Bug 1717 - incorrect salt used when generating kerberos DES keys
Summary: incorrect salt used when generating kerberos DES keys
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.6
Hardware: x86 Linux
Importance: P3 major
Target Milestone: none
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 1739 1775
Depends on: 1651
Blocks:

Reported: 2004-09-03 06:41 UTC by thomas constans
Modified: 2005-08-24 10:22 UTC

Attachments
smb.conf (1.28 KB, text/plain), 2004-09-03 07:00 UTC, thomas constans
krb5.conf (675 bytes, text/plain), 2004-09-03 07:02 UTC, thomas constans
Log10 from specific host (42.73 KB, text/plain), 2004-09-11 15:48 UTC, Patrick Hopp
smbd log file (4.41 KB, text/plain), 2004-09-11 15:48 UTC, Patrick Hopp
sambalog 10 from client (141.08 KB, application/octet-stream), 2004-10-07 03:01 UTC, Michael Arlt
Our smb.conf for the last log10 (4.70 KB, text/plain), 2004-10-07 03:02 UTC, Michael Arlt

Description thomas constans 2004-09-03 06:41:45 UTC
platform: Redhat ES 3.0
samba is a member of a win 2000 Active Directory
after upgrading from 3.0.4 to 3.0.6 via rhn, users are no longer able to access
shares on the samba server.

a login message box keeps popping up
message "failed to verify incoming ticket" in samba logs

I suspect the samba upgrade to be responsible because another server with the same
samba / kerberos configuration and samba 3.0.4 works perfectly
Comment 1 thomas constans 2004-09-03 07:00:35 UTC
Created attachment 638
smb.conf

here is smb.conf
Comment 2 thomas constans 2004-09-03 07:02:23 UTC
Created attachment 639
krb5.conf
Comment 3 TJ Horlacher 2004-09-09 06:06:50 UTC
I too have experienced the same issue. After upgrading to 3.0.6 from 3.0.5, 
clients receive access denied on shares. Log shows "failed to decrypt with 
error Bad encryption type". Kinit and klist work properly. This was a server 
that has been working under 3.0.5 flawlessly. Member server, ADS, net ads join 
succeeds. The configuration of this server, krb5 and samba, is the same on 
other servers within organization using 3.0.5. After install of 3.0.6 this 
server is broken.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2004-09-09 06:32:46 UTC
*** Bug 1739 has been marked as a duplicate of this bug. ***
Comment 5 Gerald (Jerry) Carter (dead mail address) 2004-09-10 12:27:26 UTC
Please attach a level 10 debug log of the failure to this report.
(as an attachment.  please do not post it in the comment field).
Thanks.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2004-09-10 12:28:27 UTC
Am not able to reproduce this after joining the domain 
with Samba 3.0.5 and then upgrading to 3.0.6 (SuSE 9.1 pro,
Heimdal 0.61rc3).
Comment 7 Gerald (Jerry) Carter (dead mail address) 2004-09-10 13:15:41 UTC
Here's another comment from the Samba ml.  This may 
not be the same bug though.  It is however another data 
point. 

---- original mail from Jost T <mortonjt@rochester.rr.com> -----
| I've had this problem since a Samba.org .deb package
| upgrade 3.0.5 to 3.0.6 on Debian stable.  Domain is ADS
| Windows 2000 Native - both domain controllers are  W2K
| Server SP4.  I'm using an XP SP2 PC and a Windows 2000
| Server SP4 PC as clients to test (simply because
| they're by my desk).
|
| Yesterday, I set up a fresh test install of debian
| stable (under VMWare) and installed from source MIT
| Kerberos 1.3.4, OpenLDAP 2.2.15, and Samba 3.0.6 to
| see if it was a problem with Debian Stable's older
| kerberos.  But I had the same problem - \\ipaddress
| worked, but \\name didn't.
|
| So I removed Samba 3.0.6 via:
| stopping the daemons
| net ads leave
| make uninstall in the source dir
| manually deleting /lib/libnss_win*
| manually deleting any samba related files in
| /var/log & /var/run, etc.
|
| I then downloaded and compiled Samba 3.0.5 and
| set it up.  It was working last night, however
| this morning I started having the same problems...
Comment 8 Patrick Hopp 2004-09-11 15:46:38 UTC
Having the exact same problem as the person who created the ticket.  Redhat AS 3.0,
samba quit working after recent upgrade from 3.0.4 to 3.0.6.  Will try to post
to RedHat as well.  Will attach log10 entries shortly.  Went as far as
uninstalling samba and krb5 from the box and manually compiled krb5 1.3.5 from
MIT and Samba 3.0.5, 3.0.6, and latest CVS.  Same problem all the way around.
Samba started misbehaving for me after the large "quarterly update" from
RedHat.  Upgraded a bunch of packages, could be one of the other packages
that were upgraded killed Samba, but I'm not technical enough to determine
which one.
Comment 9 Patrick Hopp 2004-09-11 15:48:13 UTC
Created attachment 645
Log10 from specific host

This is from the /var/log/samba/<machineIP>.log
Comment 10 Patrick Hopp 2004-09-11 15:48:33 UTC
Created attachment 646
smbd log file

Log10 from smbd
Comment 11 Patrick Hopp 2004-09-13 06:04:55 UTC
Got a response from RedHat; doesn't help the other OS people very much:

Red Hat is aware of the problem and we are currently investigating a fix for 
the issue. As a workaround, we recommend that customers revert back to the 
previous samba release, 3.0.4 for now. If you have a support contract with Red 
Hat, please feel free to open a trouble ticket at 
http://www.redhat.com/support/ to have your problem resolved. Kent Baxley   
Comment 12 TAKAHASHI Motonobu 2004-09-21 06:31:46 UTC
I met the same problem on Samba 3.0.7

-----
[2004/09/21 19:28:36, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt 
integrity check failed
[2004/09/21 19:28:36, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/09/21 19:28:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/21 19:28:36, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/09/21 19:28:36, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
----------

The problem will occur when the KDC (DC)'s name cannot be resolved with DNS.
After setting /etc/resolv.conf correctly to resolve the KDC's name, restarting smbd/nmbd
and re-logging in from Windows, I can connect to the Samba server.
Comment 13 Patrick Hopp 2004-09-23 11:20:21 UTC
I did the RHN update today to 3.0.7 and it appears to be 'fixed'
Comment 14 Frederic leger 2004-09-24 02:14:59 UTC
I'm the final user. And RPM samba 3.0.7-1.3E corrects this bug completely. This
bug can be closed.
Comment 15 Richard de Vroede 2004-09-24 03:34:49 UTC
This is not a RedHat only issue. I'm experiencing this in Debian. 
 
This is the culprit: 
[2004/09/21 19:28:36, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193) 
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed 
 
Somehow the des-cbc-md5 decryption is failing. krb5_rd_req fails to return the decrypted ticket. 
Most likely because of wrong parameters. 
 
I first suspected the pre-execution of the new keytab code garbling up the ticket, but disabling the 
parameter in smb.conf with "use kerberos keytab = no" provided the same results. 
 
Providing the server's name in /etc/hosts makes no difference except for the name_to_fqdn 
function to succeed instead of fail. 
 
Comment 16 Levente Farkas 2004-09-27 01:46:15 UTC
we also use rhel 3.0 with samba-3.0.7-1.3E but the bug does NOT disappear! So this
bug has to stay open. Or should someone tell me what else we can do to fix this bug?
Comment 17 Richard de Vroede 2004-09-29 07:51:51 UTC
Upgrading to 3.0.8pre1 from SVN fixed this issue for me.

Sadly I'm stuck now with leaving and joining groups not obeying permissions, but
that's a different story, ehrm, bug.
Comment 18 Patrick Hopp 2004-09-30 17:13:35 UTC
Ok..  I was wrong, it worked for about an hour...   It's dead again.  Not a 
clue what's causing it..   Can still access \\<ip addy>
Comment 19 Levente Farkas 2004-10-01 03:19:37 UTC
we found a workaround!
Since we recognized that the "netbios aliases" names are working (i.e. with
\\alias\) while the "netbios name" is not (i.e. only with \\<ip address>\), we
simply renamed the samba server, joined it to the domain, and added the original name as
another "netbios aliases" entry. So now all clients are working and see the samba server
as before (we just have one more name, the current netbios name, in the domain, and
it's not working by name).
Comment 20 TJ Horlacher 2004-10-04 08:12:48 UTC
In our case the access denied / kerberos invalid ticket issue with samba later
than 3.0.5 was being caused from using single quotes instead of double quotes
within the smb.conf file. i.e. valid users="domain\domain users" instead of
'domain\domain users'.

Comment 21 Levente Farkas 2004-10-04 14:35:13 UTC
we don't have any quotes anywhere in the conf file, so it cannot be the reason
in our case :-(
Comment 22 Michael Arlt 2004-10-07 03:01:36 UTC
Created attachment 704
sambalog 10 from client

We have two domains: universa (ads 2003) and universa.hv (a trusted nt4
domain).
User universa\deda logs on to domain universa (ad-servers ads1, ads2, ads3).
A login script mounts several network drives from \\servgs25.
When mounting the first drive (\\servgs25\prog) he is prompted for username and
password (approximately at 09:59:nn). The login script hangs (waiting for
password). After half an hour he pressed "return" in the DOS-box. Now he gets
all other drives mounted. This happens sporadically.
Comment 23 Michael Arlt 2004-10-07 03:02:12 UTC
Created attachment 705
Our smb.conf for the last log10
Comment 24 Michael Arlt 2004-10-07 03:04:11 UTC
Comment on attachment 704
sambalog 10 from client

Samba 3.0.7 packages from samba.org on Debian Woody (up to date)
Comment 25 Guenther Deschner 2004-10-07 09:21:06 UTC
Reproduced with SuSE 9.1, samba 3.0.8pre2, heimdal-0.6.1rc3 + various fixes and
win2k sp4.
Comment 26 Alexander Kolesnik 2004-10-08 07:37:59 UTC
Got this problem too on Fedora Core 2, Samba 3.0.7, standard (for FC2) Kerberos5
libs.
The most strange thing is that I can connect to shares from W2K, W2K3, WinXP
(_not_ a domain member), but cannot from WinXP (domain member)!

Here is a log10 part:
[2004/10/08 18:18:36, 10] lib/util.c:name_to_fqdn(2442)
  name_to_fqdn: lookup for MASTER -> master.mydomain.com.
[2004/10/08 18:18:36, 10] passdb/secrets.c:secrets_named_mutex(702)
  secrets_named_mutex: got mutex for replay cache mutex
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad
encryption type
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad
encryption type
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad
encryption type
[2004/10/08 18:18:36, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/10/08 18:18:36, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad
encryption type
[2004/10/08 18:18:36, 10] passdb/secrets.c:secrets_named_mutex_release(714)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/10/08 18:18:36, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/10/08 18:18:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/10/08 18:18:36, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Comment 27 Mark R 2004-10-08 14:47:22 UTC
Hello, I was having this same problem for a few hours, on Debian 3.1. After
beating my head up against the wall, I noticed this

[2004/10/08 21:41:05, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Clock skew too great

in the winbindd log file. 

I then checked the date (newly installed system) and found it to be a few hours
ahead of the normal time. Running ntpdate fixed my issue. I hope this helps
someone else fix their problem.
Comment 28 step 2004-10-10 08:57:50 UTC
*** Bug 1775 has been marked as a duplicate of this bug. ***
Comment 29 Joshua Weage 2004-10-20 07:26:20 UTC
I just tried going back to the original RHEL 3 samba, krb5 and openldap
packages, and I still get the same problem described here.  Trying to access
\\netbios\share doesn't work, while \\ip\share does.

Is this actually a problem with one of the supporting libraries not samba?  What
does samba do differently when accessing \\netbios\ compared to \\ip\?

Comment 30 Joshua Weage 2004-10-20 11:56:32 UTC
I don't understand this at all.  I installed stock RHEL 3 AS and tried
connecting samba to an AD domain and it worked fine.  I then started upgrading
all packages that appeared relevant to samba.  I've upgraded samba, openldap,
krb5, cups, openssl, laus-libs, pam, glibc, cyrus-sasl, shadow-utils and the
kernel.  After doing so, samba still works.  Finally, I upgraded all the
packages on the machine and samba still works correctly!

My real RHEL 3 server machine displays the problems mentioned above.  I've tried
going back to the original versions of samba, openldap and krb5, and still get
the netbios name errors.

The only difference between the two machines are their DNS domains.  The one
that doesn't work is in global.company.com, the one that does work is in
clients.global.company.com.  I'm going to change domains and see if that has any
effect.

Comment 31 Shane McMaster 2004-10-20 15:06:09 UTC
The problem here is that client machines look up the computer in AD, find a
CIFS kerberos service principal (SPN) listed against it and try to connect
using krb (which fails). When connecting to IP or an alias there is no SPN and
the client uses NTLMSSP for authentication.

Check whether the RHES server in your working domain has a CIFS SPN for the
server. For a workaround you can create a netbios alias on the server and
connect to that by name, or you can try removing the CIFS SPN for your server (I
haven't tested this - but it should work)
Comment 32 Joshua Weage 2004-10-21 07:12:46 UTC
Thank you for the response.

Adding an alias in WINS does solve the problem.  My company uses a
global.company.com AD domain.  Putting the server into the
clients.global.company.com DNS domain fixes the problem as well  - I'm not sure
why this is the case, as the AD entry doesn't change.  We are not using
Microsoft DNS.

So is the problem with the kerberos libraries or samba?  I've seen reports that
MIT kerberos 1.3.x still doesn't solve the problem.  I'm trying to find a
solution to make my existing server work correctly, but haven't found one yet.
Comment 33 Shane McMaster 2004-10-21 14:26:08 UTC
A little bit of googling revealed this recently posted patch along with an
explanation

http://people.redhat.com/nalin/test/samba-3.0.8pre1-salt-3.patch

Basically it boils down to: Unjoin your server from the domain and make sure the
domain account is completely gone in AD users and computers and then rejoin it.
This is the course of action I will try since I had the problem when I moved
from 3.0.4 -> 3.0.7 and I have upgraded my krb5 libs to 1.3.x to try and resolve
my issues.

Otherwise you could try upgrading to 3.0.8pre1 from Redhat or backporting the
patch to 3.0.7

I will report back with any successes or failures.
Comment 34 Patrick Hopp 2004-10-27 05:29:31 UTC
The patch seems to come from a person at RedHat..  Does that mean it will make 
it into samba-3.0.8 from samba or will it be in the RedHat release only?  Or 
will it even make it into 3.0.8?
Comment 35 Gerald (Jerry) Carter (dead mail address) 2004-10-27 06:47:07 UTC
Jeremy is working on it.  But the patch only works 
with MIT krb5.  So we will have to make it compatible 
with Heimdal before it makes it into the final Samba 
release.  We're shooting for having it in 3.0.8.
Comment 36 Joshua Weage 2004-10-27 07:58:02 UTC
As a temporary workaround for the problem, deleting all of the
servicePrincipalName entries for the Samba server does work, as suggested
previously.

Comment 37 Patrick Hopp 2004-11-13 12:57:25 UTC
Still having problems with 3.0.8 release...  Compiled myself...

-------- Join Command Line ---------
[root@kpride root]# /opt/samba/bin/net ads join -U phopp
phopp's password:
Using short domain name -- ADMIN
[2004/11/13 14:36:33, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password 
BEAST$@ADMIN.MTU.EDU@ADMIN.MTU.EDU failed: Client not found in Kerberos database
Segmentation fault

---------
phopp is an enterprise/domain admin.

---------------- 

--------   Config line -------
./configure --prefix=/opt/samba --with-quotas --with-ads --with-ldap --with-
smbwrapper

---------  Output from log.smbd ---------
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!


----- Active Directory/LDAP entry that DOES show up after the net ads join 
command even though it segfaults  -------

#-------------------------------------------------------------------------------
# This file has been generated on 11.13.2004 at 14:50 from 
fabfour.admin.mtu.edu:389
# by Softerra LDAP Browser 2.6 (http://www.ldapbrowser.com)
#-------------------------------------------------------------------------------
version: 1
dn: CN=beast,CN=Computers,DC=admin,DC=mtu,DC=edu
accountExpires: 9223372036854775807
codePage: 0
cn: beast
countryCode: 0
dNSHostName: beast.admin.mtu.edu
instanceType: 4
isCriticalSystemObject: FALSE
lastLogon: 127448483601013750
logonCount: 2
distinguishedName: CN=beast,CN=Computers,DC=admin,DC=mtu,DC=edu
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=admin,DC=mtu,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID:: - REMOVED -
objectSid:: - REMOVED -
operatingSystem: Samba
operatingSystemVersion: 3.0.8
primaryGroupID: 515
pwdLastSet: 127448481927986408
name: beast
sAMAccountName: beast$
sAMAccountType: 805306369
servicePrincipalName: CIFS/beast.admin.mtu.edu
servicePrincipalName: CIFS/beast
servicePrincipalName: HOST/beast.admin.mtu.edu
servicePrincipalName: HOST/beast
userAccountControl: 2166784
userPrincipalName: HOST/beast@ADMIN.MTU.EDU
uSNChanged: 11430102
uSNCreated: 11430102
whenChanged: 20041113193754.0Z
whenCreated: 20041113193632.0Z
createTimeStamp: 20041113193632.0Z
modifyTimeStamp: 20041113193754.0Z
subSchemaSubEntry: 
CN=Aggregate,CN=Schema,CN=Configuration,DC=admin,DC=mtu,DC=edu
Comment 38 Johann Hanne 2004-11-15 07:50:53 UTC
Yes, still the same with 3.0.8. It seems like some parts of the RedHat patch 
have been applied, but not everything. Removing the "servicePrincipalName" 
entries from the domain machine account helps as already reported.
Comment 39 Jeremy Allison 2004-11-15 11:39:18 UTC
Check your setup. "some parts of the RedHat patch have been applied, but not
everything" was intentional, as parts of the RedHat patch were incorrect (not to
criticise the author who did a wonderful job, but he was working on MIT only, we
have to work on MIT and Heimdal). This code was tested for 3.0.8 and has been
reported to work well by a number of sites.
Jeremy.
Comment 40 step 2004-11-18 20:13:19 UTC
Hello,
Exactly the same behavior as described by Patrick and Johann.
The same segfault while trying the net ads join "OU"
and the same host$@REALM@REALM odd error message.
and the same
[2004/11/13 14:39:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
while trying to access the share.
I had continued my investigation on this and I found some other odd behavior
that may help us solve this problem:
   - wbinfo (-u and -g) works without any problem but "getent passwd" only
answers the "files" part of my /etc/nsswitch.conf whereas there is a
"winbind" option added to the right lines.
   - The klist command does not show any kerberos ticket granting ticket (the
krbtgt line) and no service (host/ or cifs/) associated after the net ads
segfault. I think it's the reason why spnego fails. In what I understood of the
kerberos protocol, without a ticket granting ticket you cannot verify any
incoming ticket.
   - This is not a failure while creating the host in AD. When running a setspn
command on my AD (it shows the service principal names associated to a host)
the host and the CIFS principals are there. It's really a problem while trying
to retrieve them to the remote host.
   - This is not linked to the name of the host. I changed it so as to
eliminate any garbage due to my many attempts with the "-n" option of the net
command, without more success.
   - It's not due to the --with-quotas and --with-smbwrapper because I have the
same problem and I do not use these options.
   - I also created an existing account directly in the AD and tried to join
it. It also fails but there is an interesting piece of information given: it finds the
host@REALM account to use and does not search for HOST@REALM@REALM as it does while
trying to get the principals. So I think there is something odd in the
get_service_ticket call.

The var used in this call is machine_account, created by the call:

	/* builds "<netbios name>$@<realm>" */
	asprintf(&machine_account, "%s$@%s", global_myname(), lp_realm());
	if (machine_account == NULL) {
		goto out;
	}

used in this call:

	if ((err = kerberos_kinit_password(machine_account, password, 0, NULL,
					   LIBADS_CCACHE_NAME)) != 0) {
		/* the format string appends "@" and lp_realm() after machine_account */
		DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n",
			machine_account,
			lp_realm(),
			error_message(err)));
		goto out;
	}

So in our case lp_realm() seems to return REALM@REALM. I do not know where to
search further ... 

For the conf, I mainly followed (I run a redhat 9) the howto from
gentoo you can find at
http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain

Comment 41 juer 2004-11-24 20:10:50 UTC
I have experienced a similar issue since Samba 3.0.2.

My current system is Samba 3.0.9 + Kerberos 1.3.5 + Fedora Core 3 system.
Steps to reproduce the issue:
1. The server joins a Win2k AD; the share can be accessed via hostname or IP
address without any problems from a Win2k client which is in the domain (no
username & password are required)
2. The server leaves ADS (I called 'net ads leave' without any errors)
3. Rejoin the same Win2k AD
4. When I try to access the same share via the hostname from the same Win2k
client, the username and password are required, though it won't work even if I
input the correct password
5. The share can still be accessed via IP address without any problems (no
username & password are required)
6. Log off the Win2k client, then log in again; the share can be accessed via
hostname without any problems again

I checked the logs, see some errors like "Failed to verify incoming ticket" too.

The point is the different behaviour on the 1st join and 2nd join.
Comment 42 step 2004-11-25 15:13:54 UTC
After months of fighting ... perhaps the end of the tunnel!

Redid an install using samba 3.09 source on my redhat 9 krb5 1.27 distrib.
Once bug 2035 was corrected (the net ads join), the patch really did its job.
The segfault and the REALM@REALM have been corrected. Same thing for the getent
passwd and getent group.
After some other changes on the $MANPATH, $PATH, and of course the /etc/pam.d
scripts and the smb.conf and krb5.conf files, only the
[2004/09/21 19:28:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
remains.
While searching for a solution I found an interesting bug message in my windows log:
"Conflicting principals...." So I changed my client PC (using the same client
OS with the same patch level) and ... everything works !!!!!
I think due to my intensive testing of the last weeks, the installs/uninstalls
done, some mess has occurred with my credentials, but the install works for
everybody except me. I found this just before going home today. I will verify
everything tomorrow and if I'm right, I'll try to give you some piece of
information that may help you.
Comment 43 step 2004-11-25 15:16:31 UTC
sorry... that was the 2036 bug. Oups :-)
Comment 44 step 2004-11-28 17:27:51 UTC
All verifications done, all is working without fault.
The shutdown of my PC has corrected the mess about my profile.
Thanks for all people in the samba team and others for 
this great job.
Is someone still there needing help ?
Comment 45 Gerald (Jerry) Carter (dead mail address) 2004-11-28 20:55:48 UTC
The original bug reported here has been fixed to the best 
of our knowledge (using an incorrect salt when generating
the DES keys) and based on feedback from the original reporters.

I'm closing this one out so that it doesn't become a catch 
all for kerberos bugs and/or misconfigurations.  New bugs 
reports are welcome (generally on a per person basis to keep 
the details clear).
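The closing comment pins the bug on an incorrect salt for the DES keys. The Go program below, added here and not code from Samba, MIT krb5 or the RedHat patch, implements the RFC 3961 DES string-to-key and derives the machine account's des-cbc-md5 (enctype 3) key twice from one password: with the salt of host/beast.admin.mtu.edu@ADMIN.MTU.EDU, which is what Active Directory uses for computer accounts (MS-KILE), and with the salt of the account's own name BEAST$@ADMIN.MTU.EDU, assumed here to stand for the pre-fix choice, so that the two keys differ and a ticket the DC encrypted can never pass the integrity check on the Samba side. The password and realm values are constructed.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// The 16 DES weak and semi-weak keys that RFC 3961 key_correction avoids.
var weakKeys = strings.Fields(`
	0101010101010101 fefefefefefefefe 1f1f1f1f0e0e0e0e e0e0e0e0f1f1f1f1
	01fe01fe01fe01fe fe01fe01fe01fe01 1fe01fe00ef10ef1 e01fe01ff10ef10e
	01e001e001f101f1 e001e001f101f101 1ffe1ffe0efe0efe fe1ffe1ffe0efe0e
	011f011f010e010e 1f011f010e010e01 e0fee0fef1fef1fe fee0fee0fef1fef1`)

// keyCorrection (RFC 3961): force odd parity in the low bit of every byte,
// then if the result is a (semi-)weak key flip the high nibble of byte 7.
func keyCorrection(key []byte) {
	for i, b := range key {
		key[i] = b&0xfe | byte(1-bits.OnesCount8(b&0xfe)%2)
	}
	for _, w := range weakKeys {
		if hex.EncodeToString(key) == w {
			key[7] ^= 0xf0
		}
	}
}

// desStringToKey is the RFC 3961 section 6.2 DES string-to-key behind
// des-cbc-md5 (enctype 3) keys: fan-fold password||salt into 56 bits,
// correct it, then DES-CBC-MAC the zero-padded string under that key
// (IV = key) and correct the result again.
func desStringToKey(password, salt string) []byte {
	s := []byte(password + salt)
	if rem := len(s) % 8; rem != 0 {
		s = append(s, make([]byte, 8-rem)...) // zero pad to whole blocks
	}
	key := make([]byte, 8) // 7 data bits per byte; bit 0 is the parity slot
	for i := 0; i < len(s); i += 8 {
		for j := 0; j < 8; j++ {
			if (i/8)%2 == 0 { // even block: data bits of byte j go to key byte j
				key[j] ^= (s[i+j] & 0x7f) << 1
			} else { // odd block: the 56-bit block is bit-reversed before the XOR
				key[j] ^= bits.Reverse8(s[i+7-j] & 0x7f)
			}
		}
	}
	keyCorrection(key)
	blk, _ := des.NewCipher(key) // cannot fail for an 8-byte key
	mac := append([]byte{}, key...) // CBC chaining value starts at IV = key
	for i := 0; i < len(s); i += 8 {
		for j := 0; j < 8; j++ {
			mac[j] ^= s[i+j]
		}
		blk.Encrypt(mac, mac)
	}
	keyCorrection(mac)
	return mac
}

// principalSalt is the default Kerberos salt for a principal: the realm
// followed by its name components, e.g. "ADMIN.MTU.EDUhostbeast.admin.mtu.edu"
// for host/beast.admin.mtu.edu@ADMIN.MTU.EDU.
func principalSalt(realm string, components ...string) string {
	return realm + strings.Join(components, "")
}

func main() {
	// Constructed values. AD derives a computer account's keys with the salt of
	// host/<lowercase fqdn>@REALM (MS-KILE); salting with the account's own name
	// BEAST$@REALM instead (assumed here to stand for the pre-fix choice) gives
	// a key that cannot decrypt tickets the DC encrypted, hence enctype 3 fails.
	pw, realm := "machine-password-example", "ADMIN.MTU.EDU"
	dcKey := desStringToKey(pw, principalSalt(realm, "host", "beast.admin.mtu.edu"))
	badKey := desStringToKey(pw, principalSalt(realm, "BEAST$"))
	fmt.Printf("DC key: %x  mis-salted key: %x\n", dcKey, badKey)
}
```

Any ticket or authenticator sealed under the DC's key decrypts to noise under the mis-salted key, which is the "Decrypt integrity check failed" that smbd logged for enc type [3] throughout this report.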
Comment 46 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:22:57 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.