samba - Jan 2017 - kerberos_kinit_password failed: Preauthentication failed

Okay, my /etc/krb5.conf

[libdefaults]
         default_realm =INTERNAL.TESTE.COM.BR dns_lookup_realm = false
         dns_lookup_kdc = true
         ticket_lifetime = 24h
         forwardable = yes

-------------------

klist now

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at INTERNAL.TESTE.COM.BR


Valid starting       Expires              Service principal
06/01/2017 09:05:22  06/01/2017 19:05:22  
krbtgt/INTERNAL.TESTE.COM.BR at INTERNAL.TESTE.COM.BR renew until 
07/01/2017 09:05:21
06/01/2017 09:37:24  06/01/2017 19:05:22  
ldap/server.internal.teste,com.br at INTERNAL.TESTE.COM.BR


-------------------

I do not have this file /etc/krb5.keytab(find dont search)


Server was implemented in October / 2016 it got 2 months without 
problems and this started last Thursday .... No changes on the DC server.
: - |



Em 09-01-2017 10:56, Rowland Penny via samba escreveu:
> On Mon, 9 Jan 2017 10:17:48 -0200
> "Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:
>
>> Rowland
>>
>> I'm guessing I was wrong, but my fear now is that I change this
>> setting, change my UID / GID, and stop sharing accesses.
>> Is this going to happen?
> It really should only affect the Well known SIDs etc, it shouldn't
> affect your users & groups, but it might, this is no reason to not fix
> it.
>
>> But by the very doubt, would that affect my problem, since it seems
>> to be something with kerberos?
> It seems as if your kerberos ticket is expiring, so if winbind isn't
> set up correctly, this could be the cause of it not being renewed. The
> only other difference between your smb.conf and mine, is that I also
> have these two lines:
>
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
>
> Rowland
>   
>
>
>

On Mon, 9 Jan 2017 11:53:27 -0200
"Carlos A. P. Cunha" <carlos.hollow at gmail.com> wrote:
> Okay, my /etc/krb5.conf
> 
> [libdefaults]
>          default_realm =INTERNAL.TESTE.COM.BR 
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
You only need the top three lines
>          ticket_lifetime = 24h
>          forwardable = yes
> 
> -------------------
> 
> klist now
> 
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at INTERNAL.TESTE.COM.BR
> 
> 
> Valid starting       Expires              Service principal
> 06/01/2017 09:05:22  06/01/2017 19:05:22  
> krbtgt/INTERNAL.TESTE.COM.BR at INTERNAL.TESTE.COM.BR renew until 
> 07/01/2017 09:05:21
> 06/01/2017 09:37:24  06/01/2017 19:05:22  
> ldap/server.internal.teste,com.br at INTERNAL.TESTE.COM.BR
>
That is the root/Administrator cache, the machine cache is in memory.
 
> 
> -------------------
> 
> I do not have this file /etc/krb5.keytab(find dont search)
That is because you do not have the two lines in smb.conf, if you did
have them when you joined the domain member to the domain. it would be
created. Try 'net leave -Uadministrator', then 'net join
-Uadministrator', this should create it (after you have added the lines
to smb.conf). You will also have to stop the Samba binaries 'nmbd',
smbd' and 'winbindd'

Rowland

Hello!

Add 2 lines, and join (first leave) in domain ok.
I'll follow up if that solved my problem ...
By the hour Thanks.



Em 09-01-2017 12:32, Rowland Penny via samba escreveu:
> That is because you do not have the two lines in smb.conf, if you did
> have them when you joined the domain member to the domain. it would be
> created. Try 'net leave -Uadministrator', then 'net join
> -Uadministrator', this should create it (after you have added the lines
> to smb.conf). You will also have to stop the Samba binaries 'nmbd',
> smbd' and 'winbindd'
>
> Rowland
>