Anders.Strandberg@tietoenator.com
2006-Dec-14 17:57 UTC
[Samba] winbindd_raw_kerberos_login: kinit failed
Hi,

I have set up Samba 3.0.23d on Linux Suse NLD9 with AD idmap backend with security = ads and rfc2307.

At every login there is a log message in log.wb-MYDOMAIN:

    [2006/12/14 17:46:51, 1] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(510)
      winbindd_raw_kerberos_login: kinit failed for 'myuser@MYDOMAIN.COM' with: Invalid argument (22)

With debug level 10:

    winbindd_dual_pam_auth: domain: MYDOMAIN last was online
    winbindd_dual_pam_auth_kerberos
    is_myname("MYDOMAIN") returns 0
    using ccache: FILE:/tmp/krb5cc_55555
    winbindd_raw_kerberos_login: uid is 55555
    kerberos_kinit_password: using FILE:/tmp/krb5cc_55555 as ccache
    winbindd_raw_kerberos_login: kinit failed for 'myuser@MYDOMAIN.COM' with: Invalid argument (22)
    winbindd_raw_kerberos_login: could not remove ccache
    winbindd_dual_pam_auth_kerberos failed: NT_STATUS_UNSUCCESSFUL

Obviously winbindd_raw_kerberos login fails. I suppose it is some call in kerberos_kinit_password_ext that returns with an error, but I have not found which one.

The question is what argument is invalid. tcpdump gives some info on Unknown encryption types 0x11 and 0x12, and failed preauthentication.

Login succeeds eventually, but this is samlogon.

Does anyone have a hint about this or how to troubleshoot it further?

/Anders
Anders.Strandberg@tietoenator.com
2006-Dec-19 16:48 UTC
[Samba] winbindd_raw_kerberos_login: kinit failed
Hi,

As a follow-up: the problem exists with the setup below:

    OS: Linux (e.g. NLD9/SLED10)
    Samba: samba-3.0.23d compiled with heimdal-0.7.1
    Pam_krb5 is installed.
    Pam-modules-line: auth sufficient pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE cached_login
    AD-server: Win 2003 with R2

The indicating error message:

    winbindd_raw_kerberos_login: kinit failed for 'myuser@MYDOMAIN.COM' with: Invalid argument (22)

I believe that this should work, i.e. Kerberos cached login with winbind towards AD 2003?

As far as I can see, kinit and klist work from the command line, but not from winbind. From the winbind log it seems that winbind/kinit looks for the correct cache file:

    kerberos_kinit_password: using FILE:/tmp/krb5cc_55555 as ccache

This file does not exist, but is not created either, and subsequently not possible to remove.

Is there anybody who could shed light on this?

/Anders
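Added example, not part of the original posts: a small Python triage script that pulls kinit failures out of a winbindd debug log and pairs each one with the ccache named just before it and with any failed ccache cleanup that follows. The sample log is constructed from the lines quoted in the thread; the header file names and line numbers other than winbindd_pam.c (510) are assumptions.

```python
import re

# Constructed sample in the Samba 3.0 debug layout: a "[time, level] file:func(line)"
# header followed by indented message lines. Only the (510) header is from the thread.
SAMPLE_LOG = """\
[2006/12/14 17:46:51, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(470)
  winbindd_raw_kerberos_login: uid is 55555
[2006/12/14 17:46:51, 10] libads/kerberos.c:kerberos_kinit_password_ext(100)
  kerberos_kinit_password: using FILE:/tmp/krb5cc_55555 as ccache
[2006/12/14 17:46:51, 1] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(510)
  winbindd_raw_kerberos_login: kinit failed for 'myuser@MYDOMAIN.COM' with: Invalid argument (22)
[2006/12/14 17:46:51, 10] nsswitch/winbindd_pam.c:winbindd_raw_kerberos_login(520)
  winbindd_raw_kerberos_login: could not remove ccache
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)$")
KINIT_FAIL = re.compile(r"kinit failed for '([^']+)' with: (.+) \((\d+)\)")
CCACHE = re.compile(r"using (\S+) as ccache")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": m[1], "level": int(m[2]), "func": m[4], "msg": []}
            records.append(cur)
        elif cur is not None and line.strip():
            cur["msg"].append(line.strip())
    return records

def kinit_failures(text):
    """Return one dict per kinit failure: principal, error, errno, ccache, cleanup state."""
    failures, ccache = [], None
    for rec in parse_records(text):
        for msg in rec["msg"]:
            c = CCACHE.search(msg)
            if c:
                ccache = c[1]  # remember the cache named for this attempt
            f = KINIT_FAIL.search(msg)
            if f:
                failures.append({"time": rec["time"], "principal": f[1], "error": f[2],
                                 "code": int(f[3]), "ccache": ccache, "cleanup_failed": False})
                ccache = None
            elif "could not remove ccache" in msg and failures:
                failures[-1]["cleanup_failed"] = True
    return failures

if __name__ == "__main__":
    for item in kinit_failures(SAMPLE_LOG):
        print(item)
```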