samba - Mar 2008 - kinit succeeded but ads_sasl_spnego_krb5_bind failed

Hi all,

I'm having trouble joining samba to active directory. My samba version is
3.0.28a-35 and krb is  1.6.1-17.el5. It's running on centos 5, kernel
version 2.6.18-53.1.14.el5. It's running on vmware server by the way if that
is of any significance.

The specific error that I get are as follows:

when testjoining the domain:

[2008/03/18 04:34:07, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password AD2K7$@DOMAIN.COM failed: Preauthentication failed
Join to domain is not valid: Logon failure

<DOMAIN.COM> is a valid domain, on a windows 2003 r2 server. It's
already
added to the hosts file as well as configured as the DNS server. hostname of
this host can also be resovled.

This is strange, considering I can get the ticket using kinit. I know some
people have posted about this before, but it was on a previous samba
version. I don't know if it is with samba versions, but i also upgraded from
3.0.25b, since i found somewhere in this post that it's a buggy version.

On last thing, I also got the same problem on a Centos 4.4 installation,
also with installed 3.0.28a-35.

Any help will be highly appreciated. I'm willing to give you all the
required configuration files if you need it.

I experienced this problem on a Red Hat Enterprise Linux 5.1 system when
running Samba 3.0.25b-1.el5_1.4, the RHEL supplied version of Samba.
Previously I was able to join this same system to our AD domain when it
was running RHEL 5/Samba 3.0.23c-2.el5.2.0.2. After this system was
upgraded to RHEL 5.1/Samba 3.0.25b-1.el5_1.4 I was not able re-join this
system to our AD domain.

I ended up downgrading to the /usr/bin/net binary to one from Samba
3.0.23c-2.el5.2.0.2, the previous RHEL supplied version. I did that by
downloading samba-common-3.0.23c-2.el5.2.0.2.i386.rpm from Red Hat and
extracting /usr/bin/net from the rpm by running:

"rpm2cpio samba-common-3.0.23c-2.el5.2.0.2.i386.rpm | cpio -iv
--make-directories ./usr/bin/net"

That extracted the 3.0.23c-2.el5.2.0.2 version of /usr/bin/net into my
cwd. Then I ran "mv /usr/bin/net /usr/bin/net.bak" to backup the
3.0.25b-1.el5_1.4 version and then copied the older /usr/bin/net binary
that I extracted from the rpm to /usr/bin. Once I did that, I was able
to rejoin this system to our domain.

Andrew Philipoff
Programmer Analyst
Information Technology Services
Department of Medicine
University of California, San Francisco
Phone: 415-476-1344
Help Desk: 415-476-6827
http://domsupport.ucsf.edu/

-----Original Message-----
From: samba-bounces+aphilipoff=medicine.ucsf.edu@lists.samba.org
[mailto:samba-bounces+aphilipoff=medicine.ucsf.edu@lists.samba.org] On
Behalf Of Francis Lee Mondia
Sent: Monday, March 17, 2008 5:38 PM
To: samba@lists.samba.org
Subject: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed

Hi all,

I'm having trouble joining samba to active directory. My samba version
is
3.0.28a-35 and krb is  1.6.1-17.el5. It's running on centos 5, kernel
version 2.6.18-53.1.14.el5. It's running on vmware server by the way if
that
is of any significance.

The specific error that I get are as follows:

when testjoining the domain:

[2008/03/18 04:34:07, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password AD2K7$@DOMAIN.COM failed: Preauthentication
failed
Join to domain is not valid: Logon failure

<DOMAIN.COM> is a valid domain, on a windows 2003 r2 server. It's
already
added to the hosts file as well as configured as the DNS server.
hostname of
this host can also be resovled.

This is strange, considering I can get the ticket using kinit. I know
some
people have posted about this before, but it was on a previous samba
version. I don't know if it is with samba versions, but i also upgraded
from
3.0.25b, since i found somewhere in this post that it's a buggy version.

On last thing, I also got the same problem on a Centos 4.4 installation,
also with installed 3.0.28a-35.

Any help will be highly appreciated. I'm willing to give you all the
required configuration files if you need it.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba