From: Robert Freeman-Day on
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/11/2010 01:39 AM, Nick Couchman wrote:
> I'm running Windows Server 2008 and trying to connect to Samba 3.0.37 on Opensolaris. The Samba system is a member of a Windows Server 2008-based Active Directory domain - it was able to join the domain just fine - and Windows XP, Windows 2000, Windows Vista, and Windows 7 can connect, but Windows Server 2008 SP2 cannot connect. The log file is posted below - I'm guessing the key is the message about krb5_rd_req with auth failed (Bad encryption type), but none of the solutions out there that I've looked at seem to apply - it doesn't seem to be the same bug as was in Windows Server 2003, and I'm not sure what kerberos keytab has to do with remote connections to the machine. Any hints would be greatly appreciate.
>
> Thanks,
> Nick
>
> [2010/08/10 20:05:22, 5] smbd/uid.c:(338)
> change_to_root_user: now uid=(0,0) gid=(0,0)
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(505)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(505)
> Requested protocol [LANMAN1.0]
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(505)
> Requested protocol [Windows for Workgroups 3.1a]
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(505)
> Requested protocol [LM1.2X002]
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(505)
> Requested protocol [LANMAN2.1]
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(505)
> Requested protocol [NT LM 0.12]
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(505)
> Requested protocol [SMB 2.002]
> [2010/08/10 20:05:22, 5] smbd/connection.c:(182)
> claiming 0
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(364)
> using SPNEGO
> [2010/08/10 20:05:22, 3] smbd/negprot.c:(606)
> Selected protocol NT LM 0.12
> [2010/08/10 20:05:22, 5] smbd/negprot.c:(612)
> negprot index=5
> [2010/08/10 20:05:22, 5] lib/util.c:(484)
> [2010/08/10 20:05:22, 5] lib/util.c:(494)
> size=173
> smb_com=0x72
> smb_rcls=0
> smb_reh=0
> smb_err=0
> smb_flg=136
> smb_flg2=51201
> smb_tid=65535
> smb_pid=65279
> smb_uid=0
> smb_mid=0
> smt_wct=17
> smb_vwv[ 0]= 5 (0x5)
> smb_vwv[ 1]=12807 (0x3207)
> smb_vwv[ 2]= 256 (0x100)
> smb_vwv[ 3]= 1024 (0x400)
> smb_vwv[ 4]= 65 (0x41)
> smb_vwv[ 5]= 0 (0x0)
> smb_vwv[ 6]= 256 (0x100)
> smb_vwv[ 7]=24832 (0x6100)
> smb_vwv[ 8]= 82 (0x52)
> smb_vwv[ 9]=64512 (0xFC00)
> smb_vwv[10]= 243 (0xF3)
> smb_vwv[11]= 128 (0x80)
> smb_vwv[12]=39069 (0x989D)
> smb_vwv[13]=63911 (0xF9A7)
> smb_vwv[14]=52024 (0xCB38)
> smb_vwv[15]=26625 (0x6801)
> smb_vwv[16]= 1 (0x1)
> smb_bcc=104
> [2010/08/10 20:05:22, 3] smbd/process.c:(1083)
> Transaction 1 of length 1640
> [2010/08/10 20:05:22, 5] lib/util.c:(484)
> [2010/08/10 20:05:22, 5] lib/util.c:(494)
> size=1636
> smb_com=0x73
> smb_rcls=0
> smb_reh=0
> smb_err=0
> smb_flg=24
> smb_flg2=51207
> smb_tid=65535
> smb_pid=65279
> smb_uid=0
> smb_mid=64
> smt_wct=12
> smb_vwv[ 0]= 255 (0xFF)
> smb_vwv[ 1]= 0 (0x0)
> smb_vwv[ 2]=16644 (0x4104)
> smb_vwv[ 3]= 50 (0x32)
> smb_vwv[ 4]= 0 (0x0)
> smb_vwv[ 5]= 0 (0x0)
> smb_vwv[ 6]= 0 (0x0)
> smb_vwv[ 7]= 1573 (0x625)
> smb_vwv[ 8]= 0 (0x0)
> smb_vwv[ 9]= 0 (0x0)
> smb_vwv[10]= 212 (0xD4)
> smb_vwv[11]=40960 (0xA000)
> smb_bcc=1577
> [2010/08/10 20:05:22, 3] smbd/process.c:(932)
> switch message SMBsesssetupX (pid 21089) conn 0x0
> [2010/08/10 20:05:22, 3] smbd/sec_ctx.c:(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/08/10 20:05:22, 5] auth/auth_util.c:(448)
> NT user token: (NULL)
> [2010/08/10 20:05:22, 5] auth/auth_util.c:(474)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2010/08/10 20:05:22, 5] smbd/uid.c:(338)
> change_to_root_user: now uid=(0,0) gid=(0,0)
> [2010/08/10 20:05:22, 3] smbd/sesssetup.c:(1258)
> wct=12 flg2=0xc807
> [2010/08/10 20:05:22, 2] smbd/sesssetup.c:(1214)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2010/08/10 20:05:22, 3] smbd/sesssetup.c:(1040)
> Doing spnego session setup
> [2010/08/10 20:05:22, 3] smbd/sesssetup.c:(1071)
> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> [2010/08/10 20:05:22, 5] smbd/sesssetup.c:(669)
> parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
> [2010/08/10 20:05:22, 5] smbd/sesssetup.c:(669)
> parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
> [2010/08/10 20:05:22, 5] smbd/sesssetup.c:(669)
> parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
> [2010/08/10 20:05:22, 3] smbd/sesssetup.c:(699)
> reply_spnego_negotiate: Got secblob of size 1507
> [2010/08/10 20:05:22, 3] libads/kerberos_verify.c:(427)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2010/08/10 20:05:22, 1] smbd/sesssetup.c:(316)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2010/08/10 20:05:22, 3] smbd/error.c:(106)
> error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2010/08/10 20:05:22, 5] lib/util.c:(484)
>
>
> --------
> This e-mail may contain confidential and privileged material for the sole use of the intended recipient. If this email is not intended for you, or you are not responsible for the delivery of this message to the intended recipient, please note that this message may contain SEAKR Engineering (SEAKR) Privileged/Proprietary Information. In such a case, you are strictly prohibited from downloading, photocopying, distributing or otherwise using this message, its contents or attachments in any way. If you have received this message in error, please notify us immediately by replying to this e-mail and delete the message from your mailbox. Information contained in this message that does not relate to the business of SEAKR is neither endorsed by nor attributable to SEAKR.

