Platform: Redhat ES 3.0; samba is a member of a win 200 Active Directory. After upgrading from 3.0.4 to 3.0.6 via rhn, users are no longer able to access shares on the samba server. A login message box keeps popping up, and the message "failed to verify incoming ticket" appears in the samba logs. I suspect the samba upgrade to be responsible because another server with the same samba / kerberos configuration and samba 3.0.4 works perfectly.
Created attachment 638 [details] smb.conf
Here is smb.conf
Created attachment 639 [details] krb5.conf
I too have experienced the same issue. After upgrading to 3.0.6 from 3.0.5, clients receive access denied on shares. Log shows "failed to decrypt with error Bad encryption type". Kinit and klist work properly. This was a server that has been working under 3.0.5 flawlessly. Member server, ADS, net ads join succeeds. The configuration of this server, krb5 and samba, is the same on other servers within organization using 3.0.5. After install of 3.0.6 this server is broken.
*** Bug 1739 has been marked as a duplicate of this bug. ***
Please attach a level 10 debug log of the failure to this report. (as an attachment. please do not post it in the comment field). Thanks.
Am not able to reproduce this after joining the domain with Samba 3.0.5 and then upgrading to 3.0.6 (SuSE 9.1 pro, Heimdal 0.61rc3).
Here's another comment from the Samba ml. This may not be the same bug though. It is however another data point.
---- original mail from Jost T <mortonjt@rochester.rr.com> -----
| I've had this problem since a Samba.org .deb package upgrade 3.0.5 to 3.0.6 on Debian stable. Domain is ADS Windows 2000 Native - both domain controllers are W2K Server SP4. I'm using an XP SP2 PC and a Windows 2000 Server SP4 PC as clients to test (simply because they're by my desk).
|
| Yesterday, I set up a fresh test install of debian stable (under VMWare) and installed from source MIT Kerberos 1.3.4, OpenLDAP 2.2.15, and Samba 3.0.6 to see if it was a problem with Debian Stable's older kerberos. But I had the same problem - \\ipaddress worked, but \\name didn't.
|
| So I removed Samba 3.0.6 via:
| stopping the daemons
| net ads leave
| make uninstall in the source dir
| manually deleting /lib/libnss_win*
| manually deleting any samba related files in /var/log & /var/run, etc.
|
| I then downloaded and compiled Samba 3.0.5 and set it up. It was working last night, however this morning I started having the same problems...
Having the exact same problem as the person who created the ticket. Redhat AS 3.0, samba quit working after a recent upgrade from 3.0.4 to 3.0.6. Will try to post to RedHat as well. Will attach log10 entries shortly. Went as far as uninstalling samba and krb5 from the box and manually compiled krb5 1.3.5 from MIT and Samba 3.0.5, 3.0.6, and latest CVS. Same problem all the way around. Samba started misbehaving for me after the large "quarterly update" from RedHat.. Upgraded a bunch of packages; it could be that one of the other packages that were upgraded killed Samba, but I'm not technical enough to determine which one.
Created attachment 645 [details] Log10 from specific host
This is from the /var/log/samba/<machineIP>.log
Created attachment 646 [details] smbd log file
Log10 from smbd
Got a response from RedHat; it doesn't help the other OS people very much:
Red Hat is aware of the problem and we are currently investigating a fix for the issue. As a workaround, we recommend that customers revert back to the previous samba release, 3.0.4 for now. If you have a support contract with Red Hat, please feel free to open a trouble ticket at http://www.redhat.com/support/ to have your problem resolved.
Kent Baxley
I met the same problem on Samba 3.0.7
-----
[2004/09/21 19:28:36, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/09/21 19:28:36, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/09/21 19:28:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/21 19:28:36, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/09/21 19:28:36, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
----------
The problem will occur when the KDC (DC)'s name cannot be resolved with DNS. After setting /etc/resolv.conf correctly to resolve the KDC's name, restarting smbd/nmbd and re-logging in from Windows, I can connect to the Samba server.
I did the RHN update today to 3.0.7 and it appears to be 'fixed'
I'm the final user. And RPM samba 3.0.7-1.3E corrects this bug completely. This bug can be closed.
This is not a RedHat only issue. I'm experiencing this in Debian. This is the culprit:
[2004/09/21 19:28:36, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
Somehow the des-cbc-md5 decryption is failing. krb5_rd_req fails to return the decrypted ticket. Most likely because of wrong parameters. I first suspected the pre-execution of the new keytab code garbling up the ticket, but disabling the parameter in smb.conf with "use kerberos keytab = no" provided the same results. Providing the server's name in /etc/hosts makes no difference except for the name_to_fqdn function to succeed instead of fail.
We also use rhel 3.0 with samba-3.0.7-1.3E but the bug does NOT disappear! So this bug has to stay open. Or should someone tell me what else we can do to fix this bug?
Upgrading to 3.0.8pre1 from SVN fixed this issue for me. Sadly I'm stuck now with leaving and joining groups not obeying permissions, but that's a different story, ehrm, bug.
Ok.. I was wrong, it worked for about an hour... It's dead again. Not a clue what's causing it.. Can still access \\<ip addy>
We found a workaround! Since we recognized that the "netbios aliases" names are working (i.e. with \\alias\) while the "netbios name" is not (i.e. only with \\<ip address>\), we simply renamed the samba server, joined it to the domain, and added the original name as another "netbios aliases". So now all clients are working and see the samba server as before (we just have one more name, the current netbios name, in the domain, and it's not working by name).
In our case the access denied / kerberos invalid ticket issue with samba later than 3.0.5 was being caused from using single quotes instead of double quotes within the smb.conf file. i.e. valid users="domain\domain users" instead of 'domain\domain users'.
we don't have any quotes anywhere in the conf file, so it can not be the reason in our case:-(
Created attachment 704 [details] sambalog 10 from client
We have two domains: universa (ads 2003) and universa.hv (a trusted nt4 domain). User universa\deda logs on to domain universa (ad-servers ads1, ads2, ads3). A login script mounts several network drives from \\servgs25. When mounting the first drive (\\servgs25\prog) he is prompted for username and password (approximately at 09:59:nn). The login script hangs (waiting for password). After half an hour he pressed "return" in the DOS-box. Now he gets all other drives mounted. This happens sporadically.
Created attachment 705 [details] Our smb.conf for the last log10
Comment on attachment 704 [details] sambalog 10 from client
Samba 3.0.7 packages from samba.org on Debian Woody (up to date)
reproduced with SuSE 9.1, samba3.0.8pre2, heimdal-0.6.1rc3 + various fixes and win2k sp4.
Got this problem too on Fedora Core 2, Samba 3.0.7, standard (for FC2) Kerberos5 libs. The most strange thing is that I can connect to shares from W2K, W2K3, WinXP (_not_ a domain member), but cannot from WinXP (domain member)! Here is a log10 part:
[2004/10/08 18:18:36, 10] lib/util.c:name_to_fqdn(2442)
  name_to_fqdn: lookup for MASTER -> master.mydomain.com.
[2004/10/08 18:18:36, 10] passdb/secrets.c:secrets_named_mutex(702)
  secrets_named_mutex: got mutex for replay cache mutex
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/10/08 18:18:36, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2004/10/08 18:18:36, 10] passdb/secrets.c:secrets_named_mutex_release(714)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/10/08 18:18:36, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/10/08 18:18:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/10/08 18:18:36, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
Hello, I was having this same problem for a few hours, on Debian 3.1. After beating my head up against the wall, I noticed this
[2004/10/08 21:41:05, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Clock skew too great
in the winbindd log file. I then checked the date (newly installed system) and found it to be a few hours ahead of the normal time. Running ntpdate fixed my issue. I hope this helps someone else fix their problem.
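The enctype-by-enctype decrypt attempts in the log10 excerpt above and the clock-skew message in this comment are the two patterns worth triaging automatically. Here is an added example (not code from this thread, from Samba or from any of the posters) that parses Samba 3 log records, classifies the Kerberos session-setup failure and prints an admin hint; the sample log lines are constructed from the excerpts posted here, and the enctype number-to-name table is taken from RFC 3961 / RFC 4120.

```python
import re

# Samba 3 log record: "[date time, level] file:function(line)" followed by the
# message, either on the same line or on the next (indented) line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<loc>\S+\(\d+\))\s*(?P<rest>.*)$")
ENCTYPE_RE = re.compile(
    r"enc type \[(?P<etype>\d+)\] failed to decrypt with error (?P<err>.+)$")
# Kerberos enctype numbers seen in the thread's logs (RFC 3961 / RFC 4120 values).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

# Constructed sample, modelled on the log10 excerpts posted in this thread.
SAMPLE_LOG = """\
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/10/08 18:18:36, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/10/08 18:18:36, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/10/08 18:18:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/10/08 21:41:05, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Clock skew too great
"""


def parse_records(text):
    """Group header and continuation lines into records with a complete message."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "loc": m["loc"], "msg": m["rest"].strip()})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def diagnose(text):
    """Classify Kerberos session-setup failures and return hints for the admin."""
    report = {"unsupported_enctypes": [], "integrity_failures": [],
              "clock_skew": False, "ticket_failures": 0, "hints": []}
    for rec in parse_records(text):
        msg = rec["msg"]
        em = ENCTYPE_RE.search(msg)
        if em:
            etype = int(em["etype"])
            if em["err"].startswith("Bad encryption type"):
                # The library lacks this enctype; normal while smbd tries each one.
                report["unsupported_enctypes"].append(etype)
            elif em["err"].startswith("Decrypt integrity check failed"):
                # Enctype is supported but the stored machine key is wrong.
                report["integrity_failures"].append(etype)
        elif "Clock skew too great" in msg:
            report["clock_skew"] = True
        elif "Failed to verify incoming ticket" in msg:
            report["ticket_failures"] += 1
    if report["integrity_failures"]:
        names = ", ".join(ENCTYPE_NAMES.get(e, str(e)) for e in report["integrity_failures"])
        report["hints"].append(f"key mismatch for {names}: stored machine key differs from "
                               "the KDC's (wrong salt or stale join); rejoin the domain")
    if report["clock_skew"]:
        report["hints"].append("clock skew: sync the server clock with the DC (ntpdate)")
    if report["ticket_failures"] and not (report["integrity_failures"] or report["clock_skew"]):
        report["hints"].append("ticket rejected for another reason: check that the KDC name "
                               "resolves (/etc/resolv.conf)")
    return report
```

Run `diagnose(open("/var/log/samba/log.smbd").read())["hints"]` against a level 10 log; a "Bad encryption type" entry alone is harmless, only "Decrypt integrity check failed" on a supported enctype points at the key problem this bug is about.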
*** Bug 1775 has been marked as a duplicate of this bug. ***
I just tried going back to the original RHEL 3 samba, krb5 and openldap packages, and I still get the same problem described here. Trying to access \\netbios\share doesn't work, while \\ip\share does. Is this actually a problem with one of the supporting libraries not samba? What does samba do differently when accessing \\netbios\ compared to \\ip\?
I don't understand this at all. I installed stock RHEL 3 AS and tried connecting samba to an AD domain and it worked fine. I then started upgrading all packages that appeared relevant to samba. I've upgraded samba, openldap, krb5, cups, openssl, laus-libs, pam, glibc, cyrus-sasl, shadow-utils and the kernel. After doing so, samba still works. Finally, I upgraded all the packages on the machine and samba still works correctly! My real RHEL 3 server machine displays the problems mentioned above. I've tried going back to the original versions of samba, openldap and krb5, and still get the netbios name errors. The only difference between the two machines are their DNS domains. The one that doesn't work is in global.company.com, the one that does work is in clients.global.company.com. I'm going to change domains and see if that has any effect.
The problem here is that client machines look up the computer in AD, find a CIFS kerberos service principal (SPN) listed against it and try to connect using krb (which fails). When connecting to IP or an alias there is no SPN and the client uses NTLMSSP for authentication. Check whether the RHES server in your working domain has a CIFS SPN for the server. For a workaround you can create a netbios alias on the server and connect to that by name, or you can try removing the CIFS SPN for your server (I haven't tested this - but it should work).
Thank you for the response. Adding an alias in WINS does solve the problem. My company uses a global.company.com AD domain. Putting the server into the clients.global.company.com DNS domain fixes the problem as well - I'm not sure why this is the case, as the AD entry doesn't change. We are not using Microsoft DNS. So is the problem with the kerberos libraries or samba? I've seen reports that MIT kerberos 1.3.x still doesn't solve the problem. I'm trying to find a solution to make my existing server work correctly, but haven't found one yet.
A little bit of googling revealed this recently posted patch along with an explanation: http://people.redhat.com/nalin/test/samba-3.0.8pre1-salt-3.patch Basically it boils down to: unjoin your server from the domain and make sure the domain account is completely gone in AD users and computers, and then rejoin it. This is the course of action I will try, since I had the problem when I moved from 3.0.4 -> 3.0.7 and I have upgraded my krb5 libs to 1.3.x to try and resolve my issues. Otherwise you could try upgrading to 3.0.8pre1 from Redhat or backporting the patch to 3.0.7. I will report back with any successes or failures.
The patch seems to come from a person at RedHat.. Does that mean it will make it into samba-3.0.8 from samba or will it be in the RedHat release only? Or will it even make it into 3.0.8?
Jeremy is working on it. But the patch only works with MIT krb5. So we will have to make it compatible with Heimdal before it makes it into the final Samba release. We're shooting for having it in 3.0.8.
As a temporary workaround for the problem, deleting all of the servicePrincipalName entries for the Samba server does work, as suggested previously.
Still having problems with 3.0.8 release... Compiled myself...
-------- Join Command Line ---------
[root@kpride root]# /opt/samba/bin/net ads join -U phopp
phopp's password:
Using short domain name -- ADMIN
[2004/11/13 14:36:33, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password BEAST$@ADMIN.MTU.EDU@ADMIN.MTU.EDU failed: Client not found in Kerberos database
Segmentation fault
---------
phopp is an enterprise/domain admin.
----------------
-------- Config line -------
./configure --prefix=/opt/samba --with-quotas --with-ads --with-ldap --with-smbwrapper
--------- Output from log.smbd ---------
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
----- Active Directory/LDAP entry that DOES show up after the net ads join command even though it segfaults -------
#-------------------------------------------------------------------------------
# This file has been generated on 11.13.2004 at 14:50 from fabfour.admin.mtu.edu:389
# by Softerra LDAP Browser 2.6 (http://www.ldapbrowser.com)
#-------------------------------------------------------------------------------
version: 1
dn: CN=beast,CN=Computers,DC=admin,DC=mtu,DC=edu
accountExpires: 9223372036854775807
codePage: 0
cn: beast
countryCode: 0
dNSHostName: beast.admin.mtu.edu
instanceType: 4
isCriticalSystemObject: FALSE
lastLogon: 127448483601013750
logonCount: 2
distinguishedName: CN=beast,CN=Computers,DC=admin,DC=mtu,DC=edu
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=admin,DC=mtu,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID:: - REMOVED -
objectSid:: - REMOVED -
operatingSystem: Samba
operatingSystemVersion: 3.0.8
primaryGroupID: 515
pwdLastSet: 127448481927986408
name: beast
sAMAccountName: beast$
sAMAccountType: 805306369
servicePrincipalName: CIFS/beast.admin.mtu.edu
servicePrincipalName: CIFS/beast
servicePrincipalName: HOST/beast.admin.mtu.edu
servicePrincipalName: HOST/beast
userAccountControl: 2166784
userPrincipalName: HOST/beast@ADMIN.MTU.EDU
uSNChanged: 11430102
uSNCreated: 11430102
whenChanged: 20041113193754.0Z
whenCreated: 20041113193632.0Z
createTimeStamp: 20041113193632.0Z
modifyTimeStamp: 20041113193754.0Z
subSchemaSubEntry: CN=Aggregate,CN=Schema,CN=Configuration,DC=admin,DC=mtu,DC=edu
Yes, still the same with 3.0.8. It seems like some parts of the RedHat patch have been applied, but not everything. Removing the "servicePrincipalName" entries from the domain machine account helps as already reported.
Check your setup. "some parts of the RedHat patch have been applied, but not everything" was intentional, as parts of the RedHat patch were incorrect (not to criticise the author, who did a wonderful job, but he was working on MIT only; we have to work on MIT and Heimdal). This code was tested for 3.0.8 and has been reported to work well by a number of sites. Jeremy.
Hello,
Exactly the same behavior as described by patrick and Johann. The same segfault while trying the net ads join "OU" and the same host$@REALM@REALM odd error message, and the same
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
while trying to access the share. I had continued my investigation on this and I found some other odd behavior that may help us solve this problem:
- wbinfo (-u and -g) works without any problem but "getent passwd" does only answer the "files" part of my /etc/nsswitch.conf whereas there is a "winbind" option added to the right lines.
- The klist command does not show any kerberos ticket granting ticket (the krbtgt line) and no service (host/ or cifs/) associated after the net ads's segfault. I think it's the reason why spnego fails. In what I understood of the kerberos protocol, without a ticket granting ticket you can not verify any incoming ticket.
- This is not a failure while creating the host in AD. When running a setspn command on my AD (it shows the service principal names associated to a host) the host and the CIFS principals are there. It's really a problem while trying to retrieve them to the remote host.
- This is not linked to the name of the host. I changed it so as to eliminate any garbage due to my many attempts with the "-n" option of the net command, without more success.
- It's not due to the --with-quotas and --with-smbwrapper because I have the same problem and I do not use these options.
- I also created an existing account directly in the AD and tried to join it. It also fails but there is an interesting piece of information given: it finds the host@REALM account to use it and does not search the HOST@REALM@REALM like while trying to get the principals.
So I think there is something odd in the get_service_ticket call.
The var used in this call is machine_account, created by the call:

    asprintf(&machine_account, "%s$@%s", global_myname(), lp_realm());
    if (machine_account == NULL) {
        goto out;
    }

and used in this call:

    if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, LIBADS_CCACHE_NAME)) != 0) {
        DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n",
                 machine_account, lp_realm(), error_message(err)));
        goto out;
    }

So in our case lp_realm() seems to return REALM@REALM. I do not know where to search further ... For the conf, I followed in the main line (I run a redhat 9) the howto from gentoo you can find at http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
I have experienced a similar issue since Samba 3.0.2. My current system is Samba 3.0.9 + Kerberos 1.3.5 + Fedora Core 3 system. Steps to reproduce the issue:
1. The server joins a Win2k AD; the share can be accessed via hostname or IP address without any problems from a Win2k client which is in the domain (no username & password are required)
2. The server leaves ADS (I called 'net ads leave' without any errors)
3. Rejoin the same Win2k AD
4. When I try to access the same share via the hostname from the same Win2k client, the username and password are required, though it won't work even if I input the correct password
5. The share can still be accessed via IP address without any problems (no username & password are required)
6. Log off the Win2k client, then log in again; the share can be accessed via hostname without any problems again
I checked the logs, and see some errors like "Failed to verify incoming ticket" too. The point is the different behaviour on the 1st join and 2nd join.
After months of fighting ... perhaps the end of the tunnel! Redone an install using samba 3.09 source on my redhat 9 krb5 1.27 distrib. Once the bug 2035 was corrected (the net ads join), the patch really did its job. The segfault and the REALM@REALM have been corrected. Same thing for the getent passwd and getent group. After some other changes on the $MANPATH, $PATH, and of course the /etc/pam.d scripts and the smb.conf and krb5.conf files, only the
[2004/09/21 19:28:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
remains. While searching for a solution I found an interesting bug message in my windows log: "Conflicting principals...." So I changed my client PC (using the same client OS with the same patch level) and ... everything works!!!!! I think that due to my intensive testing of the last weeks, the installs/uninstalls done, some mess has occurred with my credentials, but the install works for everybody except me. I found this just before going home today. I will verify everything tomorrow and if I'm right, I'll try to give you some piece of information that may help you.
sorry... that was the 2036 bug. Oops :-)
All verifications done, all is working without fault. The shutdown of my PC has corrected the mess about my profile. Thanks for all people in the samba team and others for this great job. Is someone still there needing help ?
The original bug reported here has been fixed to the best of our knowledge (using an incorrect salt when generating the DES keys) and based on feedback from the original reporters. I'm closing this one out so that it doesn't become a catch all for kerberos bugs and/or misconfigurations. New bugs reports are welcome (generally on a per person basis to keep the details clear).
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.