 3.6.6-0.129.el5
krb5: 1.6.1-70.el5_9.2

OS is CentOS 5.3

Clients are Windows 7


Any suggestions on how to resolve this?

Thanks
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Failed to verify incoming ticket! with Windows 2003 Server

2007-05-05 Thread Rodolfo Broco Manin
Hi, all!

I have the following environment here:

- A Windows 2000 domain, with one server running Windows 2003 Server
- A kerberos realm, using MIT Kerberos
- A samba server, with security=ads

The Windows 2003 server has a trust relationship with the MIT Kerberos
realm.  Users log on to that Kerberos realm on their Windows workstations,
and are supposed to have access to the shares on the Samba server.

All of it was working perfectly until some weeks ago, when the Samba
server had a hardware failure.  The OS was re-installed (Fedora Core 6),
the server was re-joined to the Windows domain, but now, when the users
try to access the shares, they get a window asking for username and
password, and the following appears in Samba's log:

--

[2007/05/05 19:42:53, 10] passdb/secrets.c:secrets_named_mutex(779)
  secrets_named_mutex: got mutex for replay cache mutex
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad
encryption type
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Bad encryption type
[2007/05/05 19:42:53, 10] passdb/secrets.c:secrets_named_mutex_release(791)
  secrets_named_mutex: released mutex for replay cache mutex
[2007/05/05 19:42:53, 3] libads/kerberos_verify.c:ads_verify_ticket(399)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2007/05/05 19:42:53, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
[2007/05/05 19:42:53, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(204) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

--

I also tried using a Samba server that was compiled against Heimdal
Kerberos, but the result was the same.

I tried to generate the Windows server's keytab entry with 'ktpass' and
import it into the Samba server's keytab (setting use kerberos keytab = yes in
smb.conf), but the problem remains.

When I try to access the samba share via smbclient, I get:

--
smbclient -k //server/share

Doing spnego session setup (blob length=117)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/[EMAIL PROTECTED]
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
Sun, 06 May 2007 05:53:09 BRT
ads_krb5_mk_req: Ticket (cifs/[EMAIL PROTECTED]) in ccache
(FILE:/tmp/krb5cc_0) is valid until: (Sun, 06 May 2007 05:53:09 BRT -
1178441589)
Got KRB5 session key of length 16
write_socket(5,1364)
write_socket(5,1364) wrote 1364
read_socket_with_timeout: timeout read. EOF from client.
receive_smb_raw: length  0!
client_receive_smb failed
size=0

--

and a login failed message.  After the attempt, the following principals get
cached:

Valid starting     Expires            Service principal
05/05/07 19:53:04  05/06/07 19:53:03  krbtgt/[EMAIL PROTECTED]
05/05/07 19:53:09  05/06/07 19:53:03  krbtgt/[EMAIL PROTECTED]
05/05/07 19:53:09  05/06/07 05:53:09  cifs/[EMAIL PROTECTED]

The only way our users can access the shares on the Samba server is by logging in
to the Windows 2003 domain.

Googling around, I found various issues concerning incompatibilities
between Windows 2003 and Samba/Kerberos tickets.  I tried various
suggestions - such as forcing the Samba server's computer account in
Windows 2003 to use only DES crypt, mapping the computer account to a
user account and so on, but none of them worked for me.

Any ideas?

(sorry for the large e-mail - and my bad English)

Thanks in advance!

Rodolfo
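
The level-10 trace in the post above records one decrypt attempt per encryption type before the ticket is rejected. As an added example (not part of the original post, and not Samba's own code), this Python script re-joins the mail-wrapped log records and reports which enctypes were tried and which were never attempted; the function names are hypothetical and the number-to-name table uses the standard Kerberos enctype assignments.

```python
import re

# Kerberos enctype numbers as assigned in the Kerberos specifications.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# The excerpt from the post, with the line wrapping added by the mail client.
SAMPLE_LOG = """\
[2007/05/05 19:42:53, 10] passdb/secrets.c:secrets_named_mutex(779)
  secrets_named_mutex: got mutex for replay cache mutex
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad
encryption type
[2007/05/05 19:42:53, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Bad encryption type
[2007/05/05 19:42:53, 10] passdb/secrets.c:secrets_named_mutex_release(791)
  secrets_named_mutex: released mutex for replay cache mutex
[2007/05/05 19:42:53, 3] libads/kerberos_verify.c:ads_verify_ticket(399)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2007/05/05 19:42:53, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
[2007/05/05 19:42:53, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(204) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

# A record starts with "[date time(.usec), level]"; everything up to the next
# such header is its body, however the lines were wrapped.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(\d+)\]", re.M)
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
REJECTED = "Failed to verify incoming ticket"


def records(text):
    """Return [(timestamp, debug_level, body)] with wrapped lines re-joined."""
    heads = list(HEADER.finditer(text))
    out = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = " ".join(text[head.end():end].split())
        out.append((head.group(1), int(head.group(2)), body))
    return out


def summarize(text):
    """Collect the enctypes smbd tried, the errors seen, and rejections."""
    tried, errors, rejected = [], set(), 0
    for _stamp, _level, body in records(text):
        match = ENC_FAIL.search(body)
        if match:
            number = int(match.group(1))
            tried.append(ETYPE_NAMES.get(number, "etype-%d" % number))
            errors.add(match.group(2))
        elif REJECTED in body:
            rejected += 1
    # Known enctypes that never appear in a decrypt attempt in this trace.
    not_tried = [name for _n, name in sorted(ETYPE_NAMES.items())
                 if name not in tried]
    return {"tried": tried, "errors": sorted(errors),
            "rejected": rejected, "not_tried": not_tried}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```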





Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-16 Thread Martin Zielinski

Hi,

the "Failed to join domain: Type or value exists" error is caused when the
machine_name is equal to the fqdn.


This is the case, e.g., if the /etc/hosts file contains only the short
name. The server reports the error and net aborts although the join
itself was successful.


There are several issues with the hostname vs. domainname thing under
Linux.
E.g. the missing driver listings when using the fqdn to access the Samba
server.
I've added a getdomainname() call in the get_mydnsfullname() function in
lib/util.c if the gethostname() call does not contain a ".".

Then the comparison in is_myname() succeeds and the drivers are listed.

But the manpage says getdomainname() is *not* POSIX. So this all might
end in a configuration issue of the hostname.


Regards,

~ Martin


Hansjörg Maurer wrote:

> Hi
>
> we see the similar messages too.
>
> Gerald (Jerry) Carter wrote:
>
>> m.bland wrote:
>>
>>> thor:/var/log/samba# cat /etc/samba/smb.conf
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN
>>
>> Are these really the same value ?
>
> do they have to?
> When I try to set them to the same value I get the following message
> when joining the domain.
>
> [EMAIL PROTECTED] root]# net ads join  -U Admin
> Admin's password:
> The workgroup in /etc/samba/smb.conf does not match the short
> domain name obtained from the server.
> Using the name [DOMNAME] from the server.
> You should set workgroup = DOMNAME in /etc/samba/smb.conf.
> Using short domain name -- DOMNAME
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> Deleted account for 'RMVBS02' in realm 'REALM'
> Failed to join domain: Type or value exists
>
>
> But we have a DNS not matching the REALM.
>
> Could this lead to this problem?
>
> (the above join only works with net rpc join, even while User Admin has
> full rights on the domain)
>
> Greetings
>
> hansjörg
>
>> ...
>>
>>> thor:/var/log/samba# cat /etc/krb5.conf
>>> [libdefaults]
>>>  default_realm = DOMAIN.NAME
>>
>> cheers, jerry




--
Martin Zielinski [EMAIL PROTECTED]
Software Development
SEH Computertechnik GmbH www.seh.de



Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-05 Thread Hansjörg Maurer
Hi

we see the similar messages too.

Gerald (Jerry) Carter wrote:
> m.bland wrote:
>
>> thor:/var/log/samba# cat /etc/samba/smb.conf
>> [global]
>>
>> workgroup = DOMAIN
>> realm = DOMAIN
>
> Are these really the same value ?

do they have to?
When I try to set them to the same value I get the following message
when joining the domain.

[EMAIL PROTECTED] root]# net ads join  -U Admin
Admin's password:
The workgroup in /etc/samba/smb.conf does not match the short
domain name obtained from the server.
Using the name [DOMNAME] from the server.
You should set workgroup = DOMNAME in /etc/samba/smb.conf.
Using short domain name -- DOMNAME
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Deleted account for 'RMVBS02' in realm 'REALM'
Failed to join domain: Type or value exists


But we have a DNS not matching the REALM.

Could this lead to this problem?

(the above join only works with net rpc join, even while User Admin has
full rights on the domain)

Greetings

hansjörg


> ...
>
>> thor:/var/log/samba# cat /etc/krb5.conf
>> [libdefaults]
>>  default_realm = DOMAIN.NAME
>
> cheers, jerry

-- 
_

Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
in der Helmholtz-Gemeinschaft

Institut fuer Robotik und Mechatronik

Dr. Hansjörg Maurer

LAN- und Systemmanager

Münchner Strasse 20
82234 Wessling
Germany

Telefon: 08153/28-2431
Telefax: 08153/28-1134

E-Mail: [EMAIL PROTECTED]
Internet: http://www.robotic.dlr.de/

__


There are 10 types of people in this world,
those who understand binary and those who don't.



[Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-04 Thread m.bland
Hi,
I have set up our samba box in 'ADS' mode; the problem I have is clients
connecting to the server can not do so by using its netbios name. Only when
they use the IP address of the machine are they able to be authenticated and
browse the box.
When clients connect via the netbios name this message will appear in my
samba logs with the IP of the connecting client;

smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming
ticket!
 
Additionally, if a client connects successfully via the IP of the samba
server, the log file is named with the client's netbios name rather than their
IP.
e.g. machinenetbiosname.log will contain
[2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
  netbiosnameofmachine (192.168.16.203) signed connect to service data
initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)

Can someone tell me what's happening here? ;)
 
thor:/var/log/samba# cat /etc/samba/smb.conf
[global]
winbind use default domain = yes
winbind separator = +
client use spnego = yes
use spnego = yes
server signing = auto
client signing = auto
netbios name = THOR
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
workgroup = DOMAIN
server string = Thor
security = ads
hosts allow = 192.168.16.
load printers = no
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = SERVER01
encrypt passwords = yes
realm = DOMAIN
passdb backend = tdbsam
local master = no
domain master = no
wins support = no
wins server = 192.168.16.3
dns proxy = no
hostname lookups = yes
name resolve order = lmhosts host wins dns bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 
[data]
comment = 
path = /data
Valid Users = +DOMAIN+domain users
writeable = yes
browseable = yes
 
[ftp]
comment = FTP area
path = /data/ftp
Valid Users = +DOMAIN+domain users
writeable = yes
browseable = yes
thor:/var/log/samba#
 
wbinfo -u works!
wbinfo -g works
 
passwd: files winbind
shadow: files winbind
group:  files winbind
 
#hosts: db files nisplus nis dns
hosts:  files winbind
 
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
 
bootparams: nisplus [NOTFOUND=return] files
 
ethers: files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:files
services:   files winbind
 
netgroup:   files winbind
 
publickey:  nisplus
 
automount:  files winbind
aliases:files nisplus

cat /etc/resolv.conf

search DOMAIN.NAME
nameserver 192.168.16.3 (also the PDC)

thor:/var/log/samba# cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
192.168.16.4    thor.DOMAIN.NAME  thor
192.168.16.3    server01.DOMAIN.NAME  server01

thor:/var/log/samba# kinit administrator@DOMAIN.NAME
administrator@DOMAIN.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
 
thor:/var/log/samba# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = DOMAIN.NAME
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 krb4_get_tickets = false
[realms]
 DOMAIN.NAME = {
  kdc = server01:88
 }
 
[domain_realm]
 .server01 = DOMAIN.NAME
 server01 = DOMAIN.NAME
 
[kdc]
 profile = /var/lib/heimdal-kdc/kdc.conf
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }



Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-04 Thread Gerald (Jerry) Carter

m.bland wrote:

> thor:/var/log/samba# cat /etc/samba/smb.conf
> [global]
>
> workgroup = DOMAIN
> realm = DOMAIN

Are these really the same value ?

...

> thor:/var/log/samba# cat /etc/krb5.conf
> [libdefaults]
>  default_realm = DOMAIN.NAME






cheers, jerry


Re: [Samba] Failed to verify incoming ticket

2007-01-17 Thread Gerald (Jerry) Carter

Brian Atkins wrote:

> In the samba client logs I see:
> [2007/01/12 19:56:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
>   Failed to verify incoming ticket!
...
> KRB5.CONF:
> ==
> [libdefaults]
> default_realm   = MYDOMAIN.COM
> ticket_lifetime = 2400
> clockskew   = 300
> default_tkt_enctypes= des-cbc-crc des-cbc-md5
> default_tgs_enctypes= des-cbc-crc des-cbc-md5

You need to add rc4-hmac.







cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
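
The reply above points at the two enctype lists in the poster's krb5.conf. As an added example (not code from the thread, Samba or MIT krb5), this Python check reads [libdefaults] and reports enctype lists that omit RC4-HMAC or contain only DES types; the function names are hypothetical and the sample is the poster's file as quoted in the thread.

```python
import re

# Names MIT krb5 accepts for enctype 23, plus the "rc4" family keyword.
RC4_NAMES = frozenset({"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4"})
# Single-DES enctype names, plus the "des" family keyword.
DES_NAMES = frozenset({"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"})
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

# krb5.conf as posted in the thread (whitespace as it appears there).
SAMPLE = """\
[libdefaults]
default_realm   = MYDOMAIN.COM
ticket_lifetime = 2400
clockskew   = 300
default_tkt_enctypes= des-cbc-crc des-cbc-md5
default_tgs_enctypes= des-cbc-crc des-cbc-md5
forwardable = true

[realms]
MYDOMAIN.COM = {
kdc = dcm.mydomain.com
admin_server= dcm.mydomain.com
default_domain  = mydomain.com
}
"""

# The same file with the change the reply asks for.
FIXED = SAMPLE.replace("des-cbc-crc des-cbc-md5",
                       "rc4-hmac des-cbc-crc des-cbc-md5")


def parse_sections(text):
    """Return {section: {key: value}} for top-level 'key = value' lines.

    Lines inside { } blocks (per-realm settings) are skipped on purpose:
    the enctype lists checked here live directly under [libdefaults].
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
        elif line.endswith("{"):
            depth += 1
        elif line.startswith("}"):
            depth = max(0, depth - 1)
        elif current is not None and depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def check_enctypes(text, required=RC4_NAMES):
    """Return [(key, finding)] for the enctype lists in [libdefaults]."""
    libdefaults = parse_sections(text).get("libdefaults", {})
    findings = []
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue  # unset: the library's built-in default list applies
        # Enctype lists may be separated by whitespace or commas.
        names = {n.lower() for n in re.split(r"[,\s]+", libdefaults[key]) if n}
        if not names & required:
            findings.append((key, "missing-required"))
        if names and names <= DES_NAMES:
            findings.append((key, "des-only"))
    return findings


if __name__ == "__main__":
    print("as posted:", check_enctypes(SAMPLE))
    print("with rc4-hmac added:", check_enctypes(FIXED))
```

DES and RC4 are both deprecated in Kerberos today (RFC 6649, RFC 8429), so on current systems the same check is more useful with the AES enctype names passed as `required`.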


[Samba] Failed to verify incoming ticket

2007-01-12 Thread Brian Atkins
I am running samba 3.0.23d on Gentoo. I have a particularly problematic 
server that is a domain member of our AD domain.


After joining the domain, shares are available and user credentials work 
just fine. Then, suddenly for no apparent reason, it stops working. And, 
then again, just as quickly as the problem starts, it goes away. I have 
looked at this thing as many ways as I can possibly think of, but have 
not yet found the culprit. From everything I've seen, the issue points 
to Kerberos.


I used a plain vanilla approach to join it to the domain:

Installed samba, winbind, mit-krb5, and pam modules:
USE="ldap kerberos winbind pam" emerge samba

Edited krb5.conf (see below) and ran -
kinit administrator

klist reveals:
klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
01/12/07 19:46:02  01/12/07 20:26:02  krbtgt/[EMAIL PROTECTED]

Edited nsswitch.conf (see below).

Edited smb.conf (see below) and ran -
net ads join -U adminstrator

and got:
Using short domain name -- MYDOMAIN
Joined 'TESTBOX' to realm 'MYDOMAIN.COM'

I started samba:
/etc/init.d/samba start
* samba - start: smbd ...[ ok ]
* samba - start: nmbd ...[ ok ]
* samba - start: winbind ... [ ok ]

However, accessing a share from a windows machine (doesn't appear to 
matter the version), I get prompted for credentials. Upon entering them, 
I get Logon failed. As I write this, I have a XP box that is allowing me 
to access the share, but a 2K3 server that fails - same credentials. If 
I use the ip address, it succeeds every time.


In the samba client logs I see:
[2007/01/12 19:56:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!

Occasionally in log.winbind I get:
[2007/01/12 19:22:18, 1] nsswitch/winbindd_ads.c:query_user_list(218)
  Not a user account? atype=0x3000

I also see some weirdness with wbinfo. When displaying users, I see only 
user accounts, while on my other servers, I see user and computer accounts.


KRB5.CONF:
==
[libdefaults]
default_realm   = MYDOMAIN.COM
ticket_lifetime = 2400
clockskew   = 300
default_tkt_enctypes= des-cbc-crc des-cbc-md5
default_tgs_enctypes= des-cbc-crc des-cbc-md5
forwardable = true
dns_lookup_kdc  = false
dns_lookup_realm= false
kdc_timesync= true

[realms]
MYDOMAIN.COM = {
kdc = dcm.mydomain.com
admin_server= dcm.mydomain.com
default_domain  = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server= FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

SMB.CONF:
=
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
netbios name = TESTBOX
server string = TESTBOX
interfaces = 192.168.1.28 127.
bind interfaces only = yes
security = ADS
log file = /var/log/samba/log.%m
max log size = 8164
name resolve order = hosts wins bcast
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
os level = 5
preferred master = no
local master = no
domain master = no
dns proxy = no
wins proxy = no
wins server = 192.168.1.124
template shell = /bin/bash
unix extensions = no
template home dir = /home/%D/%U
winbind enum users = yes
winbind uid = 1-2
winbind gid = 1-2
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
hosts allow = 192.168. 127.
load printers = no
smb ports = 139

NSSWITCH.CONF:
==
passwd:  compat winbind
shadow:  compat
group:   compat winbind
hosts:   files dns wins
networks:files dns
services:db files
protocols:   db files
rpc: db files
ethers:  db files
netmasks:files
netgroup:files
bootparams:  files
automount:   files
aliases: files


--
Brian


[Samba] Failed to verify incoming ticket!

2006-07-17 Thread Linefeed Feed

Hi all,

I have configured Samba 3.0.10 to act as a file server (RHEL4) in a Windows
2000 AD domain. I have also configured Kerberos 1.3.4 for authentication
between the W2K PDC and the Samba box. wbinfo -u and -g work fine. My problem is
that I cannot connect to the Samba server via Windows Browser, Network
Neighbourhood, Windows Explorer etc. When I try to connect I am prompted with a
User/Password dialog box which says "Incorrect password or unknown username
for: \\SambaFileServer"


Another thing to say: there is another clue in
/var/log/samba/W2K_PDC-IPAddress.log

smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!

If I go to Start/Run and write the Samba server's IP address I can connect to
shares on it without any problem.


What is wrong?

An ASAP response will be appreciated.
Thanks,
Thanks,



Re: [Samba] Failed to verify incoming ticket!

2006-07-17 Thread Gerald (Jerry) Carter

Linefeed Feed wrote:
> Hi all,
>
> I have configured Samba 3.0.10 to act as a file server(RHEL4)
> in Windows 2000 AD domain. I have also configured Kerberos
> 1.3.4 for authentication between W2K PDC and Samba box.
> wbinfo -u and -g works fine. My problem is that I cannot
> connect Samba Server via Windows Browser, Network Neighborhood,
> Windows Explorer etc. When I try to connect I prompted
> User/Password dialog box which says Incorrect password
> or unknown username for: \\SambaFileServer
>
...
> Failed to verify incoming ticket!

There is some krb5 failure, but you don't give enough information
to know what.

> If I go to Start/Run and write Samba Server's IP adress I
> can connect to shares on that without any problem.

The client is falling back to NTLM authentication in
this case.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Failed to verify incoming ticket!

2006-07-17 Thread Linefeed Feed

Hi Gerald,

That is what I want to know: what causes that problem? Because when I connect from
Start\Run with the IP address of the Samba box I don't have any problem, but
with the netbios name I do. Another thing (as I sent to the samba list): if I change
the parameter, netbios name = Diferent_from_SambaHostName,

I can connect to the Samba server with the netbios name without any problem.

What is wrong? Misconfigured smb.conf, krb5.conf or other?

Thanks for your response,





From: Gerald (Jerry) Carter [EMAIL PROTECTED]
To: Linefeed Feed [EMAIL PROTECTED]
CC: samba@lists.samba.org
Subject: Re: [Samba] Failed to verify incoming ticket!
Date: Mon, 17 Jul 2006 07:21:07 -0500


Linefeed Feed wrote:
> Hi all,
>
> I have configured Samba 3.0.10 to act as a file server(RHEL4)
> in Windows 2000 AD domain. I have also configured Kerberos
> 1.3.4 for authentication between W2K PDC and Samba box.
> wbinfo -u and -g works fine. My problem is that I cannot
> connect Samba Server via Windows Browser, Network Neighborhood,
> Windows Explorer etc. When I try to connect I prompted
> User/Password dialog box which says Incorrect password
> or unknown username for: \\SambaFileServer
>
...
> Failed to verify incoming ticket!

There is some krb5 failure, but you don't give enough information
to know what.

> If I go to Start/Run and write Samba Server's IP adress I
> can connect to shares on that without any problem.

The client is falling back to NTLM authentication in
this case.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] Failed to verify incoming ticket

2005-09-16 Thread Brian D. McGrew
Good day all!

I've got four samba servers up and running perfectly and I went to add a
fifth box using the exact same steps and operating system but ran into a
problem.

I can't map a drive by name (\\Mustang\Support) but I can go by IP
(\\10.0.0.23\Support).  I found a snipped posting that said try the IP
and it worked.

In my logs when I try and go by hostname I see the errors Failed to
verify incoming ticket.

I guess I missed something in the setup but I've been back through it
several times.  What am I doing wrong, how do I fix this?

Thanks!

-brian
 
Brian D. McGrew { [EMAIL PROTECTED] || [EMAIL PROTECTED] }
---
 Those of you who think you know it all,
  really annoy those of us who do!



Re: [Samba] Failed to verify incoming ticket

2004-10-28 Thread Olivier Mehani
On Fri Jul 30 17:10:45 2004
nuno.silva at novabase.pt (Nuno Silva) wrote:

>> I'm trying to get Samba 3.0.2 working against a Windows 2003 Active
>> Directory. I can join the Linux box (RedHat Advanced Server) to the
>> domain using net ads join and it appears in the Windows machine's
>> Users and Computers snap in but when trying to map a drive from
>> Windows you just get a continuous password dialog box and on the
>> Linux box Samba produces the following error in the Samba log:
>>
>> Smbd/sesssetup.c:reply_spnego_kerberos(173)
>>   Failed to verify incoming ticket!
>
> This is probably a problem with your kerberos version.

I have been having the very same problem and managed to solve this. I'm
posting an answer to this question so that others can find this if
needed. (I'm not subscribed to the list, so please CC follow-ups if
needed).

The problem is, as you said, with the Kerberos version, I first used
MIT's implementation of Kerberos. Samba clients could correctly access
my Samba server (and I could see the KRB requests going to and from the
Win2k AD server) but as soon as I tried and did the same with a
Windows-based client, nothing worked, the Windows box kept asking for a
valid user/pass whereas the given ones were correct, and I got the same
failed tickets entries in my smbd logs.

I solved the problem by compiling Samba (3.0.7) against Heimdal Kerberos
instead of MIT.

As far as I understand the problem, this is due to MIT not supporting
the kind of encryption the Windows client is using to get the
tickets (this explains the problem not occurring with Samba clients).

Here is my smb.conf, in case it's needed:
-
password server = ADVSERV
security = ADS
realm = EXAMPLE.COM
encrypt passwords = yes
client use spnego = no
username map = /usr/local/samba-ads/lib/username_map
workgroup=EXAMPLE
auth methods = winbind
winbind enum users = yes
winbind enum groups = yes
idmap uid = 1-2
idmap gid = 1-2

[tmp]
path = /tmp
browsable = yes
writeable = yes
preserve case = yes

[homes]
comment = Home Directories
valid users = %S
force user = %S
writable = yes
guest ok = no
browseable = no
-

And (roughly) the process I followed to register the machine was:
# kinit [EMAIL PROTECTED]
[EMAIL PROTECTED]'s Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [EMAIL PROTECTED]
Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
End time:   Oct 29 00:38:00 2004
Renew till: Nov  4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

# net ads join
Using short domain name -- EXAMPLE
Joined 'FOO' to realm 'EXAMPLE.COM'
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [EMAIL PROTECTED]
Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
End time:   Oct 29 00:38:00 2004
Renew till: Nov  4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

Server: [EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time:   Oct 29 00:38:00 2004
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:172.20.0.133

Server: kadmin/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time:   Oct 29 00:38:00 2004
Ticket flags: pre-authenticated
Addresses: IPv4:172.20.0.133

At this point, I could have Windows-using users connect to the Samba
server, and mapped to Unix users thanks to the username map.

-- 
Olivier Mehani [EMAIL PROTECTED]
FreeALter Soft/Linbox - Paris
http://www.linbox.com




[Samba] Failed to verify incoming ticket

2004-07-30 Thread Warbeck, Mark
Hi,

I'm trying to get Samba 3.0.2 working against a Windows 2003 Active
Directory. I can join the Linux box (RedHat Advanced Server) to the
domain using net ads join and it appears in the Windows machine's
Users and Computers snap in but when trying to map a drive from Windows
you just get a continuous password dialog box and on the Linux box Samba
produces the following error in the Samba log:

Smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

Here is smb.conf:
###
#=== Global Settings
=
[global]

   workgroup = w2k3 

   netbios name = fs

   server string = Samba Server

   log file = /var/log/samba/smbd.log

   max log size = 50

   security = ads

   realm = W2K3.TEST

   client use spnego = yes

   use spnego = yes

   client signing = yes

   server signing = yes

   encrypt passwords = yes

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

;   local master = no

;   os level = 33

   dns proxy = no 


# Share Definitions
==
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
##

And here's krb5.conf:
##
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# ticket_lifetime = 24000
 default_realm = W2K3.TEST
# dns_lookup_realm = false
# dns_lookup_kdc = false

[realms]
 W2K3.TEST = {
  kdc = test-dc.w2k3.test:88
  admin_server = test-dc.w2k3.test:749
  default_domain = w2k3.test
 }

[domain_realm]
 .w2k3.test = W2K3.TEST 
 w2k3.test = W2K3.TEST

[kdc]
#  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
##

Thanks,
Mark

--
Mark Warbeck
Systems Engineer
Engineering Science and Mechanics
Virginia Tech
323A Norris Hall
Mail Code 0219
Blacksburg, VA 24061
540.231.7489 


RE: [Samba] Failed to verify incoming ticket

2004-07-30 Thread Nuno Silva
Hi,

This is probably a problem with your kerberos version.

Try mapping with ip address like this:

C:\> net use t: \\10.10.10.1\teste



_
Nuno Silva
Engineering Solutions / Enterprise Computing




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Warbeck, Mark
Sent: Friday, 30 July 2004 17:57
To: [EMAIL PROTECTED]
Subject: [Samba] Failed to verify incoming ticket



Re: [Samba] Failed to verify incoming ticket!

2003-11-27 Thread Wolfgang Wagner
> From: John H Terpstra [mailto:[EMAIL PROTECTED]
>
> This possibly means that your version of Kerberos is not able to handle
> the requirements of the Windows server you are trying to negotiate the
> join with.
>
> If you are using SuSE Linux your samba-3.x should be linked with the
> latest Heimdal, if Red Hat you need to link against MIT 1.3.1.

Thank you John for your help.

One more question: why should I use different kerberos-libs on SuSE and RedHat?
Is there a link in the documentation or in your new samba-book?

Which version should I use with Debian woody? Or, more precisely, which feature
should the libkrb support (a link to documentation would make me happy)?

Thank you

Kind regards


Wolfgang Wagner
--
Systemadministration
Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
eMail:[EMAIL PROTECTED]




Re: [Samba] Failed to verify incoming ticket!

2003-11-27 Thread John H Terpstra
On Thu, 27 Nov 2003, Wolfgang Wagner wrote:

>> From: John H Terpstra [mailto:[EMAIL PROTECTED]
>>
>> This possibly means that your version of Kerberos is not able to handle
>> the requirements of the Windows server you are trying to negotiate the
>> join with.
>>
>> If you are using SuSE Linux your samba-3.x should be linked with the
>> latest Heimdal, if Red Hat you need to link against MIT 1.3.1.
>
> Thank you John for your help.
>
> One more question: why should I use different kerberos-libs on SuSE and RedHat?

SuSE ships with Heimdal. For Windows Server 2003 interoperability you need
the latest version of Heimdal.

Red Hat ships with MIT Kerberos, only MIT version 1.3.1 can work with
Windows Server 2003. The 1.2.x versions that ship with Red Hat Linux will
not work with Win2003.

You can use either Heimdal-0.6+ or MIT 1.3.x - use whichever is easiest
for you. You might have a few problems trying to install MIT on top of a
system that has Heimdal installed already.

> Is there a link in the documentation or in your new samba-book?

In the book, The Official Samba-3 HOWTO and Reference Guide (aka:
Samba-HOWTO-Collection) there are indirect references to the configuration
requirements - this will be expanded when either I get some more time, or
if someone provides me with a patch to the documentation.

The indirect reference is in the section 6.2 of the book, 7.2 of the
HOWTO.


> Which version should I use with Debian woody? Or, more precisely, which feature
> should the libkrb support (a link to documentation would make me happy)?

It's up to you. I'd use MIT 1.3.1, it takes the least amount of effort to
make it work.

Cheers,
John T.


> Thank you
>
> Kind regards
>
>
> Wolfgang Wagner
> --
> Systemadministration
> Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
> eMail:[EMAIL PROTECTED]




-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] Failed to verify incoming ticket!

2003-11-26 Thread Wolfgang Wagner
Hello,

a few people asked about this problem here, but up to now I have not seen a solution.

System:
freshly installed Debian Woody with backported packages from backports.org, nothing else,
only samba3 running. System is intended as replacement for our old windows-fileserver.

Situation: 
after installation and configuration all worked well, accessing shares works without 
password-checking.

samba3 authenticates against an ADS, 
net ads join -U administrator joins the samba-server to the ADS,
net ads user -U administrator gives me a list of all ADS-users.

Then I updated my system from the original debian-mirrors and backports.org, and now I 
get this error when a workstation accesses a share. Also on the workstation appears a 
dialog box and asks for username and password.

[2003/11/25 19:19:03, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!

Winbind was not running. After restarting Winbind and accessing the share again I got 
in syslog these messages:

Nov 26 11:10:05 samba winbindd[26631]: [2003/11/26 11:10:05, 0] nsswitch/winbindd_util.c:rescan_trusted_domains(172)
Nov 26 11:10:05 samba winbindd[26631]:   rescan_trusted_domains: Can't find my own domain!
Nov 26 11:10:50 samba smbd[26636]: [2003/11/26 11:10:50, 0] lib/username.c:map_username(128)
Nov 26 11:10:50 samba smbd[26636]:   can't open username map /etc/samba/smbusers. Error No such file or directory

Ok, /etc/samba/smbusers is missing.  But why?


I have no idea, where to search further.

Please give me any hints.


Kind regards


Wolfgang Wagner
--
Systemadministration
Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
eMail:[EMAIL PROTECTED]


Re: [Samba] Failed to verify incoming ticket!

2003-11-26 Thread John H Terpstra
On Wed, 26 Nov 2003, Wolfgang Wagner wrote:

> Hello,
>
> a few people asked about this problem here, but up to now I have not seen a solution.
>
> System:
> freshly installed Debian Woody with backported packages from backports.org, nothing else,
> only samba3 running. System is intended as replacement for our old windows-fileserver.
>
> Situation:
> after installation and configuration all worked well, accessing shares works without
> password-checking.
>
> samba3 authenticates against an ADS,
> net ads join -U administrator joins the samba-server to the ADS,
> net ads user -U administrator gives me a list of all ADS-users.
>
> Then I updated my system from the original debian-mirrors and backports.org, and now I
> get this error when a workstation accesses a share. Also on the workstation appears a
> dialog box and asks for username and password.
>
> [2003/11/25 19:19:03, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!

This possibly means that your version of Kerberos is not able to handle
the requirements of the Windows server you are trying to negotiate the
join with.

If you are using SuSE Linux your samba-3.x should be linked with the
latest Heimdal, if Red Hat you need to link against MIT 1.3.1.


> Winbind was not running. After restarting Winbind and accessing the share again I got
> in syslog these messages:
>
> Nov 26 11:10:05 samba winbindd[26631]: [2003/11/26 11:10:05, 0] nsswitch/winbindd_util.c:rescan_trusted_domains(172)
> Nov 26 11:10:05 samba winbindd[26631]:   rescan_trusted_domains: Can't find my own domain!
> Nov 26 11:10:50 samba smbd[26636]: [2003/11/26 11:10:50, 0] lib/username.c:map_username(128)
> Nov 26 11:10:50 samba smbd[26636]:   can't open username map /etc/samba/smbusers. Error No such file or directory
>
> Ok, /etc/samba/smbusers is missing.  But why?


Did you create this file?

Typical contents are:

root = Administrator


Cheers,
John T.




> I have no idea, where to search further.
>
> Please give me any hints.
>
>
> Kind regards
>
>
> Wolfgang Wagner
> --
> Systemadministration
> Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
> eMail:[EMAIL PROTECTED]


-- 
John H Terpstra
Email: [EMAIL PROTECTED]
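
Added example (not part of the thread and not Samba's own code): a shell check that applies the minimum Kerberos library versions John gives in his two replies above (Heimdal 0.6+ or MIT 1.3.x; MIT 1.2.x will not work with Windows Server 2003). The function names and sample version lines are constructed here, and the input shapes "Kerberos 5 release X.Y.Z" and "heimdal X.Y.Z" are assumed to be what krb5-config --version prints.

```shell
#!/bin/sh
# Added example, not code from the thread. Thresholds come from the replies:
# MIT 1.3.x or Heimdal 0.6+ is needed for Windows Server 2003.

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# krb5_win2003_check "<version line>": print a verdict for one version line.
# Returns 0 (ok), 1 (too old) or 2 (vendor or version not recognised).
krb5_win2003_check() {
    case $1 in
        [Hh]eimdal*)           vendor=Heimdal min=0.6 ;;
        "Kerberos 5 release"*) vendor=MIT min=1.3 ;;
        *) echo "unknown"; return 2 ;;
    esac
    ver=${1##* }                      # last word of the line
    case $ver in                      # accept only digits separated by dots
        ''|*[!0-9.]*|.*|*.|*..*) echo "unknown"; return 2 ;;
    esac
    if version_ge "$ver" "$min"; then
        echo "ok: $vendor $ver >= $min"
    else
        echo "too-old: $vendor $ver < $min"
        return 1
    fi
}

# Constructed sample lines; on a real host pass "$(krb5-config --version)".
for line in "Kerberos 5 release 1.2.7" "Kerberos 5 release 1.3.1" "heimdal 0.6"; do
    krb5_win2003_check "$line" || true
done
```

This only classifies the library that krb5-config reports; the replies are about the library smbd was linked against, so confirm that the two are the same installation.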


[Samba] Failed to verify incoming ticket - Samba 3.0 ADS

2003-11-24 Thread Alex Needham
Hi Folks

I have winbind showing all users and groups from my windows 2k3 AD, net ads
join worked fine, set up a test share, changed the owner to be something
from the AD through winbind and the group to 1 (Domain Users) even
chmodded 777 to make sure permissions weren't a problem, but I keep getting

[2003/11/24 16:52:56, 2] smbd/sesssetup.c:setup_new_vc_session(535)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2003/11/24 16:52:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/11/24 16:52:56, 2] smbd/server.c:exit_server(558)
  Closing connections

In the logs, I have to assume this is part of the problem, also if the kinit
times out I get nothing and have to reauthenticate, I currently have my pop
and imap services authenticating against the AD, but I had to do a lot of
buggering about on the w2k3 box with ktpass and such to get it working, so I
know that it is possible to authenticate via kerberos against a w2k3AD, with
preauthentication turned off.

Do I need to change the passdb backend to LDAP? (as well as finding out what
problem lies in the kerberos).

smb.conf

[global]
workgroup = AREALM
realm = AREALM.COM
security = ADS
password server = 192.168.0.42
encrypt passwords = yes
log level = 2
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
client use spnego = yes

[export]
comment = Test Share
path = /export/test
admin users = Administrator
read list = AUSER
write list = AUSER
read only = No
create mask = 0700
directory mask = 0700

[EMAIL PROTECTED] export]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@AREALM.COM
Valid starting     Expires            Service principal
11/24/03 16:30:14  11/25/03 02:28:48  krbtgt/AREALM.COM@AREALM.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Any help gratefully accepted,

Rgds

Alex Needham

Stealth IT Bloke, Intersystems