Lachlan Pollock
2006-Sep-01 08:01 UTC
[Samba] ads_kinit_password failed: Preauthentication failed
Hi,

I have compiled samba 3.0.23b (MIT Kerberos 1.5.1) on Solaris 10. I am unable to join the ads domain. net ads testjoin returns the following output...

[2006/09/01 17:25:17, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password ARTEMISIA$@UNIMELB.EDU.AU failed: Preauthentication failed
[2006/09/01 17:25:17, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password ARTEMISIA$@UNIMELB.EDU.AU failed: Preauthentication failed
[2006/09/01 17:25:17, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Preauthentication failed
Join to domain is not valid

I have what looks like a valid ticket in klist...

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <username>@UNIMELB.EDU.AU

Valid starting      Expires             Service principal
01/09/2006 14:00    02/09/2006 00:00    krbtgt/UNIMELB.EDU.AU@UNIMELB.EDU.AU
        renew until 08/09/2006 14:00
01/09/2006 14:39    02/09/2006 00:00    cres-dc1$@UNIMELB.EDU.AU
        renew until 08/09/2006 14:00
01/09/2006 17:06    02/09/2006 00:00    dc25$@UNIMELB.EDU.AU
        renew until 08/09/2006 14:00

My krb5.conf maps the realm as follows...

[libdefaults]
        default_realm = UNIMELB.EDU.AU
#       dns_lookup_realm = false
#       dns_lookup_kdc = false

[realms]
        UNIMELB.EDU.AU = {
                kdc = adk1.unimelb.edu.au:88
                kdc = adk2.unimelb.edu.au:88
                default_domain = unimelb.edu.au
        }

[domain_realm]
        .unimelb.edu.au = UNIMELB.EDU.AU
        unimelb.edu.au = UNIMELB.EDU.AU

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[kdc]
        profile = /etc/krb5/kdc.conf

[appdefaults]
        pam = {
                debug = true
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }
        kinit = {
                renewable = true
                forwardable= true
        }
        gkadmin = {
                help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
        }

and my smb.conf is...

[global]
        workgroup = UNIMELB
        server string = 'new potter'
        netbios name = ARTEMISIA
        hosts allow = 127. 128.250.
        security = ADS
        realm = UNIMELB.EDU.AU
        local master = no
        domain master = no
        use kerberos keytab = yes
        wins server = 128.250.144.64
        password server = dc25.unimelb.edu.au
        idmap uid = 1000-29999
        idmap gid = 1000-29999
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        template homedir = /home/%D/%U
        template shell = /bin/false
        client use spnego = yes

My DNS domain is different from the AD domain. The computer account is newly created and exists before I testjoin. If I ignore the error and try to join, the AD computer account becomes disabled.

I have debug level 10 logs available.

Thanks in advance for any assistance.

Cheers
Lachlan

-- 
Lachlan Pollock                    mailto:lachlan.pollock at unimelb.edu.au
Systems Administrator, ArtsIT, Faculty of Arts
University of Melbourne, Victoria 3010, AUSTRALIA
Aaron Kincer
2006-Sep-01 13:27 UTC
[Samba] ads_kinit_password failed: Preauthentication failed
Lachlan,

Try these settings to help:

client use spnego = no
server signing = auto
client signing = auto

Let me know if it works.

Aaron Kincer
Aaron Kincer
2006-Sep-01 13:31 UTC
[Samba] ads_kinit_password failed: Preauthentication failed
Lachlan,

One more thing--make sure that your Samba server and your domain servers are in step with the correct time (NTP helps). If your Samba server attempts to authenticate against the domain and doesn't have the correct time, authentication can (and usually does) fail from what I've seen with ADS on Windows 2003 (native mode). I run into that problem occasionally when for one reason or another, RHEL decides to stop polling NTP to update the time and loses time (RHEL on VMWare is screwy BTW).

Hope that helps.

Aaron Kincer
Jerry,

I have more information on the behavior. I'm going to send this to the list as well.

I have set up a test environment running Ubuntu 6.06 server with Samba 3.0.22 to make sure there isn't anything bug specific going on since Red Hat seems to use an older version (their own back-port flavor of 3.0.10).

The setting of the archive bit by applications seems a bit strange. It seems some applications do and some don't.

Will set the archive bit on edit
------------------------------
Wordpad
OpenOffice.org

Will not set the archive bit on edit
----------------------------------
Notepad
Microsoft Word

My first very uneducated guess is that the mechanism the programs use to actually modify the file on disk and save changes is different in a way that breaks archive bit behavior on Samba for some and not others.

I'll keep digging into Google, but meanwhile back at the ranch, any ideas?

Thanks,

Aaron

Gerald (Jerry) Carter wrote:
> Aaron Kincer wrote:
>
>> Figures. They have a surprisingly negative view of Samba.
>> I am not extrapolating, I'm going by what a support
>> tech said on the phone. Not sure what their issue is.
>> My guess would be that either they have an
>> upcoming service of their own to compete with
>> Samba or they've gotten burned by using old
>> packages and having to support them.
>
> There's a couple of things at play. First is that
> RH never updates packages after a RHEL release.
> This is not specific to Samba. So the KB articles were
> in fact a quick workaround for that version. But the
> issues have since been fixed.
>
>> Either way, I've got that set to no. You think I should
>> set it to yes? I'll give it a shot after business hours
>> today.
>
> If you are on a recent version of Samba, then yeah.
> Just let the default values be your guide.
>
>> Could that be causing me to have failure with setting/clearing
>> the archive bit? I noticed that my own user account caused
>> this log message despite being a member of the
>> read/write group on a file:
>>
>> akincer opened file personal/foo.TXT read=Yes write=No (numopen=3)
>
> Probably not the SPNEGO setting. But take a look at the
> "map readonly" option. It could be a read only DOS bit that
> is the problem.
>
> jerry
Lachlan Pollock
2006-Sep-04 00:59 UTC
[Samba] RE: ads_kinit_password failed: Preauthentication failed
Hi,

Thanks for the replies. I hope this reply ends in the right thread, and I am sorry to Markus for hijacking your previous thread.

I have updated to version 3.0.23c, but the problem remains.

Thanks for the suggestions Aaron, I am running ntp. The DCs are running something similar. We are all synchronised off the same time servers.

Gerald (Jerry) Carter wrote...
> My guess is that there are multiple DCs and we are
> dealing with a period of inconsistency between DCs.

There are 7 DCs in the domain. Local DCs synchronise every 5 minutes, but 4 of the DCs are on slower WAN links and only synchronise overnight. (I am not sure what the collective noun for these things is.) My 'password server' host is the preferred DC.

Here is one attempt from net ads testjoin -d 10...

[2006/09/04 10:42:00, 6] libads/ldap.c:ads_find_dc(224)
  ads_find_dc: looking for realm 'UNIMELB.EDU.AU'
[2006/09/04 10:42:00, 8] libsmb/namequery.c:get_sorted_dc_list(1551)
  get_sorted_dc_list: attempting lookup using [ads]
[2006/09/04 10:42:00, 10] lib/gencache.c:gencache_get(312)
  Cache entry with key = SAF/DOMAIN/UNIMELB.EDU.AU couldn't be found
[2006/09/04 10:42:00, 5] libsmb/namequery.c:saf_fetch(105)
  saf_fetch: failed to find server for "UNIMELB.EDU.AU" domain
[2006/09/04 10:42:00, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", dc25.unimelb.edu.au"
[2006/09/04 10:42:00, 10] libsmb/namequery.c:internal_resolve_name(1132)
  internal_resolve_name: looking up dc25.unimelb.edu.au#20
[2006/09/04 10:42:00, 10] lib/gencache.c:gencache_get(287)
  Returning valid cache entry: key = NBT/DC25.UNIMELB.EDU.AU#20, value = 128.250.6.95:0, timeout = Mon Sep 4 10:52:34 2006
[2006/09/04 10:42:00, 5] libsmb/namecache.c:namecache_fetch(201)
  name dc25.unimelb.edu.au#20 found.
[2006/09/04 10:42:00, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/09/04 10:42:00, 4] libsmb/namequery.c:get_dc_list(1529)
  get_dc_list: returning 1 ip addresses in an ordered list
[2006/09/04 10:42:00, 4] libsmb/namequery.c:get_dc_list(1530)
  get_dc_list: 128.250.6.95:389
[2006/09/04 10:42:00, 5] libads/ldap.c:ads_try_connect(127)
  ads_try_connect: sending CLDAP request to 128.250.6.95 (realm: UNIMELB.EDU.AU)
[2006/09/04 10:42:00, 10] libsmb/namequery.c:saf_store(71)
  saf_store: domain = [UNIMELB], server = [128.250.6.95], expire = [1157331420]
[2006/09/04 10:42:00, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = SAF/DOMAIN/UNIMELB; value = 128.250.6.95 and timeout = Mon Sep 4 10:57:00 2006 (900 seconds ahead)
[2006/09/04 10:42:00, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 128.250.6.95
[2006/09/04 10:42:00, 4] libads/ldap.c:ads_current_time(2262)
  time offset is 0 seconds
[2006/09/04 10:42:00, 4] libads/sasl.c:ads_sasl_bind(468)
  Found SASL mechanism GSS-SPNEGO
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =dc25$@UNIMELB.EDU.AU
[2006/09/04 10:42:00, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/09/04 10:42:00, 10] libads/kerberos.c:kerberos_kinit_password_ext(89)
  kerberos_kinit_password: using MEMORY:net_ads as ccache
[2006/09/04 10:42:00, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password ARTEMISIA$@UNIMELB.EDU.AU failed: Preauthentication failed
[2006/09/04 10:42:00, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Preauthentication failed
Join to domain is not valid
[2006/09/04 10:42:00, 2] utils/net.c:main(988)
  return code = -1

Cheers
Lachlan

-- 
Lachlan Pollock                    mailto:lachlan.pollock at unimelb.edu.au
Systems Administrator, ArtsIT, Faculty of Arts
University of Melbourne, Victoria 3010, AUSTRALIA
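Aaron's time-sync advice earlier in the thread and the debug trace in the post above both come down to a handful of lines in `net ads testjoin -d 10` output: which DC was contacted, what clock offset Samba measured against it, which SASL mechanism and server principal were negotiated, and how the machine-account kinit ended. The following is an added example, not code from the thread or from the Samba project: a small Python triage script that parses Samba 3.x debug records (it splits at the `[date, level] file.c:function(line)` headers, so it also works on a trace that a list archive has flattened onto one line), pulls those facts out, flags a clock offset beyond MIT Kerberos' default 300 s `clockskew`, and explains the misleading "No credentials cache found" line, which is expected because `net ads` kinits into its own MEMORY ccache. The embedded sample trace is constructed; the realm, host name, DC address and principal names in it are placeholders, not from the thread.

```python
"""Triage helper for Samba 3.x `net ads testjoin -d N` debug output (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Samba 3.x debug header, e.g. "[2006/09/04 10:42:00, 3] libads/ldap.c:ads_connect(287)"
HEADER_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<src>[\w./]+:\w+\(\d+\))"
)

# MIT Kerberos rejects tickets once client and KDC clocks differ by more than
# the libdefaults "clockskew" value, 300 seconds by default.
MAX_CLOCK_SKEW_SECONDS = 300

@dataclass
class Record:
    ts: str
    level: int
    src: str
    msg: str

@dataclass
class Triage:
    dc: Optional[str] = None
    time_offset: Optional[int] = None
    sasl_mech: Optional[str] = None
    server_principal: Optional[str] = None
    failed_principal: Optional[str] = None
    problems: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)

def parse_records(text: str) -> List[Record]:
    """Pair each debug header with the message after it. Splitting at header
    positions (not newlines) also copes with a trace flattened onto one line."""
    heads = list(HEADER_RE.finditer(text))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[h.end():end].split())   # collapse indentation/newlines
        records.append(Record(h.group("ts"), int(h.group("level")), h.group("src"), msg))
    return records

def triage(text: str) -> Triage:
    """Pull the join-relevant facts out of the trace and flag known failure causes."""
    t = Triage()
    for r in parse_records(text):
        if m := re.search(r"Connected to LDAP server (\S+)", r.msg):
            t.dc = m.group(1)
        elif m := re.search(r"time offset is (-?\d+) seconds", r.msg):
            t.time_offset = int(m.group(1))
            if abs(t.time_offset) > MAX_CLOCK_SKEW_SECONDS:
                t.problems.append(f"clock skew of {t.time_offset}s against the DC "
                                  f"exceeds {MAX_CLOCK_SKEW_SECONDS}s; fix NTP first")
        elif m := re.search(r"Found SASL mechanism (\S+)", r.msg):
            t.sasl_mech = m.group(1)
        elif m := re.search(r"got server principal name =(\S+)", r.msg):
            t.server_principal = m.group(1)
        elif "No credentials cache found" in r.msg:
            # Expected: net ads ignores the user's ccache and kinits into MEMORY:net_ads.
            t.notes.append("no pre-existing ccache (expected; net ads uses its own)")
        elif m := re.search(r"kerberos_kinit_password (\S+) failed: (.+)", r.msg):
            t.failed_principal = m.group(1)
            t.problems.append(f"kinit as {m.group(1)} failed: {m.group(2)}")
            if "Preauthentication failed" in m.group(2):
                # The KDC rejected the encrypted-timestamp preauth, i.e. the key the
                # client derived for this principal does not match the KDC's copy.
                t.notes.append("KDC rejected preauth: machine account password/key "
                               "mismatch for that principal, not a network problem")
    if t.time_offset is None:
        t.notes.append("no 'time offset' line seen; run with -d 4 or higher")
    return t

# Constructed sample shaped like the thread's trace, with placeholder realm,
# host name and DC address (not a real environment).
SAMPLE_PREAUTH_FAILURE = """\
[2006/09/04 10:42:00, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 192.0.2.10
[2006/09/04 10:42:00, 4] libads/ldap.c:ads_current_time(2262)
  time offset is 0 seconds
[2006/09/04 10:42:00, 4] libads/sasl.c:ads_sasl_bind(468)
  Found SASL mechanism GSS-SPNEGO
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =dc-example$@EXAMPLE.TEST
[2006/09/04 10:42:00, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/09/04 10:42:00, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password HOST$@EXAMPLE.TEST failed: Preauthentication failed
[2006/09/04 10:42:00, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Preauthentication failed
Join to domain is not valid
"""

# Same constructed trace with the DC clock ten minutes out, to exercise the skew check.
SAMPLE_CLOCK_SKEW = SAMPLE_PREAUTH_FAILURE.replace(
    "time offset is 0 seconds", "time offset is 612 seconds")

if __name__ == "__main__":
    for name, sample in (("preauth", SAMPLE_PREAUTH_FAILURE), ("skew", SAMPLE_CLOCK_SKEW)):
        print(name, triage(sample))
```

Feed it a real trace with `python3 triage.py < testjoin.log` after swapping the `__main__` block for `print(triage(sys.stdin.read()))`; on the thread's own output it would report a 0 s offset (so clock skew is ruled out, as Lachlan says) and a kinit failure for the machine principal, which is the line worth chasing.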
Lachlan
2006-Sep-06 01:25 UTC
[Samba] RE: ads_kinit_password failed: Preauthentication failed
Just curious, why is this thread so broken? What did I do wrong in my post?

Lachlan wrote:
>
> Hi,
>
> Thanks for the replies. I hope this reply ends in the right thread.
> and I am sorry to Markus for hijacking your previous thread.
>
> -- snip ---
SOLVED IT !!!

Thank you for all the help. Special thanks to Joseph Garret.

I had to resort to version 3.0.20. I also may have had some problems with the native samba and kerberos libraries, and tidied up the environment paths for the build (and cleaned out all installation paths).

Cheers
Lachlan

Aaron Kincer wrote:
>
> Lachlan,
>
> Try these settings to help:
>
> client use spnego = no
> server signing = auto
> client signing = auto
>
> Let me know if it works.
>
> Aaron Kincer