Re: CIFS Server A.03.01.05 - Kerberos problem ? (400 Views)
Reply
Regular Advisor
enrico.nic
Posts: 134
Registered: ‎02-02-1997
Message 1 of 4 (800 Views)

CIFS Server A.03.01.05 - Kerberos problem ?

I have recently upgraded from 11.23 to 11.31 on our HP 9000 rp3410 system.

Now I was setting up the CIFS Server, version A.03.01.05 (on the old system I was at A.02.04.06 version).

Our CIFS server works as a domain member server of a Windows 2003 R2 domain.

 

Now no user can connect to any Samba share of the server: the problem I encounter has something to do with Kerberos validation, since the following errors are appearing from all the machines that are trying to connect to the server.

 

[2012/10/09 13:27:03,  1] smbd/sesssetup.c:341(reply_spnego_kerberos)

  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

[2012/10/09 13:27:15,  0] lib/util_sock.c:536(read_fd_with_timeout)

[2012/10/09 13:27:15,  0] lib/util_sock.c:1509(get_peer_addr_internal)

  getpeername failed. Error was Invalid argument

  read_fd_with_timeout: client 0.0.0.0 read error = Invalid argument.

[2012/10/09 13:27:33,  2] smbd/sesssetup.c:1359(setup_new_vc_session)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old

resources.

[2012/10/09 13:27:33,  1] smbd/sesssetup.c:341(reply_spnego_kerberos)

  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

[2012/10/09 13:27:33,  2] smbd/sesssetup.c:1359(setup_new_vc_session)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old

resources.

[2012/10/09 13:27:33,  1] smbd/sesssetup.c:341(reply_spnego_kerberos)

  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

 

I tried the following actions:

 

removed all files ending in .tdb from /var/opt/samba/locks

removed secrets.tdb file from /var/opt/samba/private

removed /etc/krb5.keytab

 

substituted the "use kerberos keytab = yes" option in /etc/opt/samba/smb.conf with "kerberos method = system keytab"

 

# net ads join -U myusername

------> works. Domain joined. The /etc/krb5.keytab file has been generated.

# net ads keytab add cifs –U myusername (this is a suggestion from the 3.01.04 Administrator's guide)

------> works

# net ads keytab add <hostname> -U myusername (this is a suggestion from the 3.01.04 Administrator's guide)

------> works

 

# startsmb -w

 

Following this setup, nobody can connect due to the NT_STATUS_LOGON_FAILURE error. But the command "kinit -U myusername" works. I suspect it has something to do with the machine account on the W2003 server.

 

I don't know what to try next ... thank you in advance

 

Enrico

 

Valued Contributor
Ralf Seefeldt
Posts: 168
Registered: ‎04-02-2001
Message 2 of 4 (795 Views)

Re: CIFS Server A.03.01.05 - Kerberos problem ?

Hi Enrico,

 

what ar the WINDOWS versions of all computres, you are connecting with? ALl WIN 2003?

Have you configured CIFS to use NETBIOS over TCP?

 

Unfortunatedly, I can not give you mor ideas. My CIFS experience is tor that big.

 

Bye

Ralf

Advisor
Sachin Rajput
Posts: 22
Registered: ‎10-26-2007
Message 3 of 4 (400 Views)

Re: CIFS Server A.03.01.05 - Kerberos problem ?

IN smb.conf if you have the line of

 

interface xxxxxxxxx

 

remove it and restart smb servieces .

 

Issue should be resolved .



Sachin Rajput
================
Advisor
Daniel Arredondo
Posts: 29
Registered: ‎03-16-2004
Message 4 of 4 (276 Views)

Re: CIFS Server A.03.01.05 - Kerberos problem ?

Just did a os update and patch update from hp's depot from March 2014 - Current

 

Error

[2014/08/10 01:47:29,  0] lib/util_sock.c:1509(get_peer_addr_internal)
  getpeername failed. Error was Invalid argument
  read_fd_with_timeout: client 0.0.0.0 read error = Invalid argument.

 

 

 

has this issue been resolved

 

by removing   --> interfaces from the config file

 

 

 hostname lookups = yes
    workgroup = WORKGROUP
    netbios name = hq-enigma-epc-smb-1
    security = user
    interfaces = 10.0.118.232/10.0.118.0 <------
    bind interfaces only = yes
    server string = Samba Server
    log file = /var/opt/samba/enigma-epc/log.%m
    lock directory = /var/opt/samba/enigma-epc/locks
    pid directory = /var/opt/samba/enigma-epc/locks
    smbpasswd file = /var/opt/samba/enigma-epc/private/smbpasswd
    max log size = 1000

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.