CIFS Server A.03.01.05 - Kerberos problem ? (563 Views)
Regular Advisor
enrico.nic
Posts: 134
Registered: ‎02-02-1997
Message 1 of 4 (563 Views)

CIFS Server A.03.01.05 - Kerberos problem ?

I have recently upgraded from 11.23 to 11.31 on our HP 9000 rp3410 system.

Now I was setting up the CIFS Server, version A.03.01.05 (on the old system I was at A.02.04.06 version).

Our CIFS server works as a domain member server of a Windows 2003 R2 domain.

 

Now no user can connect to any Samba share of the server: the problem I encounter has something to do with Kerberos validation, since the following errors are appearing from all the machines that are trying to connect to the server.

[2012/10/09 13:27:03,  1] smbd/sesssetup.c:341(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/10/09 13:27:15,  0] lib/util_sock.c:536(read_fd_with_timeout)
[2012/10/09 13:27:15,  0] lib/util_sock.c:1509(get_peer_addr_internal)
  getpeername failed. Error was Invalid argument
  read_fd_with_timeout: client 0.0.0.0 read error = Invalid argument.
[2012/10/09 13:27:33,  2] smbd/sesssetup.c:1359(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/10/09 13:27:33,  1] smbd/sesssetup.c:341(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/10/09 13:27:33,  2] smbd/sesssetup.c:1359(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/10/09 13:27:33,  1] smbd/sesssetup.c:341(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

 

I tried the following actions:

removed all files ending in .tdb from /var/opt/samba/locks
removed secrets.tdb file from /var/opt/samba/private
removed /etc/krb5.keytab

substituted the "use kerberos keytab = yes" option in /etc/opt/samba/smb.conf with "kerberos method = system keytab"

# net ads join -U myusername
------> works. Domain joined. The /etc/krb5.keytab file has been generated.
# net ads keytab add cifs -U myusername (this is a suggestion from the 3.01.04 Administrator's guide)
------> works
# net ads keytab add <hostname> -U myusername (this is a suggestion from the 3.01.04 Administrator's guide)
------> works

# startsmb -w

Following this setup, nobody can connect due to the NT_STATUS_LOGON_FAILURE error. But the command "kinit -U myusername" works. I suspect it has something to do with the machine account on the W2003 server.

I don't know what to try next ... thank you in advance

 

Enrico

 

Valued Contributor
Ralf Seefeldt
Posts: 166
Registered: ‎04-02-2001
Message 2 of 4 (558 Views)

Re: CIFS Server A.03.01.05 - Kerberos problem ?

Hi Enrico,

What are the Windows versions of all the computers you are connecting with? All Win 2003?
Have you configured CIFS to use NETBIOS over TCP?

Unfortunately, I cannot give you more ideas. My CIFS experience is not that big.

 

Bye

Ralf

Advisor
Sachin Rajput
Posts: 22
Registered: ‎10-26-2007
Message 3 of 4 (163 Views)

Re: CIFS Server A.03.01.05 - Kerberos problem ?

In smb.conf, if you have the line

interface xxxxxxxxx

remove it and restart the SMB services.

Issue should be resolved.



Sachin Rajput
================
Advisor
Daniel Arredondo
Posts: 26
Registered: ‎03-16-2004
Message 4 of 4 (39 Views)

Re: CIFS Server A.03.01.05 - Kerberos problem ?

Just did an OS update and patch update from HP's depot from March 2014 - Current

Error

[2014/08/10 01:47:29,  0] lib/util_sock.c:1509(get_peer_addr_internal)
  getpeername failed. Error was Invalid argument
  read_fd_with_timeout: client 0.0.0.0 read error = Invalid argument.

Has this issue been resolved by removing --> interfaces from the config file?

 

 

    hostname lookups = yes
    workgroup = WORKGROUP
    netbios name = hq-enigma-epc-smb-1
    security = user
    interfaces = 10.0.118.232/10.0.118.0 <------
    bind interfaces only = yes
    server string = Samba Server
    log file = /var/opt/samba/enigma-epc/log.%m
    lock directory = /var/opt/samba/enigma-epc/locks
    pid directory = /var/opt/samba/enigma-epc/locks
    smbpasswd file = /var/opt/samba/enigma-epc/private/smbpasswd
    max log size = 1000
