List, Long and confusing message follows... I'm facing a frustrating problem. XP clients can use resoures on the samba server by IP-address, but not by name. So, "net view \\servername" gives "access denied" but "net view \\ipaddress" gives list of shared resources.
Samba server (3.2.7 sernet rpm) is a member server in W2003 domain. I emphasise that with version 3.2.2 or 3.2.3 (around Oct..Nov 2007) and exactly same configuration everything did work perfectly. After that there has been a couple months worth of win hotfixes and upgrade to 3.2.7. I did read the change texts, but didn't find a clue there. Below is level 5 log when client does "net view": [2009/01/28 11:03:39, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282) ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed [2009/01/28 11:03:39, 3] libads/kerberos_verify.c:ads_verify_ticket(458) ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type) [2009/01/28 11:03:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(350) Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! I foud a entry in bugzilla (https://bugzilla.samba.org/show_bug.cgi?id=1010). The symptoms are the same but I do not have "permitted enctypes" defined in the krb5.conf. Like in the bugzilla entry, command line authentication works, but somehow samba just cant use it. # wbinfo -a userid%password plaintext password authentication succeeded challenge/response password authentication succeeded Samba does not try to communicate with the domain controllers when client does "net view". Here's a capture of what happens (192.168.2.6 is the samba server and .128 is the xp client): Capturing on eth0 0.000000 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [SYN, ACK] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 WS=7 0.000792 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [ACK] Seq=1 Ack=137 Win=54 Len=0 0.003626 192.168.2.6 -> 192.168.2.128 SMB Negotiate Protocol Response 0.004591 192.168.2.6 -> 192.168.2.128 TCP microsoft-ds > 15644 [ACK] Seq=197 Ack=1729 Win=100 Len=0 0.006558 192.168.2.6 -> 192.168.2.128 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE Samba should have asked authentication from the AD DC, right? So I think that the tickets are cached somewhere. But where? And if they are, how to purge the tickets? As root only ticket klist is the one which was used when the system was setup. Deleting that ticket and renewing does not help. ------------------------------ smb.conf: [global] log level = 5 server string = IT-testi (Samba 3.2.7) workgroup = WG-NAME load printers = no realm = ORG.LOCAL security = ads winbind use default domain = yes winbind enum users = yes winbind enum groups = yes idmap domains = WG-NAME idmap config WG-NAME:default = yes idmap config WG-NAME:backend = rid idmap config WG-NAME:range = 100-200000 ifmap config WG-NAME:base_rid = 1 allow trusted domains = no winbind refresh tickets = true inherit permissions = yes ------------------------------ krb5.conf kerberos works via DNS. This is based on an article (which I can't locate at the moment) in samba wiki. [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = ORG.LOCAL dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 76h forwardable = yes [realms] [domain_realm] [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } Any help is appreciated. Harri -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba