kerberos problem

Guest
Archived from groups: microsoft.public.win2000.security

I am receiving the following Kerberos errors. I think this is causing other problems with my network.

"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.DOMAIN.org. The target name used was cifs/SERVER1.DOMAIN.org. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.ORG), and the client realm. Please contact your system administrator."

server.DOMAIN.org (not the actual domain name) is a newly installed Windows Server 2003. SERVER1.DOMAIN.org is an old Windows 2000 server that was removed from the network. Before the server was removed I demoted it from being a domain controller.

I have found a couple of mentions of this Kerberos error ... but none offer any information on how to fix the problem.

Any help would be appreciated.

Thank you.

Jim Dinda
 
Guest

I have actually made this error go away. (There were some DNS settings that were wrong in the network, including a leftover DNS host record for a non-existent server.)

However, now I am having trouble logging a Mac w/ OS X into that Windows Server 2003 server.

On the Mac I get the following error in the console:

<snip>

mount_smbfs: No credentials cache found krb5_cc_get_principal


mount_smbfs: No credentials cache found krb5_cc_get_principal


mount_smbfs: tree connect phase failed: syserr = Permission denied

mount_smbfs: could not login to server SERVER: syserr = Permission denied

<snip>

The Windows Server 2003 doesn't show any Kerberos errors in the Event Viewer. I have added Registry Entries to enable Kerberos logging but still don't see any entries.

The same Mac can log into a Windows 2000 Server on the same network in the same domain without difficulty or errors.

I will continue to research ... but any help that points me in the right direction would be helpful.

Thank you in advance.

Best,

Jim Dinda


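Added example, not part of the original posts: the event text quoted in this thread names two principals, the server that answered (host/...) and the name the client asked for (cifs/...). When the two hosts differ, the client was sent to a machine that cannot decrypt a ticket issued for the requested name, which is consistent with the leftover DNS host record reported above. The sketch below pulls both names out of such messages and lists the mismatches; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the two principals named in the KRB_AP_ERR_MODIFIED event text quoted in the thread.
EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(?P<responder>\S+?)\.\s+"
    r"The target name used was\s+(?P<target>\S+?)\.(?:\s|$)",
    re.IGNORECASE,
)

# Constructed sample input: the first entry reuses the thread's placeholder names,
# the other two are made up for contrast.
SAMPLE_EVENTS = [
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/server.DOMAIN.org. The target name used was cifs/SERVER1.DOMAIN.org. "
    "This indicates that the password used to encrypt the kerberos service ticket ...",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/files.DOMAIN.org. The target name used was cifs/FILES.domain.org. ...",
    "The time service is synchronizing the system time.",
]

def host_of(principal):
    """Lower-cased host part of 'service/host' (any '@REALM' suffix dropped)."""
    name = principal.split("@", 1)[0]
    _service, sep, host = name.partition("/")
    return (host if sep else name).lower().rstrip(".")

def find_name_mismatches(messages):
    """Map each requested target host to the hosts that actually answered for it."""
    mismatches = defaultdict(set)
    for msg in messages:
        m = EVENT_RE.search(msg)
        if not m:
            continue  # not a KRB_AP_ERR_MODIFIED event
        target, responder = host_of(m["target"]), host_of(m["responder"])
        if target != responder:
            mismatches[target].add(responder)
    return {t: sorted(r) for t, r in mismatches.items()}

def report(messages):
    """One line per requested name that resolved to a different machine."""
    return [
        f"{target} was answered by {', '.join(responders)}: "
        "check DNS host/alias records and the machine account for the requested name"
        for target, responders in find_name_mismatches(messages).items()
    ]
```

A message whose two hosts match (the second sample) is not reported; that case points at the machine account password rather than at name resolution.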
 
Guest

I am not familiar with Mac logons to a Windows domain, but by default Windows
2003 requires SMB signing, which Mac may not be able to accommodate. If you go
into the appropriate security policy (such as domain controller for a domain
controller, and domain or local for other domain members), look for the option
server: digitally sign communications (always) and set it to disabled. That would
be in security options under security settings/local policies. You may also have
to take a look at your LAN Manager authentication level security option. W2K by
default is configured to send LM and NTLM responses, which is the least secure
but most compatible. I don't know what Macs use as an authentication protocol -
probably NTLM?? --- Steve



 
Guest

Yes, that's true ... I already disabled that domain controller group policy option.

Since I am getting this Kerberos error on the Mac (which uses Samba) ... I believe it uses Kerberos to authenticate.

I'm still having the same problem. It also doesn't let me authenticate with Entourage to the same server (which has Exchange on it too). I CAN connect using Remote Desktop Connection from the Mac, which does not seem to use Kerberos when connecting.

Again ... any help in troubleshooting Kerberos would be helpful.

Thank you for this reply Steven.

Best,

Jim Dinda



"Steven Umbach" wrote:

> I am not familiar with Mac logons to a Windows domain, but by default Windows
> 2003 requires smb signing which Mac may not be able to accommodate. If you go
> into the appropriate security policy such as domain controller for domain
> controller and domain or local for other domain members look for the option
> server:digitally sign communications (always) and set it to disable. That would
> be in security options under security settings/local policies. You may also have
> to take a look at your lan manager authentication level security option. W2K by
> default is configured to send lm and ntlm responses which is the least secure,
> but most compatible. I don't know what Mac's use as authentication protocol -
> probably ntlm?? --- Steve