Carlos A. P. Cunha
2017-Jan-09 12:17 UTC
[Samba] kerberos_kinit_password failed: Preauthentication failed
Rowland

I'm guessing I was wrong, but my fear now is that I change this setting, change my UID / GID, and stop sharing accesses.
Is this going to happen?

But by the very doubt, would that affect my problem, since it seems to be something with kerberos?

Thanks

On 09-01-2017 09:16, Rowland Penny via samba wrote:
> On Mon, 9 Jan 2017 08:59:40 -0200
> "Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:
>
>> Hello!
>> I do not use sssd use winbind.
>> When I mentioned in the lines workgroup and realm, they are like this
>> (for example)
>>
>> Workgroup = INTRNAL
>> Realm = INTERNAL.TESTE.COM.BR
>>
>> I do not know if that was what caused the confusion ....
>>
> Yes it was, if you are going to sanitize smb.conf (or anything) please
> use the same thing everywhere ;-)
>
> Your 'idmap config' set up is entirely wrong, you should use 'tdb' for
> the '*' domain and you should also have a separate range for the
> 'INTERNAL' domain
> i.e. you should have lines similar to these:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config INTERNAL : backend = rid
> idmap config INTERNAL : range = 10000-999999
>
> Rowland
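The two idmap rules in the advice quoted above ('tdb' for the '*' domain, a separate range per domain) can be checked mechanically. This is an added example, not part of the thread or of Samba; the function names and the `BAD` fragment are constructed for illustration.

```python
import re

# Layout suggested in the thread.
GOOD = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999
"""
# Constructed counter-example (not the poster's real file): wrong backend for
# '*' and a range shared with the INTERNAL domain.
BAD = """\
[global]
idmap config * : backend = rid
idmap config * : range = 10000-999999
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Map each domain to its idmap options, e.g. {'*': {'backend': 'tdb'}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains


def check_idmap(conf):
    """Return a list of problems; an empty list means both rules hold."""
    domains, problems, ranges = parse_idmap(conf), [], []
    if domains.get("*", {}).get("backend") != "tdb":
        problems.append("'*' domain should use the tdb backend")
    for name, opts in domains.items():
        if "range" not in opts:
            problems.append(f"{name}: no range configured")
            continue
        low, high = (int(n) for n in opts["range"].split("-"))
        ranges.append((low, high, name))
    top = None  # (high, name) of the range that reaches furthest so far
    for low, high, name in sorted(ranges):
        if top and low <= top[0]:
            problems.append(f"ranges of {top[1]} and {name} overlap")
        if not top or high > top[0]:
            top = (high, name)
    return problems
```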
Rowland Penny
2017-Jan-09 12:56 UTC
[Samba] kerberos_kinit_password failed: Preauthentication failed
On Mon, 9 Jan 2017 10:17:48 -0200
"Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:

> Rowland
>
> I'm guessing I was wrong, but my fear now is that I change this
> setting, change my UID / GID, and stop sharing accesses.
> Is this going to happen?

It really should only affect the Well known SIDs etc, it shouldn't affect your users & groups, but it might, this is no reason to not fix it.

>
> But by the very doubt, would that affect my problem, since it seems
> to be something with kerberos?

It seems as if your kerberos ticket is expiring, so if winbind isn't set up correctly, this could be the cause of it not being renewed. The only other difference between your smb.conf and mine, is that I also have these two lines:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

Rowland
Carlos A. P. Cunha
2017-Jan-09 13:52 UTC
[Samba] kerberos_kinit_password failed: Preauthentication failed
Okay, my /etc/krb5.conf

[libdefaults]
    default_realm = GRUPO.COTRIEL.COM.BR
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

-------------------
klist now

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at INTERNAL.TESTE.COM.BR

Valid starting       Expires              Service principal
06/01/2017 09:05:22  06/01/2017 19:05:22  krbtgt/INTERNAL.TESTE.COM.BR at INTERNAL.TESTE.COM.BR
        renew until 07/01/2017 09:05:21
06/01/2017 09:37:24  06/01/2017 19:05:22  ldap/server.INTERNAL.TESTE.COM.BR at INTERNAL.TESTE.COM.BR

-------------------

I do not have this file /etc/krb5.keytab (find don't search)

Server was implemented in October / 2016 it got 2 months without problems and this started last Thursday ....
No changes on the DC server.
: - |

On 09-01-2017 10:56, Rowland Penny via samba wrote:
> On Mon, 9 Jan 2017 10:17:48 -0200
> "Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:
>
>> Rowland
>>
>> I'm guessing I was wrong, but my fear now is that I change this
>> setting, change my UID / GID, and stop sharing accesses.
>> Is this going to happen?
> It really should only affect the Well known SIDs etc, it shouldn't
> affect your users & groups, but it might, this is no reason to not fix
> it.
>
>> But by the very doubt, would that affect my problem, since it seems
>> to be something with kerberos?
> It seems as if your kerberos ticket is expiring, so if winbind isn't
> set up correctly, this could be the cause of it not being renewed. The
> only other difference between your smb.conf and mine, is that I also
> have these two lines:
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> Rowland
Carlos A. P. Cunha
2017-Jan-09 13:53 UTC
[Samba] kerberos_kinit_password failed: Preauthentication failed
Okay, my /etc/krb5.conf

[libdefaults]
    default_realm =INTERNAL.TESTE.COM.BR
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

-------------------
klist now

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at INTERNAL.TESTE.COM.BR

Valid starting       Expires              Service principal
06/01/2017 09:05:22  06/01/2017 19:05:22  krbtgt/INTERNAL.TESTE.COM.BR at INTERNAL.TESTE.COM.BR
        renew until 07/01/2017 09:05:21
06/01/2017 09:37:24  06/01/2017 19:05:22  ldap/server.internal.teste,com.br at INTERNAL.TESTE.COM.BR

-------------------

I do not have this file /etc/krb5.keytab (find don't search)

Server was implemented in October / 2016 it got 2 months without problems and this started last Thursday ....
No changes on the DC server.
: - |

On 09-01-2017 10:56, Rowland Penny via samba wrote:
> On Mon, 9 Jan 2017 10:17:48 -0200
> "Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:
>
>> Rowland
>>
>> I'm guessing I was wrong, but my fear now is that I change this
>> setting, change my UID / GID, and stop sharing accesses.
>> Is this going to happen?
> It really should only affect the Well known SIDs etc, it shouldn't
> affect your users & groups, but it might, this is no reason to not fix
> it.
>
>> But by the very doubt, would that affect my problem, since it seems
>> to be something with kerberos?
> It seems as if your kerberos ticket is expiring, so if winbind isn't
> set up correctly, this could be the cause of it not being renewed. The
> only other difference between your smb.conf and mine, is that I also
> have these two lines:
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> Rowland
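The klist listing in the two messages above can be read programmatically to see whether each ticket is still valid, should be renewed, or has expired and needs a fresh kinit. This is an added example, not part of the thread; the sample is constructed from the quoted output with the archive's " at " written back as "@", and the day/month/year date order is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@INTERNAL.TESTE.COM.BR

Valid starting       Expires              Service principal
06/01/2017 09:05:22  06/01/2017 19:05:22  krbtgt/INTERNAL.TESTE.COM.BR@INTERNAL.TESTE.COM.BR
        renew until 07/01/2017 09:05:21
06/01/2017 09:37:24  06/01/2017 19:05:22  ldap/server.INTERNAL.TESTE.COM.BR@INTERNAL.TESTE.COM.BR
"""

FMT = "%d/%m/%Y %H:%M:%S"  # assumption: day/month/year, as the thread's dates imply
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^renew until ({STAMP})$")


def parse_klist(text):
    """Return one dict per ticket: service, expires, renew_until (or None)."""
    tickets = []
    for line in (raw.strip() for raw in text.splitlines()):
        ticket, renew = TICKET_RE.match(line), RENEW_RE.match(line)
        if ticket:
            tickets.append({"service": ticket.group(3),
                            "expires": datetime.strptime(ticket.group(2), FMT),
                            "renew_until": None})
        elif renew and tickets:
            # "renew until" belongs to the ticket printed just above it
            tickets[-1]["renew_until"] = datetime.strptime(renew.group(1), FMT)
    return tickets


def ticket_status(ticket, now, margin=timedelta(hours=1)):
    """expired: needs a fresh kinit; renew-now: valid, renewable, near expiry."""
    if now >= ticket["expires"]:
        return "expired"  # an expired ticket can no longer be renewed
    if ticket["expires"] - now <= margin:
        renew_until = ticket["renew_until"]
        return "renew-now" if renew_until and renew_until > ticket["expires"] else "expiring"
    return "valid"


def report(text, now):
    return {t["service"]: ticket_status(t, now) for t in parse_klist(text)}


if __name__ == "__main__":
    for service, status in report(SAMPLE_KLIST, datetime(2017, 1, 9, 13, 52)).items():
        print(f"{status:10} {service}")
```

Run against the time of the message (9 January 2017), both tickets come out as expired, which fits the diagnosis given earlier in the thread that the ticket is not being renewed.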