Bug 5810 - Kerberos working on samba 3.2.3 PDC, but failing when joining the domain
Summary: Kerberos working on samba 3.2.3 PDC, but failing when joining the domain
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.2.3
Hardware: x86 Linux
: P3 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Depends on:
Reported: 2008-10-06 05:34 UTC by Juan Miguel Corral
Modified: 2009-10-21 09:38 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Juan Miguel Corral 2008-10-06 05:34:34 UTC
Hello. I have a 3.2.3 Samba-LDAP PDC which shares the database with heimdal (so samba passwords are also kerberos passwords). I am able to use kerberos credentials to connect to the PDC shares with "smbclient -k", both on the server and linux workstations.

The problem is that, as soon as I try to join the PDC to its own domain (with "net join"), in order to be able to use winbind on the PDC, then I cannot use kerberos tickets anymore to connect to the PDC's shares, nor from the PDC nor from the workstations.

But if I don't join the PDC to the domain, I can join workstations to the domain, and still use kerberos tickets with "smbclient -k" on them, either these shares are on the PDC or on the workstation itself.

Is it a bug, or is it normal?

This is the [global] section of my smb.conf on the PDC:

        workgroup = CFS
        realm = CFS.ISST
        netbios name = sanmiguel
        server string = Servidor principal
        use kerberos keytab = yes
        use spnego = yes
        client ntlmv2 auth = yes
        username map = /etc/samba/usermap

        debug level = 0
        log file = /var/log/samba/%m.log
        max log size = 5000
        syslog = 0
        log level = 0
        utmp = Yes

        guest account = nobody
        map to guest = Never
        admin users = root addmachine @"Domain Admins"
        enable privileges = yes

        security = user
        encrypt passwords = yes
        os level = 255
        local master = yes
        domain master = yes
        preferred master = yes
        domain logons = yes

        keepalive = 20
        time server = yes
        preserve case = yes
        short preserve case = yes
        case sensitive = no
        null passwords = no

        bind interfaces only = yes
        interfaces = eth0, lo
        hosts allow = 10. 127.
        wins support = yes
        dns proxy = yes

        passdb backend = ldapsam:ldap://
        ldapsam:trusted = yes
        ldap admin dn = krb5PrincipalName=ldapmaster/admin@CFS.ISST,ou=KerberosPrincipals,dc=cfs,dc=isst
        ldap suffix = dc=cfs,dc=isst
        ldap group suffix = ou=Grupos
        ldap user suffix = ou=KerberosPrincipals
        ldap machine suffix = ou=Computadores
        ldap idmap suffix = ou=Idmap
        ldap ssl = On
        ldap delete dn = Yes

        idmap backend = ldap:ldap://
        idmap uid = 10000-15000
        idmap gid = 10000-15000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        client use spnego = yes
        wins server =

        unix password sync = yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = "Changing*for*\nNew password*" %n\n "*Retype new password*" %n\n"

        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add user script = /usr/sbin/smbldap-useradd -m -a "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        dos charset = cp850
        unix charset = UTF8
        display charset = LOCALE
        restrict anonymous = 0

Here are the relevant logs for a succesful kerberos connect (i.e., without joining the domain) from the PDC itself:

[2008/10/04 12:44:33,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 528
[2008/10/04 12:44:33,  1] libads/kerberos_verify.c:ads_secrets_verify_ticket(240)
  ads_secrets_verify_ticket: failed to fetch machine password
[2008/10/04 12:44:33,  3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/sanmiguel.cfs.isst@CFS.ISST
[2008/10/04 12:44:33,  3] libads/kerberos_verify.c:ads_verify_ticket(500)
  ads_verify_ticket: did not retrieve auth data. continuing without PAC
[2008/10/04 12:44:33,  3] smbd/sesssetup.c:reply_spnego_kerberos(356)
  Ticket name is [root@CFS.ISST]
[2008/10/04 12:44:33,  3] smbd/sesssetup.c:reply_spnego_kerberos(430)
  Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
[2008/10/04 12:44:33,  2] lib/smbldap.c:smbldap_open_connection(796)
  smbldap_open_connection: connection opened
[2008/10/04 12:44:33,  3] lib/smbldap.c:smbldap_connect_system(1007)
  ldap_connect_system: successful connection to the LDAP server

And, for last, here is the log of a failed connect attempt (i.e., once the PDC has joined the domain):

[2008/10/04 12:45:43,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 527
[2008/10/04 12:45:43,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2008/10/04 12:45:43,  3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
[2008/10/04 12:45:43,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Conseguido)
[2008/10/04 12:45:43,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/10/04 12:45:43,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/10/04 12:45:43,  3] smbd/process.c:smbd_process(2035)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2008/10/04 12:45:43,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/10/04 12:45:43,  3] smbd/connection.c:yield_connection(31)
  Yielding connection to
[2008/10/04 12:45:43,  3] smbd/server.c:exit_server_common(949)
  Server exit (normal exit)

Thank you very much.
Comment 1 Juan Miguel Corral 2008-10-06 07:31:41 UTC
I think the problem is the following: It loks like when the machine has not joined the domain as a DC, then the requested encryption type is des-cbc-md5, which is supported by the Heimdal KDC. But when it has joined the domain, then it requests rc4-hmac, which is not supported.
But, why this difference?
Comment 2 Eduardo Sachs 2009-02-20 11:44:31 UTC
I have the same problem, anybody know what might be happening?

Thank you!
Comment 3 Juan Miguel Corral 2009-10-21 09:38:35 UTC
It has been SOLVED on 3.4.2. The only thing you need is setting the parameter 
"kerberos method = system keytab" on smb.conf.

It looks like samba versions 3.2 and 3.3 were trying to verify the 
ticket against secrets database, instead of using the keytab first, and 
found wrong data. But 3.4 allows you to restrict the verification to the 
system keytab, so it finds the correct key.

Thank you very much. Best regards,