On Fri Jul 30 17:10:45 2004 nuno.silva at novabase.pt (Nuno Silva) wrote:
> > I'm trying to get Samba 3.0.2 working against a Windows 2003 Active
> > Directory. I can join the Linux box (RedHat Advanced Server) to the
> > domain using "net ads join" and it appears in the Windows machine's
> > Users and Computers snap in but when trying to map a drive from
> > Windows you just get a continuous password dialog box and on the
> > Linux box Samba produces the following error in the Samba log:
> >
> > Smbd/sesssetup.c:reply_spnego_kerberos(173)
> > Failed to verify incoming ticket!
>
> This is probably a problem with your kerberos version.
I have been having the very same problem and managed to solve this. I'm posting an answer to this question so that others can find this if needed. (I'm not subscribed to the list, so please CC follow-ups if needed).

The problem is, as you said, with the Kerberos version. I first used MIT's implementation of Kerberos. Samba clients could correctly access my Samba server (and I could see the KRB requests going to and from the Win2k AD server), but as soon as I tried to do the same with a Windows-based client, nothing worked: the Windows box kept asking for a valid user/pass whereas the given ones were correct, and I got the same "failed tickets" entries in my smbd logs.

I solved the problem by compiling samba (3.0.7) against Heimdal Kerberos instead of MIT. As far as I understand the problem, this is due to MIT not supporting the kind of encryption the Windows client is using to get the tickets (this explains the problem not occurring with Samba clients).

Here is my smb.conf, in case it's needed:

-----
password server = ADVSERV
security = ADS
realm = EXAMPLE.COM
encrypt passwords = yes
client use spnego = no
username map = /usr/local/samba-ads/lib/username_map
workgroup = EXAMPLE
auth methods = winbind
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000

[tmp]
path = /tmp
browsable = yes
writeable = yes
preserve case = yes

[homes]
comment = Home Directories
valid users = %S
force user = %S
writable = yes
guest ok = no
browseable = no
-----

And (roughly) the process I followed to register the machine was:

# kinit [EMAIL PROTECTED]
[EMAIL PROTECTED]'s Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [EMAIL PROTECTED]
Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time: Oct 28 14:38:00 2004
End time: Oct 29 00:38:00 2004
Renew till: Nov 4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

# net ads join
Using short domain name -- EXAMPLE
Joined 'FOO' to realm 'EXAMPLE.COM'

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [EMAIL PROTECTED]
Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time: Oct 28 14:38:00 2004
End time: Oct 29 00:38:00 2004
Renew till: Nov 4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

Server: [EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time: Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time: Oct 29 00:38:00 2004
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:172.20.0.133

Server: kadmin/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time: Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time: Oct 29 00:38:00 2004
Ticket flags: pre-authenticated
Addresses: IPv4:172.20.0.133

At this point, I could have Windows-using users connect to the Samba server, and mapped to Unix users thanks to the username map.

--
Olivier Mehani <[EMAIL PROTECTED]>
Free&ALter Soft/Linbox - Paris
http://www.linbox.com
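The post pins the failure on an encryption-type mismatch: every ticket in the klist output above is arcfour-hmac-md5, and the Kerberos library Samba was built against did not handle it. The script below is an added example (not from the post, Samba or Heimdal); it parses `klist -v` output laid out like the post's and flags tickets whose enctype is outside a caller-supplied set of enctypes the local library supports. The sample cache text and its principal names are constructed, and the "old MIT" enctype set is an assumption standing in for whatever a given build actually supports (check `klist -e` or the library's documentation for the real list). Note also that arcfour-hmac-md5 is RC4, which current Kerberos deployments retire in favour of AES enctypes.

```python
"""Parse `klist -v` output and flag ticket enctypes the local Kerberos library
cannot verify.  Added example, not code from the post or from Samba/Heimdal.
The layout follows the klist output quoted in the post; the supported-enctype
set is an assumption supplied by the caller, not read from any library."""
from dataclasses import dataclass, field

# Constructed sample in the same shape as the post's `klist -v` output.
# Principal names are placeholders; only the realm EXAMPLE.COM comes from the post.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user@EXAMPLE.COM
Cache version: 4

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Ticket etype: arcfour-hmac-md5
Auth time: Oct 28 14:38:00 2004
End time: Oct 29 00:38:00 2004
Renew till: Nov 4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

Server: host/foo.example.com@EXAMPLE.COM
Ticket etype: arcfour-hmac-md5
Auth time: Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time: Oct 29 00:38:00 2004
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:172.20.0.133

Server: ldap/dc.example.com@EXAMPLE.COM
Ticket etype: des-cbc-md5
Auth time: Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time: Oct 29 00:38:00 2004
Ticket flags: pre-authenticated
Addresses: IPv4:172.20.0.133
"""

# Assumed enctype set for a Kerberos build that lacks RC4 support, standing in
# for the MIT build the post describes.  Replace with the real list for your library.
OLD_MIT_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}


@dataclass
class Ticket:
    server: str
    etype: str = ""
    flags: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # remaining "Key: value" lines


def parse_klist(text):
    """Split klist -v output into one Ticket per 'Server:' block."""
    tickets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        # Split on the first colon only; times and FILE:/... values contain colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Server":
            current = Ticket(server=value)
            tickets.append(current)
        elif current is None:
            continue  # cache header lines before the first ticket
        elif key == "Ticket etype":
            current.etype = value
        elif key == "Ticket flags":
            current.flags = [f.strip() for f in value.split(",") if f.strip()]
        else:
            current.fields[key] = value
    return tickets


def unsupported_tickets(tickets, supported_etypes):
    """Return (server, etype) pairs the local library could not verify."""
    return [(t.server, t.etype) for t in tickets if t.etype not in supported_etypes]


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for server, etype in unsupported_tickets(tickets, OLD_MIT_ETYPES):
        print(f"{server}: enctype {etype} not supported by local Kerberos build")
```

Run against a real cache with `klist -v | python3 check_etypes.py` after swapping `SAMPLE_KLIST` for `sys.stdin.read()`; a non-empty report is the condition the post resolved by rebuilding against Heimdal, and on a current system it is instead the cue to move the accounts involved off RC4.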
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba