[Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain

Eduardo Sachs edu.sachs at terra.com.br
Sat Mar 14 04:12:01 UTC 2009

Steve Langasek wrote:
> Your original bug report doesn't mention problems when joining a member
> server to the domain with 'net join', it talks about problems when joining
> the PDC to the domain with 'net join'.  In fact, you said that your member
> servers that were joined did not have problems.  Can you explain again what
> problem you're having with the member servers?

Of course! The problem is a little confusing, so perhaps I was wrong in some

I have machine M1 hosting a Samba PDC and Heimdal Kerberos, with an
OpenLDAP backend for both Heimdal and Samba.
I have machine M2 hosting CIFS shares (Samba member), which joins the
domain hosted by the Samba PDC M1.
I have machine M3 used as a CIFS client.

On M1, I have added users and the cifs/host service principals for M2.
I have also added M2's service principal to the keytab file on M2.

When I create the cifs/host service principals for M2 on M1 and create
M2's keytab file on M2, M3 accesses M2 through Kerberos authentication
with no problems.

The problem begins when M2 joins the domain of the Samba PDC M1
with the command 'net join'.

Is that clear to you now?

Here are the relevant logs for a successful Kerberos authentication
(i.e., without joining the domain), M3 accessing M2 through Kerberos:

[2009/03/14 00:40:53,  1]
  ads_secrets_verify_ticket: failed to fetch machine password
[2009/03/14 00:40:53,  3]
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab
succeeded for principal cifs/M2 at CFS.ISST
[2009/03/14 00:40:53,  3] libads/kerberos_verify.c:ads_verify_ticket(500)
  ads_verify_ticket: did not retrieve auth data. continuing without PAC
[2009/03/14 00:40:53,  3] smbd/sesssetup.c:reply_spnego_kerberos(356)
  Ticket name is [sachs at CFS.ISST]
[2009/03/14 00:40:53,  3] smbd/sesssetup.c:reply_spnego_kerberos(430)
  Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
[2009/03/14 00:40:53,  5] lib/username.c:Get_Pwnam_alloc(133)
  Finding user CFS.ISST+sachs

And finally, here is the log of a failed Kerberos authentication
(i.e., once M2 has joined the domain of the Samba PDC M1), M3 accessing M2
through Kerberos authentication:

[2009/03/14 00:49:21,  3]
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2009/03/14 00:49:21,  3]
  ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab
[2009/03/14 00:49:21,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
[2009/03/14 00:49:21,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/03/14 00:49:21,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX)

>> The page has the setup of a Samba PDC with Kerberos authentication,
>> for Debian Etch, a stable setup: http://eduardosachs.org/mediawiki/
> Ok - I guess the description of the problem is here:
> http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Lenny_(em_construção_-_NÃO_USAR_-_COM_BUG)#.2A.2A.2A_ATEN.C3.87.C3.83O.21.21.21_AVISO_IMPORTANTE.21.21.21_.2A.2A.2A
> I'll try to reproduce the bug based on this description.

OK! I have an automatic installation script for a Samba PDC with Heimdal
Kerberos on Debian Lenny, and a script for configuring a Samba member;
do you want these scripts?

> Thanks,

Thank you very much!!
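As an added example (not part of this bug report or of Samba's own code), a small Python parser for the smbd debug-log format quoted in the message above. It re-joins the message lines that the mail wrapped, records what each of smbd's two ticket-verification paths reported (the machine password from secrets.tdb first, then the keytab), and summarizes the outcome. The two log excerpts from the message are embedded as the constructed sample input; the wording produced by explain() is this example's own heuristic reading, not anything smbd prints.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the two smbd log excerpts quoted above, embedded as constructed
# strings (the mailing-list "at" obfuscation is kept exactly as printed).
LOG_BEFORE_JOIN = """\
[2009/03/14 00:40:53,  1]
  ads_secrets_verify_ticket: failed to fetch machine password
[2009/03/14 00:40:53,  3]
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab
succeeded for principal cifs/M2 at CFS.ISST
[2009/03/14 00:40:53,  3] smbd/sesssetup.c:reply_spnego_kerberos(356)
  Ticket name is [sachs at CFS.ISST]
"""
LOG_AFTER_JOIN = """\
[2009/03/14 00:49:21,  3]
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2009/03/14 00:49:21,  3]
  ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab
[2009/03/14 00:49:21,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""

# "[YYYY/MM/DD hh:mm:ss, level]" optionally followed by "file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\](?:\s+(\S+))?\s*$")


@dataclass
class Entry:
    time: str
    level: int
    location: Optional[str]
    message: str


def parse_smbd_log(text: str) -> List[Entry]:
    """One Entry per header line; wrapped message lines are re-joined."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current is not None:
                entries.append(current)
            current = Entry(m.group(1), int(m.group(2)), m.group(3), "")
        elif current is not None:
            current.message = (current.message + " " + raw.strip()).strip()
    if current is not None:
        entries.append(current)
    return entries


@dataclass
class TicketCheck:
    secrets: str = "not attempted"      # machine password from secrets.tdb
    keytab: str = "not attempted"       # fallback: keys from the keytab
    enc_types_failed: List[int] = field(default_factory=list)
    service_principal: Optional[str] = None
    client_principal: Optional[str] = None
    status: Optional[str] = None        # NT_STATUS from the final failure line

    @property
    def verified(self) -> bool:
        return self.status is None and "succeeded" in (self.secrets, self.keytab)


def summarize_ticket_check(entries: List[Entry]) -> TicketCheck:
    """Record what smbd reported on each of its two ticket-verification paths."""
    r = TicketCheck()
    for e in entries:
        msg = e.message
        if msg.startswith("ads_secrets_verify_ticket:"):
            if "failed to fetch machine password" in msg:
                r.secrets = "no machine password"
            elif "failed to decrypt" in msg:
                r.secrets = "decrypt failed"
                m = re.search(r"enc type \[(\d+)\]", msg)
                if m:
                    r.enc_types_failed.append(int(m.group(1)))
        elif msg.startswith("ads_keytab_verify_ticket:"):
            if "succeeded" in msg:
                r.keytab = "succeeded"
                m = re.search(r"for principal (.+)$", msg)
                r.service_principal = m.group(1) if m else None
            else:
                m = re.search(r"failed for all (\d+) matched", msg)
                r.keytab = "failed (%s keytab entries tried)" % (m.group(1) if m else "?")
        elif msg.startswith("Ticket name is ["):
            r.client_principal = msg[len("Ticket name is ["):].rstrip("]")
        elif msg.startswith("Failed to verify incoming ticket"):
            m = re.search(r"(NT_STATUS_\w+)", msg)
            r.status = m.group(1) if m else "unknown"
    return r


def explain(r: TicketCheck) -> str:
    """Heuristic reading of the summary (this example's wording, not Samba's)."""
    if r.verified:
        path = "keytab" if r.keytab == "succeeded" else "secrets.tdb"
        return "ticket for %s verified via %s" % (r.client_principal, path)
    if r.secrets == "decrypt failed" and r.keytab.startswith("failed"):
        return ("no local key decrypts the service ticket (enc types %s): secrets.tdb "
                "and the keytab do not hold the key the KDC used" % r.enc_types_failed)
    return "verification failed: %s" % r.status
```

Run against the two excerpts, the first summary shows the keytab path succeeding after the secrets.tdb lookup found no machine password, and the second shows both paths failing on the same ticket (enc type 23, RC4-HMAC), which is the contrast the message draws between the unjoined and the joined member.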