Nick,

I would suggest looking at your available encryption types available to
Solaris. We ran into this before and this bug supplied a work around
that fixed us.

http://bugs.opensolaris.org/bugdatabase/printableBug.do?bug_id=6534506

If you want to find out the encryption levels available to your system,
you can issue:

# cryptoadm list

Good luck!
- --
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxinlYACgkQup357T5MfTatFACgpRPbZ4GB+UBMO2wULb7JIpHz
3E8An3PM6bdxwMHKOOW7KsYoKnd3kpuh
=heGn
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Nick Couchman on

>
> Nick,
>
> I would suggest looking at your available encryption types available to
> Solaris. We ran into this before and this bug supplied a work around
> that fixed us.
>
> http://bugs.opensolaris.org/bugdatabase/printableBug.do?bug_id=6534506
>
> If you want to find out the encryption levels available to your system,
> you can issue:
>
> # cryptoadm list
>

Okay, so I can do this, but the "extra" file is not present on OpenSolaris, and the only other three pkcs libraries that are present are in use on the system. Also, I'm able to successfully use kinit to get a kerberos ticket from the command line on the Solaris system, but Samba still fails.

Thanks for the lead - I'll continue to track it down!

-Nick



--------
This e-mail may contain confidential and privileged material for the sole use of the intended recipient. If this email is not intended for you, or you are not responsible for the delivery of this message to the intended recipient, please note that this message may contain SEAKR Engineering (SEAKR) Privileged/Proprietary Information. In such a case, you are strictly prohibited from downloading, photocopying, distributing or otherwise using this message, its contents or attachments in any way. If you have received this message in error, please notify us immediately by replying to this e-mail and delete the message from your mailbox. Information contained in this message that does not relate to the business of SEAKR is neither endorsed by nor attributable to SEAKR.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba