Dear All,

I have recently set up a completely new AD domain on my Linux server, running Samba 4.8.3. From the server, I can authenticate via Kerberos and get users and groups through winbind etc. When I try to join a freshly installed Mac running macOS 10.13.6, I receive the error:

"Unable to add server. Authentication server failed to completed the requested operation. (5103)"

The Mac has a local IP address of 192.168.0.107, and its hostname is set to potterbook.

On the Mac, no log entries at all occur to indicate what this might be.

On the Linux machine, the only logs that seem to get written are in /var/log/samba/mit_kdc.log:

Jul 27 23:53:09 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: NEEDED_PREAUTH: Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN, Additional pre-authentication required
Jul 27 23:53:09 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731989, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN
Jul 27 23:53:09 pathfinder krb5kdc[6597](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731989, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for ldap/pathfinder.potternet.lan at POTTERNET.LAN
Jul 27 23:53:09 pathfinder krb5kdc[6597](info): closing down fd 20
Jul 27 23:53:09 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: NEEDED_PREAUTH: Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN, Additional pre-authentication required
Jul 27 23:53:09 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731989, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN
Jul 27 23:53:09 pathfinder krb5kdc[6597](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731989, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for ldap/pathfinder.potternet.lan at POTTERNET.LAN
Jul 27 23:53:09 pathfinder krb5kdc[6597](info): closing down fd 20
Jul 27 23:53:10 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: NEEDED_PREAUTH: Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN, Additional pre-authentication required
Jul 27 23:53:10 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731990, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN
Jul 27 23:53:10 pathfinder krb5kdc[6597](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731990, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for ldap/pathfinder.potternet.lan at POTTERNET.LAN
Jul 27 23:53:10 pathfinder krb5kdc[6597](info): closing down fd 20
Jul 27 23:53:10 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: NEEDED_PREAUTH: Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN, Additional pre-authentication required
Jul 27 23:53:10 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731990, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN
Jul 27 23:53:10 pathfinder krb5kdc[6597](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731990, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for ldap/pathfinder.potternet.lan at POTTERNET.LAN
Jul 27 23:53:10 pathfinder krb5kdc[6597](info): closing down fd 20
Jul 27 23:53:11 pathfinder krb5kdc[6597](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731990, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for kadmin/changepw at POTTERNET.LAN
Jul 27 23:53:11 pathfinder krb5kdc[6597](info): closing down fd 20

I would most appreciate any guidance on where I'm going wrong; I really need this to work. Happy to provide more detail if needed.

Many thanks.

Regards,
Phil Potter
On Sat, 2018-07-28 at 00:10 +0100, Phillip Potter via samba wrote:
> Dear All,
>
> I have recently setup a completely new AD domain on my Linux server, running Samba 4.8.3. From the server, I can authenticate via kerberos and get users and groups through winbind etc. When I try to join a freshly installed Mac running macOS 10.13.6, I receive the error:
> "Unable to add server. Authentication server failed to completed the requested operation. (5103)"
>
> The Mac has a local IP address of 192.168.0.107, and its hostname is set to potterbook.
>
> On the Mac, no log entries at all occur to indicate what this might be.
>
> On the Linux machine, the only logs that seem to get written are in /var/log/samba/mit_kdc.log:

Did you build Samba with MIT Kerberos support or use a package so built? If not, then perhaps you have the wrong KDC started; just start Samba and it will handle the rest.

If that isn't it, try re-building the AD DC without MIT Kerberos. We have some reports of issues in this area, and it would provide a point of comparison we can investigate.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Sat, Jul 28, 2018 at 11:40:26AM +1200, Andrew Bartlett wrote:
> On Sat, 2018-07-28 at 00:10 +0100, Phillip Potter via samba wrote:
> > Dear All,
> >
> > I have recently setup a completely new AD domain on my Linux server, running Samba 4.8.3. From the server, I can authenticate via kerberos and get users and groups through winbind etc. When I try to join a freshly installed Mac running macOS 10.13.6, I receive the error:
> > "Unable to add server. Authentication server failed to completed the requested operation. (5103)"
> >
> > The Mac has a local IP address of 192.168.0.107, and its hostname is set to potterbook.
> >
> > On the Mac, no log entries at all occur to indicate what this might be.
> >
> > On the Linux machine, the only logs that seem to get written are in /var/log/samba/mit_kdc.log:
>
> Did you build Samba with MIT Kerberos support or use package so built?
> If not, then perhaps you have the wrong KDC started, just start Samba
> and it will handle the rest.
>
> If that isn't it, try re-building the AD DC without MIT Kerberos, we
> have some reports of issues in this area, and it would provide a point
> of comparison we can investigate.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Dear Andrew,

Thanks for your reply. I just used the package from my distro, Fedora 28. Running an ldd and checking the package manager tells me that it is indeed built against MIT Kerberos. The KDC is already started by the samba systemd unit file; no other KDC is started erroneously.

I will build Samba myself without MIT Kerberos on a fresh VM with the same dependencies as soon as I am able (likely in the next day or two) and get back to you if it works.

Regards,
Phil Potter
On Sat, Jul 28, 2018 at 11:40:26AM +1200, Andrew Bartlett wrote:
> On Sat, 2018-07-28 at 00:10 +0100, Phillip Potter via samba wrote:
> > Dear All,
> >
> > I have recently setup a completely new AD domain on my Linux server, running Samba 4.8.3. From the server, I can authenticate via kerberos and get users and groups through winbind etc. When I try to join a freshly installed Mac running macOS 10.13.6, I receive the error:
> > "Unable to add server. Authentication server failed to completed the requested operation. (5103)"
> >
> > The Mac has a local IP address of 192.168.0.107, and its hostname is set to potterbook.
> >
> > On the Mac, no log entries at all occur to indicate what this might be.
> >
> > On the Linux machine, the only logs that seem to get written are in /var/log/samba/mit_kdc.log:
>
> Did you build Samba with MIT Kerberos support or use package so built?
> If not, then perhaps you have the wrong KDC started, just start Samba
> and it will handle the rest.
>
> If that isn't it, try re-building the AD DC without MIT Kerberos, we
> have some reports of issues in this area, and it would provide a point
> of comparison we can investigate.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Dear Andrew,

I built Samba 4.8.3 from scratch on a fresh Fedora 28 VM, without MIT Kerberos but keeping all other dependencies at the same version as with the packaged version, and I can confirm the Mac joins a newly provisioned AD on it with no issues. Would you like me to provide logs for future reference?

Regards,
Phil Potter