Bjarne Maschoreck
2005-May-25 09:28 UTC
[Samba] Samba vs ActiveDirectory Kerberos error message
Hi,

When validating users on my Linux system against an ActiveDirectory,
the Windows event logs are filled with messages like these (Windows
Event ID 675):

  Pre-authentication failed:
  User Name: linux$
  User ID: KK\linux$
  Service Name: krbtgt/KK.LOCAL
  Pre-Authentication Type: 0x0
  Failure Code: 0x19
  Client Address: 1.2.3.4

(1.2.3.4 is the IP address of the Linux machine, LINUX the hostname of
the Linux machine).

The message above comes at every request from the Linux machine (every 5
minutes on this installation). If I am validating a user, the same
message is shown for the user like this (user name validated=test):

  Pre-authentication failed:
  User Name: test$
  User ID: KK\test$
  Service Name: krbtgt/KK.LOCAL
  Pre-Authentication Type: 0x0
  Failure Code: 0x19
  Client Address: 1.2.3.4

Messages logged on behalf of a user may be disabled by deactivating
pre-authentication for each user. But I cannot find any place in
ActiveDirectory to disable it for the machine account.

What is missing?

Is it possible to deactivate pre-authentication on the Linux (or
Windows) side to avoid these messages?

Installation information:
==================================================

I have installed Samba 3.0.9-2.3 and the configuration files below on my
Suse 9.2 system.

I issued the following commands to establish connection to the
ActiveDirectory on the Windows server named ADMCONTROLLER:

  smbpasswd -a root
  kinit admuser
  net use ads -Uadmuser

The Linux machine was added and user names may perfectly well be
validated against the ActiveDirectory hereafter.

I am not running KDC locally.

KK is our local domain handled by the domain controller ADMCONTROLLER.

Test commands also work well as far as I can see:

  # net ads testjoin
  Join is OK

  # net ads status
  (misc information, no errors)

  # net ads user
  (user list)

Files used for the configuration:

/etc/samba/smb.conf:

[global]
workgroup = KK
realm = KK.LOCAL
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
printcap cache time = 750
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /winhome/%U
template shell = /bin/bash
winbind separator = @
winbind use default domain = yes
winbind cache time = 900
winbind enum users = no
winbind enum groups = no
printer admin = @ntadmin, root, administrator
create mask = 0777
force create mode = 0660
directory mask = 0777
force directory mode = 0777
cups options = raw
include = /etc/samba/dhcp.conf
encrypt passwords = yes
guest account = kkuser
server string = LINUX filserver

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = yes
browseable = no

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775

[data]
comment = Data
path = /data
read only = no
guest ok = yes
max connections = 0

---eof---

/etc/krb5.conf:

[libdefaults]
clockskew = 300
default_realm = KK.LOCAL

[realms]
KK.LOCAL = {
    kdc = ADMCONTROLLER
    default_domain = KK.LOCAL
    kpasswd_server = ADMCONTROLLER
}

[domain_realm]
.KK.LOCAL = KK.LOCAL

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
    debug = false
}

---eof---

/etc/samba/smbusers:

root = administrator

---eof---

/etc/samba/smbpasswd (hex modified in this example):

root:0:52525252525252525252525252552525258237632846842634364834632842662:[U ]:LCT-9371B4CF:

---eof---

/etc/nsswitch.conf:

passwd: files winbind
group: files winbind
shadow: files winbind

hosts: files dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files nis
aliases: files

---eof---

Thanks for your help!

rgds,
Bjarne Maschoreck
smc+samba@dogphilosophy.net
2005-May-25 16:42 UTC
[Samba] Samba vs ActiveDirectory Kerberos error message
I'm seeing the same problem on 3 different Samba versions (on two different
distributions) as well. I poked around the HOWTOs and such but so far haven't
found anything to indicate what the problem might be.

It doesn't seem to prevent authentication, but it creates a huge amount of
noise in the Windows event logs. I'd be interested in knowing how to address
this, too.

On Wednesday 25 May 2005 02:27 am, Bjarne Maschoreck wrote:
> Hi,
>
> When validating users on my Linux system against an ActiveDirectory,
> the Windows event logs are filled with messages like these (Windows
> Event ID 675):
>
>   Pre-authentication failed:
>   User Name: linux$
>   User ID: KK\linux$
>   Service Name: krbtgt/KK.LOCAL
>   Pre-Authentication Type: 0x0
>   Failure Code: 0x19
>   Client Address: 1.2.3.4
>
> (1.2.3.4 is the IP address of the Linux machine, LINUX the hostname of
> the Linux machine).
>
> The message above comes at every request from the Linux machine (every 5
> minutes on this installation). If I am validating a user, the same
> message is shown for the user like this (user name validated=test):
>
>   Pre-authentication failed:
>   User Name: test$
>   User ID: KK\test$
>   Service Name: krbtgt/KK.LOCAL
>   Pre-Authentication Type: 0x0
>   Failure Code: 0x19
>   Client Address: 1.2.3.4
>
> Messages logged on behalf of a user may be disabled by deactivating
> pre-authentication for each user. But I cannot find any place in
> ActiveDirectory to disable it for the machine account.
>
> What is missing?
>
> Is it possible to deactivate pre-authentication on the Linux (or
> Windows) side to avoid these messages?
>
> Installation information:
> ==================================================
>
> I have installed Samba 3.0.9-2.3 and the configuration files below on my
> Suse 9.2 system.
>
> I issued the following commands to establish connection to the
> ActiveDirectory on the Windows server named ADMCONTROLLER:
>
>   smbpasswd -a root
>   kinit admuser
>   net use ads -Uadmuser
>
> The Linux machine was added and user names may perfectly well be
> validated against the ActiveDirectory hereafter.
>
> I am not running KDC locally.
>
> KK is our local domain handled by the domain controller ADMCONTROLLER.
>
> Test commands also work well as far as I can see:
>
>   # net ads testjoin
>   Join is OK
>
>   # net ads status
>   (misc information, no errors)
>
>   # net ads user
>   (user list)
>
> Files used for the configuration:
>
> /etc/samba/smb.conf:
>
> [global]
> workgroup = KK
> realm = KK.LOCAL
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> printcap cache time = 750
> logon path = \\%L\profiles\.msprofile
> logon drive = P:
> logon home = \\%L\%U\.9xprofile
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /winhome/%U
> template shell = /bin/bash
> winbind separator = @
> winbind use default domain = yes
> winbind cache time = 900
> winbind enum users = no
> winbind enum groups = no
> printer admin = @ntadmin, root, administrator
> create mask = 0777
> force create mode = 0660
> directory mask = 0777
> force directory mode = 0777
> cups options = raw
> include = /etc/samba/dhcp.conf
> encrypt passwords = yes
> guest account = kkuser
> server string = LINUX filserver
>
> [printers]
> comment = All Printers
> path = /var/tmp
> create mask = 0600
> printable = yes
> browseable = no
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin, root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
> [data]
> comment = Data
> path = /data
> read only = no
> guest ok = yes
> max connections = 0
>
> ---eof---
>
> /etc/krb5.conf:
>
> [libdefaults]
> clockskew = 300
> default_realm = KK.LOCAL
>
> [realms]
> KK.LOCAL = {
>     kdc = ADMCONTROLLER
>     default_domain = KK.LOCAL
>     kpasswd_server = ADMCONTROLLER
> }
>
> [domain_realm]
> .KK.LOCAL = KK.LOCAL
>
> [logging]
> default = SYSLOG:NOTICE:DAEMON
> kdc = FILE:/var/log/kdc.log
> kadmind = FILE:/var/log/kadmind.log
>
> [appdefaults]
> pam = {
>     ticket_lifetime = 1d
>     renew_lifetime = 1d
>     forwardable = true
>     proxiable = false
>     retain_after_close = false
>     minimum_uid = 0
>     debug = false
> }
>
> ---eof---
>
> /etc/samba/smbusers:
>
> root = administrator
>
> ---eof---
>
> /etc/samba/smbpasswd (hex modified in this example):
>
> root:0:52525252525252525252525252552525258237632846842634364834632842662:[U ]:LCT-9371B4CF:
>
> ---eof---
>
> /etc/nsswitch.conf:
>
> passwd: files winbind
> group: files winbind
> shadow: files winbind
>
> hosts: files dns
> networks: files dns
>
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files
> publickey: files
>
> bootparams: files
> automount: files nis
> aliases: files
>
> ---eof---
>
> Thanks for your help!
>
> rgds,
> Bjarne Maschoreck
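
Failure code 0x19 in the events quoted in this thread is the Kerberos error KDC_ERR_PREAUTH_REQUIRED (RFC 4120), the KDC's reply to an initial request that carried no pre-authentication data. The following Python is an added example, not part of either message or of Samba: it parses exported Event ID 675 text and separates those records from other failure codes; the `KK\alice` account, the 10.0.0.7 address and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) as they appear in the "Failure Code" field.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",    # pre-auth data did not verify (e.g. wrong password)
    0x19: "KDC_ERR_PREAUTH_REQUIRED",  # KDC asks the client to retry with pre-auth data
    0x25: "KRB_AP_ERR_SKEW",
}
ROUTINE = {0x19}  # first leg of a normal AS exchange, not a rejected credential
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(\S.*?)\s*$")

def parse_events(text):
    """Split exported Event ID 675 text into one dict of fields per record."""
    events = []
    for line in text.splitlines():
        if line.strip() == "Pre-authentication failed:":
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1)] = m.group(2)
    return events

def triage(events):
    """Count routine 0x19 records per account; count everything else per
    (account, client address, error name) so real failures stand out."""
    routine, alerts = Counter(), Counter()
    for ev in events:
        code = int(ev.get("Failure Code", "0x0"), 16)
        user = ev.get("User ID", "?")
        if code in ROUTINE:
            routine[user] += 1
        else:
            name = KRB_ERRORS.get(code, "UNKNOWN_0x%X" % code)
            alerts[(user, ev.get("Client Address", "?"), name)] += 1
    return routine, alerts

# Constructed sample: the first two records use the values quoted in the thread;
# the KK\alice records and 10.0.0.7 are invented for illustration.
def record(user, code, addr):
    return ("Pre-authentication failed:\n User Name: %s\n User ID: KK\\%s\n"
            " Service Name: krbtgt/KK.LOCAL\n Pre-Authentication Type: 0x0\n"
            " Failure Code: %s\n Client Address: %s\n" % (user, user, code, addr))

SAMPLE = (record("linux$", "0x19", "1.2.3.4") + record("test$", "0x19", "1.2.3.4")
          + record("alice", "0x18", "10.0.0.7") * 3)

if __name__ == "__main__":
    routine, alerts = triage(parse_events(SAMPLE))
    print("routine:", dict(routine))
    print("alerts:", dict(alerts))
```

Filtering on the failure code this way reduces the log noise described above without turning off pre-authentication for any account.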