Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain

Wed, 21 Oct 2009 04:45:09 -0700 

Finally SOLVED!
It works with 3.4.2. The only thing you need is setting the parameter "kerberos method = system keytab" on smb.conf. 


It looks like samba versions 3.2 and 3.3 were trying to verify the 
ticket against secrets database, instead of using the keytab first, and 
found wrong data. But 3.4 allows you to restrict the verification to the 
system keytab, so it finds the correct key.



So now it is possible to make a SSO samba server on lenny, following 
Eduardo's howto. Great!


Thank you very much. Best regards,
Juan.

[2009/10/21 12:44:32,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=12 flg2=0xc801
[2009/10/21 12:44:32,  3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2009/10/21 12:44:32,  3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2009/10/21 12:44:32, 10] smbd/password.c:172(register_initial_vuid)
  register_initial_vuid: allocated vuid = 100
[2009/10/21 12:44:32, 10] smbd/sesssetup.c:1106(check_spnego_blob_complete)
  check_spnego_blob_complete: needed_len = 604, pblob->length = 604
[2009/10/21 12:44:32,  5] smbd/sesssetup.c:735(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.2.840.48018.1.2.2
[2009/10/21 12:44:32,  5] smbd/sesssetup.c:735(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.2.840.113554.1.2.2
[2009/10/21 12:44:32,  5] smbd/sesssetup.c:735(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.3.6.1.4.1.311.2.2.10
[2009/10/21 12:44:32,  3] smbd/sesssetup.c:786(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 538
[2009/10/21 12:44:32, 10] lib/util.c:2626(name_to_fqdn)
  name_to_fqdn: lookup for SANATANASIO -> sanatanasio.cfs.isst.
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libsmb/clikrb5.c:1087(get_key_from_keytab)
  get_key_from_keytab: will look for kvno 2, enctype 23 and name: cifs/[email protected]
[2009/10/21 12:44:32,  3] libads/kerberos_verify.c:238(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/[email protected]
[2009/10/21 12:44:32, 10] libsmb/clikrb5.c:897(get_krb5_smb_session_key)
  Got KRB5 session key of length 16























					Reply via email to