AD Auth MAC Server
February 15, 2007 at 3:38 pm #368328
ebroo
Participant
Hi all,
Lots of posts on this, but I’ll give it a shot –
We are trying to get smb shares from a Mac OS X (10.4) server to auth via AD. We can get it to work, it just won’t come back after reboot.
I can successfully bind to the AD domain – and all AFP works fine, but any SMB attempt results in this in the Samba logs:
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos_verify.c:ads_verify_ticket(313)
ads_verify_ticket: krb5_rd_req with auth failed (Unknown Error Code: 0)
[2007/02/15 10:20:46, 1] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(184)
Failed to verify incoming ticket!
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/error.c:error_packet(105)
error string = No such file or directory
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/error.c:error_packet(129)
error packet at /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c(185) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
The first part of this I want to lock down is this error – seen on samba startup
[2007/02/15 10:19:26, 5] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_try_connect(85)
ads_try_connect: trying ldap server ‘172.17.17.110’ port 389
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_connect(247)
Connected to LDAP server 172.17.17.110
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_server_info(2432)
got ldap server name [email protected], using bind path: dc=CORP,dc=MYDOMAIN,dc=COM
[2007/02/15 10:19:26, 4] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_server_info(2438)
time offset is 5 seconds
[2007/02/15 10:19:26, 4] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_bind(447)
Found SASL mechanism GSS-SPNEGO
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name [email protected]
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libsmb/clikrb5.c:ads_krb5_mk_req(392)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/02/15 10:19:27, 0] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password host/[email protected] failed: Decrypt integrity check failed
[2007/02/15 10:19:27, 3] /SourceCache/samba/samba-100.5/samba/source/printing/nt_printing.c:check_published_printers(2857)
ads_connect failed: Decrypt integrity check failed
[2007/02/15 10:19:27, 0] /SourceCache/samba/samba-100.5/samba/source/printing/nt_printing.c:nt_printing_init(386)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2007/02/15 10:19:27, 5] /SourceCache/samba/samba-100.5/samba/source/smbd/connection.c:claim_connection(170)
claiming 0
[2007/02/15 10:19:27, 3] /SourceCache/samba/samba-100.5/samba/source/printing/printing.c:start_background_queue(1224)
start_background_queue: Starting background LPQ thread
net ads status and wbinfo -g and -u work great, but samba denies all logins from AD with the Failed to verify incoming ticket
Any thoughts appreciated.
EB
ebrooathealthydirectionsdotcom

February 15, 2007 at 6:05 pm #368331
jeg98
Participant
I’m no expert by any means, but from some of the digging I’ve done related to my own issues (the result is similar to yours, but the errors are different), have you run any kinit commands to see what is in your kerberos ticket file (should be in \Library\Preferences\edu.mit.kerberos)?
I have trouble w/ an Xserve where Windows users want to connect to its shares, and sometimes it doesn’t work. Logs indicate that the Xserve is not successfully authenticating to the domain server, and thus can’t pass the AD authentication through to it for access. But Macs and AFP is great. I think Macs w/ Kerberos is not right, though. And/or Macs via SMB to the Xserve.
Fun, fun, fun! Good luck.
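
A triage pass over the smbd log quoted in the first post, as an added example that is not part of either post: it groups the Kerberos failures by stage (the server's own kinit at startup versus verification of a client's ticket) and checks the logged clock offset against the default five-minute tolerance. The stage labels, the names `parse_entries` and `triage`, and the choice of lines in `SAMPLE` are this example's own.

```python
import re

# "[date time, level] path/file.c:function(line)", as in the smbd log quoted above.
HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)$")
# Function names come from that log; the stage labels are this example's own.
STAGES = {"ads_kinit_password": "server-kinit", "ads_secrets_verify_ticket": "incoming-ticket",
          "ads_verify_ticket": "incoming-ticket", "reply_spnego_kerberos": "incoming-ticket"}
MAX_SKEW = 300  # seconds: the default Kerberos clock-skew tolerance

def parse_entries(text):
    """Return [(timestamp, level, function, message)], joining continuation lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(4), ""])
        elif entries:
            entries[-1][3] = (entries[-1][3] + " " + line).strip()
    return [tuple(e) for e in entries]

def triage(text):
    """Summarise Kerberos failures by stage and report the logged clock offset."""
    report = {"skew": None, "skew_ok": None, "stages": {}, "enctypes": set()}
    for ts, level, func, msg in parse_entries(text):
        skew = re.search(r"time offset is (-?\d+) seconds", msg)
        if skew:
            report["skew"] = int(skew.group(1))
            report["skew_ok"] = abs(report["skew"]) <= MAX_SKEW
        if func in STAGES and "failed" in msg.lower():
            report["stages"].setdefault(STAGES[func], []).append((ts, func, msg))
            enc = re.search(r"enc type \[(\d+)\]", msg)
            if enc:
                report["enctypes"].add(int(enc.group(1)))
    return report

# Excerpt of the log lines quoted in the post (principal already redacted on the page).
SAMPLE = """\
[2007/02/15 10:19:26, 4] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_server_info(2438)
time offset is 5 seconds
[2007/02/15 10:19:27, 0] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password host/[email protected] failed: Decrypt integrity check failed
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2007/02/15 10:20:46, 1] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(184)
Failed to verify incoming ticket!
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Failures in both stages with an in-tolerance offset are consistent with a mismatch in the key the server holds for its machine account rather than with clock skew; enc type 23 is RC4-HMAC.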