Noël Köthe
2018-Aug-11 12:56 UTC
[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]
Hello,

my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9) connected to an AD with one Windows DC and one Samba DC does not renew the Kerberos ticket after 10 hours and I need to rejoin the domain. :(
Another server (runs as print server with the same version) does not have this problem.

Aug 10 20:03:37 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 10 20:04:26 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:15:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:25:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed

The configuration files:

# ls -l /etc/krb*
-rw-r--r-- 1 root root  142 Aug  7 12:25 /etc/krb5.conf
-rw------- 1 root root 4012 Aug 11 08:02 /etc/krb5.keytab

krb5.keytab timestamp is from the last manual join.

# cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.DE

dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

smb.conf
[global]
netbios name = BONN
workgroup = BFDI
security = ADS
realm = DOMAIN.DE

log level = 2 smb:4 winbind:6

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 500-40000
idmap_ldb use:rfc2307 = Yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind max clients = 300
winbind refresh tickets = Yes
template homedir = /srv/samba/users/%U
template shell = /bin/bash
# username map = /etc/samba/smbusermap

wins server = 10.1.1.72
dns proxy = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

server min protocol = SMB2
...
Then the shares follow

The logfile when it starts that the user cannot login again.

[2018/08/11 06:13:00.606138, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 20
[2018/08/11 06:13:00.606203, 3] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
  [14695]: list trusted domains
[2018/08/11 06:13:00.606226, 3] ../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
  ads: trusted_domains
[2018/08/11 06:13:00.607927, 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
  Finished processing child request 20
[2018/08/11 06:15:01.669552, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2018/08/11 06:15:01.669624, 3] ../source3/winbindd/winbindd_ads.c:1392(sequence_number)
  ads: fetch sequence_number for BFDI
[2018/08/11 06:15:02.481002, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
[2018/08/11 06:15:02.481487, 1] ../source3/winbindd/winbindd_ads.c:135(ads_cached_connection_connect)
  ads_connect for domain DOMAIN failed: Preauthentication failed
[2018/08/11 06:15:02.482231, 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
  Finished processing child request 59
[2018/08/11 06:18:00.611050, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 20

# net ads join -U Administrator
...

# wbinfo -P
checking the NETLOGON dc connection to "dc-win.domain.de" succeeded

# net ads testjoin
Join is OK

# net ads info
LDAP server: 10.1.1.71
LDAP server name: dc-win.domain.de
Realm: DOMAIN.DE
Bind Path: dc=DOMAIN,dc=DE
LDAP port: 389
Server time: Sa, 11 Aug 2018 14:24:02 CEST
KDC server: 10.1.1.71
Server time offset: 0

Sadly I have no idea what could be the problem.
I did a "net ads leave" and join but then 10 hours later the problem is there again.

Thanks a lot for any help.

--
Regards

Noël Köthe
Rowland Penny
2018-Aug-11 13:55 UTC
[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]
On Sat, 11 Aug 2018 14:56:46 +0200
Noël Köthe via samba <samba at lists.samba.org> wrote:

> Hello,
>
> my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9)
> connected to an AD with one Windows DC and one Samba DC does not renew
> the Kerberos ticket after 10 hours and I need to rejoin the domain. :(
> Another server (runs as print server with the same version) does not
> have this problem.
>
> Aug 10 20:03:37 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
> Aug 10 20:04:26 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
> Aug 11 06:15:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
> Aug 11 06:25:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
>
> The configuration files:
>
> # ls -l /etc/krb*
> -rw-r--r-- 1 root root  142 Aug  7 12:25 /etc/krb5.conf
> -rw------- 1 root root 4012 Aug 11 08:02 /etc/krb5.keytab
>
> krb5.keytab timestamp is from the last manual join.
>
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN.DE
>
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> smb.conf
> [global]
> netbios name = BONN
> workgroup = BFDI
> security = ADS
> realm = DOMAIN.DE
>
> log level = 2 smb:4 winbind:6
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 500-40000

Is 'DOMAIN' a typo ? or did you not bother 'sanitising' 'BFDI' above ?

> idmap_ldb use:rfc2307 = Yes

Why have you got a line meant for a Samba AD DC in your Unix domain member smb.conf ?

> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind max clients = 300
> winbind refresh tickets = Yes
> template homedir = /srv/samba/users/%U
> template shell = /bin/bash
> # username map = /etc/samba/smbusermap
>
> wins server = 10.1.1.72
> dns proxy = yes

You do not need the above two lines.

>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> server min protocol = SMB2
> ...
> Then the shares follow
>
> The logfile when it starts that the user cannot login again.
>
> [2018/08/11 06:13:00.606138, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
>   child daemon request 20
> [2018/08/11 06:13:00.606203, 3] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>   [14695]: list trusted domains
> [2018/08/11 06:13:00.606226, 3] ../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
>   ads: trusted_domains
> [2018/08/11 06:13:00.607927, 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
>   Finished processing child request 20
> [2018/08/11 06:15:01.669552, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
>   child daemon request 59
> [2018/08/11 06:15:01.669624, 3] ../source3/winbindd/winbindd_ads.c:1392(sequence_number)
>   ads: fetch sequence_number for BFDI
> [2018/08/11 06:15:02.481002, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
>   kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
> [2018/08/11 06:15:02.481487, 1] ../source3/winbindd/winbindd_ads.c:135(ads_cached_connection_connect)
>   ads_connect for domain DOMAIN failed: Preauthentication failed

There is that domain 'DOMAIN' again, is that a clue ??

> [2018/08/11 06:15:02.482231, 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
>   Finished processing child request 59
> [2018/08/11 06:18:00.611050, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
>   child daemon request 20
>
> # net ads join -U Administrator
> ...
>
> # wbinfo -P
> checking the NETLOGON dc connection to "dc-win.domain.de" succeeded
>
> # net ads testjoin
> Join is OK
>
> # net ads info
> LDAP server: 10.1.1.71
> LDAP server name: dc-win.domain.de
> Realm: DOMAIN.DE
> Bind Path: dc=DOMAIN,dc=DE
> LDAP port: 389
> Server time: Sa, 11 Aug 2018 14:24:02 CEST
> KDC server: 10.1.1.71
> Server time offset: 0
>
> Sadly I have no idea what could be the problem.
> I did a "net ads leave" and join but then 10 hours later the problem
> is there again.

This is undoubtedly a Kerberos problem, but apart from the slight problems I mentioned above, there doesn't seem to be much wrong.

You could check the time between the Client and DC, also check that the client's first nameserver is the DC.

If it is a Samba problem then you have little or no chance of getting it fixed, your version of Samba is EOL as far as Samba is concerned. You could consider using Louis Van Belle's repo from here:

http://apt.van-belle.nl/

This will get you a much more recent Samba version.

Rowland

>
> Thanks a lot for any help.
>
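Added example, not code from either poster: a small Python triage helper that parses the syslog-style winbindd lines quoted in the first post and the "Server time offset" line of `net ads info`, reporting how often and over what span the member server's own machine account failed Kerberos pre-authentication, and whether clock skew (the check Rowland suggests) could explain it. The sample input is constructed from the thread; the year 2018 and the 300-second krb5 default clock-skew tolerance are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the four syslog lines quoted in the original post.
SYSLOG = """\
Aug 10 20:03:37 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 10 20:04:26 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:15:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:25:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
"""
# Constructed sample: the two relevant lines of the post's `net ads info` output.
NET_ADS_INFO = "KDC server: 10.1.1.71\nServer time offset: 0\n"

KINIT_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ winbindd\[\d+\]: "
    r"kerberos_kinit_password (?P<principal>\S+) failed: (?P<reason>.+)$")
OFFSET = re.compile(r"^Server time offset: (-?\d+)$", re.M)
MAX_SKEW_SECONDS = 300  # assumed krb5 default clockskew tolerance (5 minutes)

def kinit_failures(log_text, year=2018):
    """Map (principal, reason) -> sorted timestamps; syslog has no year, so one is assumed."""
    found = {}
    for line in log_text.splitlines():
        m = KINIT_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.setdefault((m["principal"], m["reason"]), []).append(ts)
    return {k: sorted(v) for k, v in found.items()}

def server_time_offset(info_text):
    """Seconds of skew reported by `net ads info`, or None if the line is absent."""
    m = OFFSET.search(info_text)
    return int(m.group(1)) if m else None

def triage(log_text, info_text):
    """Summarise machine-account pre-auth failures and whether skew could explain them."""
    report = {"machine_account_failures": {}}
    for (principal, reason), times in kinit_failures(log_text).items():
        if "$@" in principal:  # computer account principal: HOST$@REALM
            report["machine_account_failures"][principal] = {
                "count": len(times), "reason": reason,
                "span_hours": round((times[-1] - times[0]).total_seconds() / 3600, 2)}
    offset = server_time_offset(info_text)
    report["server_time_offset"] = offset
    # Skew beyond the tolerance also yields pre-auth failures; the post reports 0, so it is ruled out.
    report["clock_skew_suspect"] = offset is not None and abs(offset) > MAX_SKEW_SECONDS
    return report
```

For the thread's input the report shows four failures for BONN$@DOMAIN.DE spread over about 10.4 hours with no clock skew, which points away from time and towards the machine-account credential itself (the keytab or secrets entry winbind uses to kinit).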
Noël Köthe
2018-Aug-11 14:30 UTC
[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]
Hello Rowland,

On Saturday, 11.08.2018, 14:55 +0100, Rowland Penny via samba wrote:

> > idmap config DOMAIN:backend = ad
> > idmap config DOMAIN:schema_mode = rfc2307
> > idmap config DOMAIN:range = 500-40000
>
> Is 'DOMAIN' a typo ? or did you not bother 'sanitising' 'BFDI' above ?

I overlooked the workgroup entry when "sanitising". Sorry for the confusion.

> > idmap_ldb use:rfc2307 = Yes
>
> Why have you got a line meant for a Samba AD DC in your Unix domain
> member smb.conf ?

Then it is not intended.

> > wins server = 10.1.1.72
> > dns proxy = yes
>
> You do not need the above two lines.

Thank you for the hint.

> > Sadly I have no idea what could be the problem.
> > I did a "net ads leave" and join but then 10 hours later the problem
> > is there again.
>
> This is undoubtedly a Kerberos problem, but apart from the slight
> problems I mentioned above, there doesn't seem to be much wrong.

OK. Thank you for this verification.

> You could check the time between the Client and DC, also check that the
> client's first nameserver is the DC.

I did this and they all run NTP and the clocks are accurate.

> If it is a Samba problem then you have little or no chance of getting
> it fixed, your version of Samba is EOL as far as Samba is concerned.
> You could consider using Louis Van Belle's repo from here:
>
> http://apt.van-belle.nl/
>
> This will get you a much more recent Samba version.

Thanks again. I will upgrade the system and samba.

--
Regards

Noël Köthe