[Samba] Failed to verify incoming ticket! When clients use netbios names only! - Samba


  1. [Samba] Failed to verify incoming ticket! When clients use netbios names only!

    Hi,
    I have set up our samba box in 'ADS' mode; the problem I have is that clients
    connecting to the server cannot do so by using its netbios name. Only when
    they use the IP address of the machine are they able to be authenticated and
    browse the box.
    When clients connect via the netbios name this message will appear in my
    samba logs with the IP of the connecting client:

    "smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming
    ticket!"

    Additionally, if a client connects successfully via the IP of the samba
    server, the log file is named after the client's netbios name rather than its
    IP.
    e.g. machinenetbiosname.log will contain:
    [2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
    netbiosnameofmachine (192.168.16.203) signed connect to service data
    initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)

    Can someone tell me what's happening here?

    thor:/var/log/samba# cat /etc/samba/smb.conf
    [global]
    winbind use default domain = yes
    winbind separator = +
    client use spnego = yes
    use spnego = yes
    server signing = auto
    client signing = auto
    netbios name = THOR
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    workgroup = DOMAIN
    server string = Thor
    security = ads
    hosts allow = 192.168.16.
    load printers = no
    cups options = raw
    log file = /var/log/samba/%m.log
    max log size = 50
    password server = SERVER01
    encrypt passwords = yes
    realm = DOMAIN
    passdb backend = tdbsam
    local master = no
    domain master = no
    wins support = no
    wins server = 192.168.16.3
    dns proxy = no
    hostname lookups = yes
    name resolve order = lmhosts host wins dns bcast
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    [data]
    comment =
    path = /data
    Valid Users = +DOMAIN+"domain users"
    writeable = yes
    browseable = yes

    [ftp]
    comment = FTP area
    path = /data/ftp
    Valid Users = +DOMAIN+"domain users"
    writeable = yes
    browseable = yes
    thor:/var/log/samba#

    wbinfo -u works!
    wbinfo -g works

    passwd: files winbind
    shadow: files winbind
    group: files winbind

    #hosts: db files nisplus nis dns
    hosts: files winbind

    # Example - obey only what nisplus tells us...
    #services: nisplus [NOTFOUND=return] files
    #networks: nisplus [NOTFOUND=return] files
    #protocols: nisplus [NOTFOUND=return] files
    #rpc: nisplus [NOTFOUND=return] files
    #ethers: nisplus [NOTFOUND=return] files
    #netmasks: nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files winbind
    rpc: files
    services: files winbind

    netgroup: files winbind

    publickey: nisplus

    automount: files winbind
    aliases: files nisplus

    cat /etc/resolv.conf

    search DOMAIN.NAME
    nameserver 192.168.16.3 (also the PDC)

    thor:/var/log/samba# cat /etc/hosts
    127.0.0.1 localhost.localdomain localhost
    192.168.16.4 thor.DOMAIN.NAME thor
    192.168.16.3 server01.DOMAIN.NAME server01

    thor:/var/log/samba# kinit administrator@DOMAIN.NAME
    administrator@DOMAIN.NAME's Password:
    kinit: NOTICE: ticket renewable lifetime is 1 week

    thor:/var/log/samba# cat /etc/krb5.conf
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = DOMAIN.NAME
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    krb4_get_tickets = false
    [realms]
    DOMAIN.NAME = {
    kdc = server01:88
    }

    [domain_realm]
    .server01 = DOMAIN.NAME
    server01 = DOMAIN.NAME

    [kdc]
    profile = /var/lib/heimdal-kdc/kdc.conf

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

    Hi

    we see similar messages too.

    Gerald (Jerry) Carter wrote:
    > m.bland wrote:
    >
    > > thor:/var/log/samba# cat /etc/samba/smb.conf
    > > [global]

    >
    > > workgroup = DOMAIN
    > > realm = DOMAIN

    >
    > Are these really the same value ?

    Do they have to?
    When I try to set them to the same value I get the following message
    when joining the domain.

    [root@rmvbs02 root]# net ads join -U Admin
    Admin's password:
    The workgroup in /etc/samba/smb.conf does not match the short
    domain name obtained from the server.
    Using the name [DOMNAME] from the server.
    You should set "workgroup = DOMNAME" in /etc/samba/smb.conf.
    Using short domain name -- DOMNAME
    Failed to set servicePrincipalNames. Please ensure that
    the DNS domain of this server matches the AD domain,
    Or rejoin with using Domain Admin credentials.
    Deleted account for 'RMVBS02' in realm 'REALM'
    Failed to join domain: Type or value exists


    But we have a DNS not matching the REALM.

    Could this lead to this problem?

    (the above join only works with net rpc join, even while User Admin has
    full rights on the domain)

    Greetings

    hansjörg

    >
    > ...
    >
    > > thor:/var/log/samba# cat /etc/krb5.conf
    > > [libdefaults]
    > > default_realm = DOMAIN.NAME
    >
    > cheers, jerry


    --
    _________________________________________________________________

    Deutsches Zentrum fuer Luft- und Raumfahrt e.V.
    in der Helmholtz-Gemeinschaft

    Institut fuer Robotik und Mechatronik

    Dr. Hansjörg Maurer

    LAN- und Systemmanager

    Münchner Strasse 20
    82234 Wessling
    Germany

    Telefon: 08153/28-2431
    Telefax: 08153/28-1134

    E-Mail: Hansjoerg.Maurer@dlr.de
    Internet: http://www.robotic.dlr.de/

    __________________________________________________________________


    There are 10 types of people in this world,
    those who understand binary and those who don't.


  3. Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

    Hi,

    the "Failed to join domain: Type or value exists" is caused when the
    machine_name is equal to the fqdn.

    This is the case, e.g., if the /etc/hosts file contains only the short
    name. The server reports the error and "net" aborts although the join
    itself was successful.

    There are several issues with the "hostname vs. domainname" thing under
    linux.
    E.g. the missing driver listings when using the fqdn to access the samba
    server.
    I've added a getdomainname() call in the get_mydnsfullname() function in
    lib/util.c if the gethostname() result does not contain a ".".
    Then the comparison in is_myname() succeeds and the drivers are listed.

    But the manpage says, getdomainname() is *not* POSIX. So this all might
    end in a configuration issue of the hostname.

    Regards,

    ~ Martin


    Hansjörg Maurer schrieb:
    > Hi
    >
    > we see similar messages too.
    >
    > Gerald (Jerry) Carter wrote:
    >> m.bland wrote:
    >>
    >>> thor:/var/log/samba# cat /etc/samba/smb.conf
    >>> [global]
    >>> workgroup = DOMAIN
    >>> realm = DOMAIN

    >> Are these really the same value ?

    > Do they have to?
    > When I try to set them to the same value I get the following message
    > when joining the domain.
    >
    > [root@rmvbs02 root]# net ads join -U Admin
    > Admin's password:
    > The workgroup in /etc/samba/smb.conf does not match the short
    > domain name obtained from the server.
    > Using the name [DOMNAME] from the server.
    > You should set "workgroup = DOMNAME" in /etc/samba/smb.conf.
    > Using short domain name -- DOMNAME
    > Failed to set servicePrincipalNames. Please ensure that
    > the DNS domain of this server matches the AD domain,
    > Or rejoin with using Domain Admin credentials.
    > Deleted account for 'RMVBS02' in realm 'REALM'
    > Failed to join domain: Type or value exists
    >
    >
    > But we have a DNS not matching the REALM.
    >
    > Could this lead to this problem?
    >
    > (the above join only works with net rpc join, even while User Admin has
    > full rights on the domain)
    >
    > Greetings
    >
    > hansjörg
    >
    >> ...
    >>
    >>> thor:/var/log/samba# cat /etc/krb5.conf
    >>> [libdefaults]
    >>> default_realm = DOMAIN.NAME

    >>
    >> cheers, jerry
    >


    --
    Martin Zielinski mz@seh.de
    Software Development
    SEH Computertechnik GmbH www.seh.de

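    The thread turns on a handful of settings that have to agree on an ADS member server: the smb.conf `realm` against the `workgroup` (Jerry's question in post 2), the krb5.conf `default_realm` and `[domain_realm]` mapping, and whether the host's own /etc/hosts entry carries an FQDN (Martin's point in post 3 about the machine name being equal to the fqdn). The Python below is an added example, not code from the thread or from Samba: a hypothetical checker that parses copies of those three files and reports the mismatches. The sample configs are constructed from the values quoted in post 1 (`realm = DOMAIN` beside `default_realm = DOMAIN.NAME`, a `[domain_realm]` keyed on the KDC's hostname), plus a corrected variant; the parser and check functions are assumptions of this example.

```python
"""Consistency checks for a Samba 'security = ads' member server.

Added example (hypothetical helper, not Samba code): parses smb.conf,
krb5.conf and /etc/hosts text and flags the mismatches discussed in the
thread: realm vs default_realm, workgroup == realm, a host entry without
an FQDN, and a [domain_realm] section that does not cover the host's DNS domain.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_ini_like(text):
    """Minimal smb.conf / krb5.conf parser -> {section: {key: value}}.

    Section and key names are lower-cased.  krb5.conf brace blocks
    ('REALM = {' ... '}') are flattened into the enclosing section, which is
    enough for reading default_realm and the [domain_realm] keys.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            if value.strip() != "{":
                sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_hosts(text):
    """Return {name_lower: ip} for every hostname or alias in /etc/hosts text."""
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            names[name.lower()] = fields[0]
    return names


def check_ads_config(smb_conf, krb5_conf, hosts_text, hostname):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    smb = parse_ini_like(smb_conf).get("global", {})
    krb = parse_ini_like(krb5_conf)
    realm = smb.get("realm", "")
    workgroup = smb.get("workgroup", "")
    default_realm = krb.get("libdefaults", {}).get("default_realm", "")

    # The Kerberos realm is the DNS-style name the KDC issues tickets for;
    # the short NetBIOS domain name belongs in 'workgroup', not 'realm'.
    if "." not in realm:
        findings.append(f"realm '{realm}' is not a DNS-style Kerberos realm")
    if realm.upper() != default_realm.upper():
        findings.append(f"smb.conf realm '{realm}' != krb5.conf default_realm '{default_realm}'")
    if workgroup and workgroup.upper() == realm.upper():
        findings.append("workgroup equals realm; workgroup should be the short domain name")

    # The host's own entry needs an FQDN, otherwise the machine name and the
    # 'fqdn' derived from it are identical (post 3's 'Type or value exists').
    hosts = parse_hosts(hosts_text)
    short = hostname.lower()
    fqdns = [n for n in hosts if "." in n and n.split(".", 1)[0] == short]
    if short not in hosts and not fqdns:
        findings.append(f"no /etc/hosts entry for '{hostname}'")
    elif not fqdns:
        findings.append(f"/etc/hosts names '{hostname}' only by its short name, no FQDN")

    # [domain_realm] must map the host's DNS domain, not the KDC's hostname.
    mapped = {k.lower() for k in krb.get("domain_realm", {})}
    for fqdn in fqdns:
        dns_domain = "." + fqdn.split(".", 1)[1]
        if dns_domain not in mapped:
            findings.append(f"[domain_realm] has no mapping for '{dns_domain}'")
    return findings


# Constructed samples, trimmed from the configs quoted in post 1.
SMB_CONF_POST1 = "[global]\nnetbios name = THOR\nworkgroup = DOMAIN\nrealm = DOMAIN\n" \
                 "security = ads\npassword server = SERVER01\n"
KRB5_CONF_POST1 = "[libdefaults]\ndefault_realm = DOMAIN.NAME\ndns_lookup_kdc = true\n" \
                  "[realms]\nDOMAIN.NAME = {\nkdc = server01:88\n}\n" \
                  "[domain_realm]\n.server01 = DOMAIN.NAME\nserver01 = DOMAIN.NAME\n"
HOSTS_POST1 = "127.0.0.1 localhost.localdomain localhost\n192.168.16.4 thor.DOMAIN.NAME thor\n"
HOSTS_SHORT_ONLY = "127.0.0.1 localhost\n192.168.16.4 thor\n"  # constructed bad case

# Corrected variant (constructed): realm is the DNS name, [domain_realm] maps the DNS domain.
SMB_CONF_FIXED = SMB_CONF_POST1.replace("realm = DOMAIN\n", "realm = DOMAIN.NAME\n")
KRB5_CONF_FIXED = KRB5_CONF_POST1.replace(".server01 = DOMAIN.NAME\nserver01 = DOMAIN.NAME",
                                          ".domain.name = DOMAIN.NAME\ndomain.name = DOMAIN.NAME")

if __name__ == "__main__":
    for label, smb, krb, hosts in (("post 1", SMB_CONF_POST1, KRB5_CONF_POST1, HOSTS_POST1),
                                    ("short-name hosts", SMB_CONF_POST1, KRB5_CONF_POST1, HOSTS_SHORT_ONLY),
                                    ("corrected", SMB_CONF_FIXED, KRB5_CONF_FIXED, HOSTS_POST1)):
        print(label, check_ads_config(smb, krb, hosts, "thor") or ["ok"])
```

    Run against the post 1 values the checker reports four findings (realm without a dot, realm/default_realm mismatch, workgroup identical to realm, no `[domain_realm]` entry for `.domain.name`); with a hosts file that names the machine only by its short name it reports the condition Martin describes instead of the domain_realm gap; the corrected variant reports nothing.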
