SUCCESS.........up to the point of kerberos tickets. ((What a difference a night's sleep can do for logic neurons.))

Everything works with the provisioning now except for kerberos.

The setup follows and ends with the kinit, klist, and kvno errors/failures:

[root@dc1 ~]# hostname -f
dc1.internal.example.com
[root@dc1 ~]# hostname -s
dc1
[root@dc1 ~]# hostname -d
internal.example.com
[root@dc1 ~]# hostnamectl status
   Static hostname: dc1.internal.example.com
         Icon name: computer-server
           Chassis: server
        Machine ID: 57ccaldjfre9tuq34uadl5fjgq9823uadog
           Boot ID: f4c1eqa9e8rt709q23y849tyqghlkqdhfg9
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-229.1.2.el7.x86_64
      Architecture: x86_64

[root@dc1 ~]# cat /etc/resolv.conf
domain internal.example.com
search internal.example.com
nameserver 10.10.1.225

[root@dc1 ~]# cat /etc/hosts
127.0.0.1 dc1.internal.example.com dc1
127.0.0.1 localhost
10.10.1.225 dc1.internal.example.com dc1

[root@dc1 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = INTERNAL
        realm = INTERNAL.EXAMPLE.COM
        netbios name = dc1
        interfaces = lo, eno1
        bind interfaces only = Yes
        server role = active directory domain controller
        dns forwarder = 75.75.76.76
        idmap_ldb:use rfc2307 = yes

[root@dc1 ~]# smbclient //internal.example.com/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[INTERNAL] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
  .                                   D        0  Thu Apr 30 09:36:14 2015
  ..                                  D        0  Thu Apr 30 09:36:20 2015

                51175 blocks of size 1048576. 48360 blocks available

[root@dc1 ~]# host -t SRV _ldap._tcp.internal.example.com.
_ldap._tcp.internal.example.com has SRV record 0 100 389 dc1.internal.example.com.
[root@dc1 ~]# host -t SRV _kerberos._udp.internal.example.com.
_kerberos._udp.internal.example.com has SRV record 0 100 88 dc1.internal.example.com.
[root@dc1 ~]# host -t A dc1.internal.example.com.
dc1.internal.example.com has address 10.10.1.225
[root@dc1 ~]#
[root@dc1 ~]# kinit administrator@INTERNAL.EXAMPLE.COM
Password for administrator@INTERNAL.EXAMPLE.COM:
kinit: Preauthentication failed while getting initial credentials

[root@dc1 ~]# cat /etc/krb5.conf
[libdefaults]
        default_realm = INTERNAL.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

[root@dc1 ~]# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
[root@dc1 ~]#
[root@dc1 ~]# kvno administrator@INTERNAL.EXAMPLE.COM
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client principal name
[root@dc1 ~]#

On Thu, 30 Apr 2015, Mike wrote:

> Everything works with the provisioning now except for kerberos.
>
> [root@dc1 ~]# kinit administrator@INTERNAL.EXAMPLE.COM
> Password for administrator@INTERNAL.EXAMPLE.COM:
> kinit: Preauthentication failed while getting initial credentials

In my experience, preauthentication failed typically means you mistyped your password. :)

L.P.H. van Belle
2015-Apr-30 14:53 UTC
[Samba] Cannot authenticate the administrator account
Yes, change the password of the administrator. ;-)

And if that does not work, an extra tip, worth a try. In smb.conf

> interfaces = lo, eno1

try with lo, 10.10.1.225

There are known problems with interface detection on some OSes (like Ubuntu 12.04).
Now I only work (almost only) with Debian, and I'm avoiding this by setting IP and not interface name.
So I don't know if CentOS also has this problem, but it's one thing you can try also.

Greetz,

Louis

>-----Original message-----
>From: smblist at rednsx.org [mailto:samba-bounces at lists.samba.org] On behalf of Sketch
>Sent: Thursday 30 April 2015 16:42
>To: samba
>Subject: Re: [Samba] Cannot authenticate the administrator account
>
>On Thu, 30 Apr 2015, Mike wrote:
>
>> Everything works with the provisioning now except for kerberos.
>>
>> [root@dc1 ~]# kinit administrator@INTERNAL.EXAMPLE.COM
>> Password for administrator@INTERNAL.EXAMPLE.COM:
>> kinit: Preauthentication failed while getting initial credentials
>
>In my experience, preauthentication failed typically means you
>mistyped your password. :)

Greetings, L.P.H. van Belle!

> Yes, change the password of the administrator. ;-)

> And if that does not work, an extra tip, worth a try.

> In smb.conf
>> interfaces = lo, eno1

> try with lo, 10.10.1.225

> There are known problems with interface detection on some OSes (like Ubuntu 12.04).
> Now I only work (almost only) with Debian, and I'm avoiding this by setting IP and not interface name.
> So I don't know if CentOS also has this problem, but it's one thing you can try also.

I'm going as far as setting up the network address (i.e. 10.10.1.0/24) so that I can use the same config file on all member servers.

--
With best regards,
Andrey Repin
Friday, May 1, 2015 02:07:40

Sorry for my terrible English...