Andreas Dan Larsson
2009-Sep-03 15:10 UTC
[Samba] How do I tell winbind to always send kerberos pre-auth to Active Directory DC
Hi List,

I have reported this issue before but I did not get an answer, I'll try one more time before I register it as a bug in case I am doing something wrong.

I'm evaluating the use of samba/winbind to join our Linux hosts into Active Directory. My test setup uses win2k3 R2 with rfc2307 schema fields populated on the server side. For the most part the project is humming along nicely. However, I have noticed that the domain controllers get spammed with a lot of messages in the event log. The events look like this:

    Failure Audit - Security - 675
    Pre-Authentication failed:
    User Name: machineaccount$
    User ID: DOMAIN\\machineaccount$
    Service Name: krgtgt/DOMAIN
    Pre-Authentication type: 0x0
    Failure Code: 0x19
    Client Address: ipofclient

This message is not fatal in any way, all it means is that the client did not pre-authenticate itself to the domain controller. The domain controller responds to the client that it needs pre-auth to proceed, the client then supplies the pre-auth info. So the "error" in itself is quite harmless, my concern is that it's appearing a bit too often. Some clients log this message to the domain controller up to 10-20 times a minute, could this indicate that something is broken? My other concern is that this message will totally flood the logs of the domain controllers in the event of a full scale rollout on all Linux clients.

The solution I believe is to always send KRB5_PADATA_ENC_TIMESTAMP as pre-auth when connecting to an Active Directory domain controller. I have searched for a config option to enable this behavior without finding one. I have also searched the source code to see where the connection to the domain controller is set up. I have however been unsuccessful in figuring out how I tell sasl to make the connection using pre-auth. Unless I have misunderstood my problem I believe this will benefit anyone that integrates their samba machines into Active Directory.

Other solutions I found via google solve the problem by disabling pre-auth altogether. This solution is totally unacceptable from a security point of view.

For reference I have used samba 3.2.5 from debian lenny and samba 3.3.3 from lenny backports to test this.

Any advice on how to proceed would be appreciated.

Andreas Larsson
Volker Lendecke
2009-Sep-03 15:27 UTC
[Samba] How do I tell winbind to always send kerberos pre-auth to Active Directory DC
On Thu, Sep 03, 2009 at 05:10:38PM +0200, Andreas Dan Larsson wrote:
> This message is not fatal in any way, all it means is that
> the client did not pre-authenticate itself to the
> domain controller. The domain controller responds to the
> client that it needs pre-auth to proceed, the client then
> supplies the pre-auth info. So the "error" in itself is
> quite harmless, my concern is that it's appearing a bit too
> often. Some clients log this message to the
> domain controller up to 10-20 times a minute, could this
> indicate that something is broken?

Ok, 10-20 times a minute is definitely too much, you would need to look at traces why it happens so often. Apart from that, this behaviour is something winbind has no direct control over, this is done by the Kerberos libraries we use. You might want to look at the docs for krb5.conf if there's any setting you can use to stop the non-preauth requests. I'm afraid I don't have those docs handy right now, and I'm behind a slow mobile connection.

Volker
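To follow up on the advice to look at why the 675 events come so often, here is an added example (not from the thread or from Samba) that parses exported event lines in the layout quoted above, keeps the harmless 0x19 "pre-auth required" round trips apart from genuine 0x18 pre-auth failures, and flags machine accounts that reach the 10-20 per minute rate. The sample lines, host names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event quoted in the thread; the
# timestamps, machine accounts and addresses are made up for this example.
def _line(ts, user, code, addr):
    return (f"{ts} Failure Audit - Security - 675 Pre-Authentication failed: "
            f"User Name: {user} User ID: DOMAIN\\{user} Service Name: krbtgt/DOMAIN "
            f"Pre-Authentication type: 0x0 Failure Code: {code} Client Address: {addr}")

SAMPLE_EVENTS = "\n".join(
    # lnx01$: twelve 0x19 events inside one minute, the rate the thread worries about
    [_line(f"2009-09-03 15:10:{s:02d}", "lnx01$", "0x19", "10.0.0.11") for s in range(0, 60, 5)]
    # lnx02$: the normal one-round-trip pattern, plus one genuine failure (0x18)
    + [_line("2009-09-03 15:10:20", "lnx02$", "0x19", "10.0.0.12"),
       _line("2009-09-03 15:11:02", "lnx02$", "0x19", "10.0.0.12"),
       _line("2009-09-03 15:11:30", "lnx02$", "0x18", "10.0.0.12")])

EVENT_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} Failure Audit - Security - 675 .*?"
    r"User Name: (?P<user>\S+) .*?Pre-Authentication type: (?P<patype>0x[0-9a-fA-F]+) "
    r"Failure Code: (?P<code>0x[0-9a-fA-F]+) Client Address: (?P<addr>\S+)$")

def parse_events(text):
    """Parse exported 675 lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]

def split_by_failure_code(events):
    """0x19 (KDC_ERR_PREAUTH_REQUIRED) is the harmless 'send pre-auth' reply the thread
    describes; 0x18 (KDC_ERR_PREAUTH_FAILED) means the key/password was wrong and must
    not be dropped together with the noise."""
    required = [e for e in events if e["code"].lower() == "0x19"]
    failed = [e for e in events if e["code"].lower() == "0x18"]
    return required, failed

def noisy_clients(events, threshold=10):
    """Peak per-minute count of 0x19 events per (machine account, client address);
    returns the clients at or above threshold as {(user, addr): (count, minute)}."""
    required, _ = split_by_failure_code(events)
    per_minute = Counter((e["user"], e["addr"], e["minute"]) for e in required)
    peaks = {}
    for (user, addr, minute), n in per_minute.items():
        if n > peaks.get((user, addr), (0, ""))[0]:
            peaks[(user, addr)] = (n, minute)
    return {k: v for k, v in peaks.items() if v[0] >= threshold}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("genuine pre-auth failures (0x18):", len(split_by_failure_code(evs)[1]))
    for (user, addr), (n, minute) in noisy_clients(evs).items():
        print(f"{user} from {addr}: {n} pre-auth-required round trips in minute {minute}")
```

The flagged accounts are the ones worth tracing on the client side, while the 0x18 count stays visible so a real key mismatch is not hidden by the 0x19 noise.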