Noël Köthe
2018-Aug-11 12:56 UTC
[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]
Hello,
my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9)
connected to an AD with one Windows DC and one Samba DC does not renew
the Kerberos ticket after 10 hours and I need to rejoin the domain.:(
Another server (runs as print server with the same version) does not
have this problem.
Aug 10 20:03:37 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 10 20:04:26 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:15:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:25:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
The configuration files:
# ls -l /etc/krb*
-rw-r--r-- 1 root root 142 Aug 7 12:25 /etc/krb5.conf
-rw------- 1 root root 4012 Aug 11 08:02 /etc/krb5.keytab
krb5.keytab timestamp is from the last manual join.
# cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
smb.conf
[global]
netbios name = BONN
workgroup = BFDI
security = ADS
realm = DOMAIN.DE
log level = 2 smb:4 winbind:6
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 500-40000
idmap_ldb use:rfc2307 = Yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind max clients = 300
winbind refresh tickets = Yes
template homedir = /srv/samba/users/%U
template shell = /bin/bash
# username map = /etc/samba/smbusermap
wins server = 10.1.1.72
dns proxy = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server min protocol = SMB2
...
Then the shares follow
The logfile from when the user cannot log in again:
[2018/08/11 06:13:00.606138, 4]
../source3/winbindd/winbindd_dual.c:1387(child_handler)
child daemon request 20
[2018/08/11 06:13:00.606203, 3]
../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
[14695]: list trusted domains
[2018/08/11 06:13:00.606226, 3]
../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
ads: trusted_domains
[2018/08/11 06:13:00.607927, 4]
../source3/winbindd/winbindd_dual.c:1395(child_handler)
Finished processing child request 20
[2018/08/11 06:15:01.669552, 4]
../source3/winbindd/winbindd_dual.c:1387(child_handler)
child daemon request 59
[2018/08/11 06:15:01.669624, 3]
../source3/winbindd/winbindd_ads.c:1392(sequence_number)
ads: fetch sequence_number for BFDI
[2018/08/11 06:15:02.481002, 0]
../source3/libads/kerberos_util.c:74(ads_kinit_password)
kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
[2018/08/11 06:15:02.481487, 1]
../source3/winbindd/winbindd_ads.c:135(ads_cached_connection_connect)
ads_connect for domain DOMAIN failed: Preauthentication failed
[2018/08/11 06:15:02.482231, 4]
../source3/winbindd/winbindd_dual.c:1395(child_handler)
Finished processing child request 59
[2018/08/11 06:18:00.611050, 4]
../source3/winbindd/winbindd_dual.c:1387(child_handler)
child daemon request 20
# net ads join -U Administrator
...
# wbinfo -P
checking the NETLOGON dc connection to "dc-win.domain.de" succeeded
# net ads testjoin
Join is OK
# net ads info
LDAP server: 10.1.1.71
LDAP server name: dc-win.domain.de
Realm: DOMAIN.DE
Bind Path: dc=DOMAIN,dc=DE
LDAP port: 389
Server time: Sa, 11 Aug 2018 14:24:02 CEST
KDC server: 10.1.1.71
Server time offset: 0
Sadly I have no idea what could be the problem.
I did a "net ads leave" and join but then 10 hours later the problem
is there again.
Thanks a lot for any help.
--
Regards
Noël Köthe
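The syslog lines above are the signal worth alerting on: repeated "Preauthentication failed" for a machine-account principal (one ending in `$`) means the key winbind presents from its secrets/keytab no longer matches what the KDC holds, which is why a rejoin clears it. The following is an added example, not part of the original post or of Samba itself, that parses those lines, groups failures per principal and flags machine accounts with recurring preauth failures. The sample input is the four lines quoted in the post plus one constructed noise line; the year is an assumption taken from the post date, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four winbindd lines quoted in the post, joined back onto one line each,
# plus one constructed non-matching line that the parser must skip.
SAMPLE_LINES = [
    "Aug 10 20:03:37 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed",
    "Aug 10 20:04:26 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed",
    "Aug 11 06:15:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed",
    "Aug 11 06:25:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed",
    "Aug 11 06:25:03 bonn winbindd[14698]: Finished processing child request 59",  # constructed
]

# syslog timestamp, host, winbindd[pid], then the kinit failure text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"winbindd\[(?P<pid>\d+)\]: kerberos_kinit_password (?P<principal>\S+) "
    r"failed: (?P<reason>.+)$"
)


def parse_kinit_failures(lines, year=2018):
    """Return one event dict per kerberos_kinit_password failure line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a kinit failure; ignore
        # syslog has no year field; the caller supplies it (assumption: post year)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "pid": int(m["pid"]),
                       "principal": m["principal"], "reason": m["reason"]})
    return events


def summarize(events):
    """Group failures by principal: count, first/last time, span and distinct reasons."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    summary = {}
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        span = evs[-1]["ts"] - evs[0]["ts"]
        summary[principal] = {
            "count": len(evs),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "span_hours": span.total_seconds() / 3600,
            "reasons": sorted({e["reason"] for e in evs}),
            # AD machine accounts are named HOST$; their realm part follows the '@'
            "machine_account": principal.split("@")[0].endswith("$"),
        }
    return summary


def flag_machine_accounts(summary, min_count=2):
    """Machine-account principals with at least min_count preauth failures."""
    return sorted(
        p for p, s in summary.items()
        if s["machine_account"] and s["count"] >= min_count
        and "Preauthentication failed" in s["reasons"]
    )


def analyze(lines=SAMPLE_LINES, year=2018):
    return summarize(parse_kinit_failures(lines, year))


if __name__ == "__main__":
    summary = analyze()
    for principal, s in summary.items():
        print(f"{principal}: {s['count']} failures over {s['span_hours']:.1f} h, "
              f"reasons={s['reasons']}")
    print("machine accounts with repeated preauth failures:",
          flag_machine_accounts(summary))
```

Run against a real journal export, a single preauth failure for a user principal is noise (a typo'd password), but two or more for the member's own `HOST$` account is a keytab/secrets mismatch that no amount of retrying will fix and is worth paging on before users notice.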
Rowland Penny
2018-Aug-11 13:55 UTC
[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]
On Sat, 11 Aug 2018 14:56:46 +0200 Noël Köthe via samba <samba at lists.samba.org> wrote:
> Hello,
>
> my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9)
> connected to an AD with one Windows DC and one Samba DC does not renew
> the Kerberos ticket after 10 hours and I need to rejoin the domain.:(
> Another server (runs as print server with the same version) does not
> have this problem.
>
> Aug 10 20:03:37 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
> Aug 10 20:04:26 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
> Aug 11 06:15:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
> Aug 11 06:25:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
>
> The configuration files:
>
> # ls -l /etc/krb*
> -rw-r--r-- 1 root root 142 Aug 7 12:25 /etc/krb5.conf
> -rw------- 1 root root 4012 Aug 11 08:02 /etc/krb5.keytab
>
> krb5.keytab timestamp is from the last manual join.
>
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN.DE
>
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> smb.conf
> [global]
> netbios name = BONN
> workgroup = BFDI
> security = ADS
> realm = DOMAIN.DE
>
> log level = 2 smb:4 winbind:6
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 500-40000

Is 'DOMAIN' a typo ? or did you not bother 'sanitising' 'BFDI' above ?

> idmap_ldb use:rfc2307 = Yes

Why have you got a line meant for a Samba AD DC in your Unix domain member smb.conf ?

> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind max clients = 300
> winbind refresh tickets = Yes
> template homedir = /srv/samba/users/%U
> template shell = /bin/bash
> # username map = /etc/samba/smbusermap
>
> wins server = 10.1.1.72
> dns proxy = yes

You do not need the above two lines.

> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> server min protocol = SMB2
> ...
> Then the shares follow
>
> The logfile when it starts that the user cannot login again.
>
> [2018/08/11 06:13:00.606138, 4]
> ../source3/winbindd/winbindd_dual.c:1387(child_handler)
> child daemon request 20
> [2018/08/11 06:13:00.606203, 3]
> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
> [14695]: list trusted domains
> [2018/08/11 06:13:00.606226, 3]
> ../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
> ads: trusted_domains
> [2018/08/11 06:13:00.607927, 4]
> ../source3/winbindd/winbindd_dual.c:1395(child_handler)
> Finished processing child request 20
> [2018/08/11 06:15:01.669552, 4]
> ../source3/winbindd/winbindd_dual.c:1387(child_handler)
> child daemon request 59
> [2018/08/11 06:15:01.669624, 3]
> ../source3/winbindd/winbindd_ads.c:1392(sequence_number)
> ads: fetch sequence_number for BFDI
> [2018/08/11 06:15:02.481002, 0]
> ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
> [2018/08/11 06:15:02.481487, 1]
> ../source3/winbindd/winbindd_ads.c:135(ads_cached_connection_connect)
> ads_connect for domain DOMAIN failed: Preauthentication failed

There is that domain 'DOMAIN' again, is that a clue ??

> [2018/08/11 06:15:02.482231, 4]
> ../source3/winbindd/winbindd_dual.c:1395(child_handler)
> Finished processing child request 59
> [2018/08/11 06:18:00.611050, 4]
> ../source3/winbindd/winbindd_dual.c:1387(child_handler)
> child daemon request 20
>
> # net ads join -U Administrator
> ...
>
> # wbinfo -P
> checking the NETLOGON dc connection to "dc-win.domain.de" succeeded
>
> # net ads testjoin
> Join is OK
>
> # net ads info
> LDAP server: 10.1.1.71
> LDAP server name: dc-win.domain.de
> Realm: DOMAIN.DE
> Bind Path: dc=DOMAIN,dc=DE
> LDAP port: 389
> Server time: Sa, 11 Aug 2018 14:24:02 CEST
> KDC server: 10.1.1.71
> Server time offset: 0
>
> Sadly I have no idea what could be the problem.
> I did a "net ads leave" and join but then 10 hours later the problem
> is there again.

This is undoubtedly a Kerberos problem, but apart from the slight problems I mentioned above, there doesn't seem to be much wrong. You could check the time between the client and DC, also check that the client's first nameserver is the DC.

If it is a Samba problem then you have little or no chance of getting it fixed, your version of Samba is EOL as far as Samba is concerned. You could consider using Louis Van Belle's repo from here:

http://apt.van-belle.nl/

This will get you a much more recent Samba version.

Rowland

> Thanks a lot for any help.
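Rowland's two checks, clock skew against the DC and the DC being the first resolver, can be scripted against the `net ads info` output already in the thread. The following is an added example, not code from the thread or from Samba: it parses the `net ads info` block exactly as posted, compares `Server time offset` against the 300-second skew MIT Kerberos tolerates by default, and checks that the first `nameserver` in a resolv.conf points at the reported LDAP/KDC server. The two resolv.conf contents are constructed for illustration and are not from the thread.

```python
# `net ads info` output exactly as posted in the thread.
NET_ADS_INFO = """\
LDAP server: 10.1.1.71
LDAP server name: dc-win.domain.de
Realm: DOMAIN.DE
Bind Path: dc=DOMAIN,dc=DE
LDAP port: 389
Server time: Sa, 11 Aug 2018 14:24:02 CEST
KDC server: 10.1.1.71
Server time offset: 0
"""

# Constructed /etc/resolv.conf contents for illustration (not from the thread):
# one where the DC is the first resolver, one where a public resolver comes first.
RESOLV_CONF_OK = "search domain.de\nnameserver 10.1.1.71\nnameserver 10.1.1.72\n"
RESOLV_CONF_BAD = "search domain.de\nnameserver 8.8.8.8\nnameserver 10.1.1.71\n"

# MIT Kerberos default clockskew is 300 seconds; beyond that the KDC rejects requests.
DEFAULT_MAX_SKEW = 300


def parse_net_ads_info(text):
    """Split 'Key: value' lines on the first colon (the Server time value itself has colons)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def first_nameserver(resolv_conf):
    """Return the address of the first 'nameserver' directive, or None."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return None


def check_member(info_text, resolv_conf, max_skew=DEFAULT_MAX_SKEW):
    """Return a list of findings; an empty list means both checks passed."""
    info = parse_net_ads_info(info_text)
    findings = []

    offset = int(info.get("Server time offset", "0"))
    if abs(offset) > max_skew:
        findings.append(f"clock skew {offset}s exceeds {max_skew}s tolerance; "
                        "the KDC will reject AS/TGS requests")

    ns = first_nameserver(resolv_conf)
    dc_addrs = {info.get("LDAP server"), info.get("KDC server")} - {None}
    if ns not in dc_addrs:
        findings.append(f"first nameserver {ns} is not the DC "
                        f"({', '.join(sorted(dc_addrs))}); SRV lookups for the realm may miss")
    return findings


if __name__ == "__main__":
    for label, resolv in (("ok", RESOLV_CONF_OK), ("bad", RESOLV_CONF_BAD)):
        print(label, check_member(NET_ADS_INFO, resolv) or ["no findings"])
```

In practice you would feed it `subprocess.run(["net", "ads", "info"], ...)` output and the real `/etc/resolv.conf`; in this thread both checks pass (offset 0, and the poster later confirms NTP is in place), which is what points the diagnosis away from skew and towards the machine-account key itself.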
Noël Köthe
2018-Aug-11 14:30 UTC
[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]
Hello Rowland,

On Saturday, 11.08.2018, 14:55 +0100, Rowland Penny via samba wrote:
> > idmap config DOMAIN:backend = ad
> > idmap config DOMAIN:schema_mode = rfc2307
> > idmap config DOMAIN:range = 500-40000
>
> Is 'DOMAIN' a typo ? or did you not bother 'sanitising' 'BFDI' above ?

I overlooked the workgroup entry when "sanitising". Sorry for the confusion.

> > idmap_ldb use:rfc2307 = Yes
>
> Why have you got a line meant for a Samba AD DC in your Unix domain
> member smb.conf ?

Then it is not intended.

> > wins server = 10.1.1.72
> > dns proxy = yes
>
> You do not need the above two lines.

Thank you for the hint.

> > Sadly I have no idea what could be the problem.
> > I did a "net ads leave" and join but then 10 hours later the problem
> > is there again.
>
> This is undoubtedly a Kerberos problem, but apart from the slight
> problems I mentioned above, there doesn't seem to be much wrong.

OK. Thank you for this verification.

> You could check the time between the client and DC, also check that the
> client's first nameserver is the DC.

I did this and they all run NTP and the clocks are accurate.

> If it is a Samba problem then you have little or no chance of getting
> it fixed, your version of Samba is EOL as far as Samba is concerned.
> You could consider using Louis Van Belle's repo from here:
>
> http://apt.van-belle.nl/
>
> This will get you a much more recent Samba version.

Thanks again. I will upgrade the system and samba.

--
Regards
Noël Köthe