kerberos5 unable to authenticate

Posted by wolfgangsz on Server Fault See other posts from Server Fault or by wolfgangsz
Published on 2009-09-14T10:13:43Z Indexed on 2010/03/19 17:21 UTC
Read the original article Hit count: 371

Filed under:

kerberos

|

samba

|

winbind

We have a Debian file server, configured to serve up samba shares, using winbind and kerberos. This is configured to authenticate against a Windows2003 DC.

All worked fine until recently when I did a maintenance update on all packages. Since then, all attempts to connect to any of the shares (and also to just log into the box) fail. The logs contain this message, which seems to be at the root of the evil:

[2009/09/14 12:04:29, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(685)
  Got KRB5 session key of length 16
[2009/09/14 12:04:29, 10] libsmb/clikrb5.c:unwrap_pac(280)
  authorization data is not a Windows PAC (type: 141)
[2009/09/14 12:04:29, 3] libads/kerberos_verify.c:ads_verify_ticket(430)
  ads_verify_ticket: did not retrieve auth data. continuing without PAC

From there on it fails to find the user account on the DC, subsequently remaps the user to user nobody and then (rightly) refuses to grant access to the share.

However, the following works just fine:

wbinfo -a user%password

I was wondering whether anybody has had this problem and could provide some insight. I would be happy to provide neutralised config files.

© Server Fault or respective owner

Related posts about kerberos

NFS (with Kerberos) mount failing due to "Server not found in Kerberos database" error

as seen on Server Fault - Search for 'Server Fault'
When running: `sudo mount -t nfs4 -o sec=krb5 sol.domain.com:/ /mnt` I get this error on the client: mount.nfs4: access denied by server while mounting sol.domain.com:/ And on the server syslogs UNKNOWN_SERVER: authtime 0, nfs/[email protected] for nfs/ip-#-#-#-#.ec2.internal@SOL… >>> More
Enabling Kerberos Authentication for Reporting Services

as seen on SQL Blogcasts - Search for 'SQL Blogcasts'
Recently, I’ve helped several customers with Kerberos authentication problems with Reporting Services and Analysis Services, so I’ve decided to write this blog post and pull together some useful resources in one place (there are 2 whitepapers in particular that I found invaluable configuring Kerberos… >>> More
Relative security of SAML vs Kerberos

as seen on Server Fault - Search for 'Server Fault'
Does anyone have any info/links on the relative security of SAML vs Kerberos. I believe I grasp the differences between the two, and what they mean for my particular application, but to decided between the two, knowing which is more secure, if either, would be a valuable bit of info. >>> More
Confusion about Kerberos, delegation and SPNs.

as seen on Server Fault - Search for 'Server Fault'
I already posted this question on SO, but the nature of it is between programming and server configuration, so I'll re-post it here as well. I'm trying to write a proof-of-concept application that performs Kerberos delegation. I've written all the code, and it seems to working (I'm authenticating… >>> More
Kerberos & signle-sign-on for website

as seen on Server Fault - Search for 'Server Fault'
I have a website running on a Linux computer using Apache. I've employed mod_auth_kerb for single-sign-on Kerberos authentication against a Windows Active Directory server. In order for Kerberos to work correctly, I've created a service account in Active Directory called dummy. I've generated a… >>> More

Related posts about samba

Unable to connect to Samba printer

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a headless Ubuntu 12.04 server for files and printers. It shares files via Samba just fine. However, the HP PSC-750xi connected to the server via USB is not accessible from my Ubuntu 12.04 laptop. I can browse for it in the Printing control panel, but any attempt to authenticate my ID to the… >>> More
Samba folder is gone

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I seem to have some issues sharing folders from my Ubuntu 12.04 machine to a Win7 machine. After playing around with the settings, I decided to revert to Samba's original setting by reinstalling it: sudo apt-get purge samba sudo rm -rf /etc/samba/ /etc/default/samba sudo apt-get install samba just… >>> More
Samba on OS X 10.6.4

as seen on Server Fault - Search for 'Server Fault'
I just updated from 10.6.3 to 10.6.4, and now my Samba shares won't mount and won't allow access into the directories. In the logs, I've started to get the following errors, any idea what might have gone wrong? 2010/06/25 15:54:27, 0, pid=13848] /SourceCache/samba/samba-235.4/samba/source/passdb/secrets… >>> More
OpenLDAP and Samba, can't log onto Samba share from Windows

as seen on Server Fault - Search for 'Server Fault'
The former jackass IT-guy that I'm taking over for had a Samba share setup on a Fedora server that uses our OpenLDAP server to authenticate users who want to log in from Windows. We recently added a new employee and I jumped through the LDAP hoops to add them to the system. However, I can't seem… >>> More
Windows 7 Samba issue

as seen on Server Fault - Search for 'Server Fault'
We have a strange samba issue affecting only one user. Our samba setup is as follow : Red Hat Enterprise Linux Server release 5.4 (Tikanga) - Samba Server Samba version 3.0.33-3.14.el5 - Samba version Domain Controller WIN2008R2 Standard -… >>> More