Mariano Sokal
2006-Jul-07 18:50 UTC
[Samba] get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed: Preauthentication failed
Hello from Buenos Aires.

I am getting the following error when I do the net ads join command:

get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed: Preauthentication failed

I am running Debian, kernel 2.4.18 (geez, I should upgrade). I searched everywhere for this error but I can't find any solution.

wbinfo -u works fine. kinit works fine. net ads testjoin says "Join is OK". I see the computer on the AD Server (win2k). However, I can't access the shared resources.

Any ideas?

Best regards,
Mariano
Gerald (Jerry) Carter
2006-Jul-07 22:50 UTC
[Samba] get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed: Preauthentication failed
Mariano Sokal wrote:
> get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed:
> Preauthentication failed

Do you have more than one DC? I'm cleaning up this code some
right now actually. The failure is coming when net is trying
to derive the salt used for DES keys. It's kind of messy at the
moment. My guess is that your access failures may be related
to something other than this message.

cheers, jerry
=====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Mariano Sokal
2006-Jul-07 22:57 UTC
[Samba] get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed: Preauthentication failed
> get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed:
> Preauthentication failed
>
> Do you have more than one DC? I'm cleaning up this code some
> right now actually. The failure is coming when net is trying
> to derive the salt used for DES keys. It's kind of messy at the
> moment. My guess is that your access failures may be related
> to something other than this message.

Jerry:

Yes, we have 2 DC (darthsith and darthvader ;) )

Regards,
Mariano
Mariano Sokal
2006-Jul-07 23:04 UTC
[Samba] get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed: Preauthentication failed
Mariano Sokal wrote:
>> get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed:
>> Preauthentication failed
>
>> Do you have more than one DC? I'm cleaning up this code some
>> right now actually. The failure is coming when net is trying
>> to derive the salt used for DES keys. It's kind of messy at the
>> moment. My guess is that your access failures may be related
>> to something other than this message.
>
> Jerry:
>
> Yes, we have 2 DC (darthsith and darthvader ;) )

> Could be a replication issue. Sometimes the krb5 libs
> don't always communicate with the same DC as smbd.
> We're trying to fix this some in 3.0.23.

So there's no way at this moment that I can make this computer join the ADS? What if I turn one DC off and make the computer join... would that work when I turn the second DC back on? Did I say something stupid? :)

Regards,
Mariano
Mariano Sokal
2006-Jul-07 23:14 UTC
[Samba] get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed: Preauthentication failed
>>> Yes, we have 2 DC (darthsith and darthvader ;) )
>
>> Could be a replication issue. Sometimes the krb5 libs
>> don't always communicate with the same DC as smbd.
>> We're trying to fix this some in 3.0.23.
>
> So there's no way at this moment that I can make this
> computer join the ADS? What if I turn one DC off and make
> the computer join... would that work when I turn the
> second DC back on? Did I say something stupid? :)

> I thought the join finished ok and 'net ads testjoin'
> was happy. If that is the case you are joined.

Yes, it works again. I tried so many things that sometimes it worked, sometimes not. But it works now.

> The access problem is a different issue I think. You
> didn't really give enough information to know what the
> access problem was? Can you access the server via \\ip.add.re.ss ?
> If so, NTLM is working.

It asks me for user and password but always rejects me. Last error was

FAILED with error NT_STATUS_NO_SUCH_USER

getent passwd now does not show me any user from the domain.

Mariano
Mariano Sokal
2006-Jul-10 16:27 UTC
[Samba] get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed: Preauthentication failed
> Have you linked the libnss_winbind.so files correctly?

I just did apt-get install winbind, I run Debian.
How can I know if that is done?

Regards,
Mariano
Henrik Zagerholm
2006-Jul-10 19:15 UTC
[Samba] get_service_ticket: kerberos_kinit_password ULISES$@SYSTEMMASTER.COM.AR@SYSTEMMASTER.COM.AR failed: Preauthentication failed
Read this one thoroughly:

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

It goes through how to use winbind.

Cheers,
henrik

On 10 Jul 2006 at 18:29, Mariano Sokal wrote:
>> Have you linked the libnss_winbind.so files correctly?
>
> I just did apt-get install winbind, I run Debian.
> How can I know if that is done?
>
> Regards,
> Mariano
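
[Added example, not part of any message in this thread.] One way to answer the "How can I know if that is done?" question about libnss_winbind.so: check that nsswitch.conf lists winbind for passwd and group, and that the NSS module file is present. The function names, the sample file and the directory list are assumptions made for this illustration; libnss_winbind.so.2 is the module name glibc loads for a "winbind" source.

```shell
# nss_uses_winbind FILE DB: succeed if database DB (passwd, group) in an
# nsswitch.conf-style FILE lists "winbind" as a lookup source.
nss_uses_winbind() {
    awk -v db="$2" '
        {
            sub(/#.*/, "")                    # drop comments
            n = index($0, ":")
            if (n == 0) next
            name = substr($0, 1, n - 1)
            gsub(/[ \t]/, "", name)
            if (name != db) next
            cnt = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= cnt; i++)
                if (src[i] == "winbind") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# find_nss_winbind DIR...: print every DIR/libnss_winbind.so.2 that exists;
# fail if no directory holds the module glibc loads for "winbind".
find_nss_winbind() {
    rc=1
    for dir in "$@"; do
        if [ -e "$dir/libnss_winbind.so.2" ]; then
            printf '%s\n' "$dir/libnss_winbind.so.2"
            rc=0
        fi
    done
    return "$rc"
}

# check_winbind_nss FILE DIR...: report both checks; fail if either fails.
check_winbind_nss() {
    conf=$1; shift
    bad=0
    for db in passwd group; do
        if nss_uses_winbind "$conf" "$db"; then echo "$db: winbind listed"
        else echo "$db: winbind MISSING in $conf"; bad=1; fi
    done
    find_nss_winbind "$@" || { echo "libnss_winbind.so.2 not in: $*"; bad=1; }
    return "$bad"
}

# Constructed sample: passwd uses winbind, group does not.
sample=$(mktemp)
printf 'passwd: compat winbind\ngroup:  compat\n' > "$sample"
check_winbind_nss "$sample" /lib /usr/lib || true   # directory list is an assumption
rm -f "$sample"
```

On a real host, call check_winbind_nss /etc/nsswitch.conf followed by the library directories your distribution uses. If both checks pass and getent passwd still shows no domain users, the problem lies with winbindd or the domain join rather than the NSS wiring.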