samba - Aug 2018 - [solved with upgrade] Re: samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]

Hello Rowland,

Am Samstag, den 11.08.2018, 14:55 +0100 schrieb Rowland Penny via
samba:
> >    idmap config DOMAIN:backend = ad
> >    idmap config DOMAIN:schema_mode = rfc2307
> >    idmap config DOMAIN:range = 500-40000
> 
> Is 'DOMAIN' a typo ? or did you not bother 'sanitising'
'BFDI' above ?
I overlooked the workgroup entry when "sanitising". sorry for
confusing.
> >    idmap_ldb use:rfc2307 = Yes
> 
> Why have you got a line meant for a Samba AD DC in your Unix domain
> member smb.conf ?
Then it is not intended.
> >    wins server = 10.1.1.72
> >    dns proxy = yes
> 
> You do not need the above two lines.
Thank you for the hint.
> > Sadly I have no idea what could be the problem.
> > I did a "net ads leave" and join but then 10 hours later the
problem
> > is there again.
> 
> This is undoubtedly a Kerberos problem, but apart for the slight
> problems I mentioned above, there doesn't seem to be much wrong.
OK. Thank you for this verification.
> You could check the time between the Client and DC, also check that the
> clients first nameserver is the DC.
I did this an they all run NTP and the clocks are accurate.
> If it is a Samba problem then you have little or no chance of getting
> it fixed, your version of Samba is EOL as far as Samba is concerned.
> You could consider using Louis Van Belle's repo from here:
> 
> http://apt.van-belle.nl/
> 
> This will get you a much more recent Samba version.
Thanks again. I will upgrade the system and samba.

-- 
Regards

        Noël Köthe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180811/eca893e8/signature.sig>

Hello,

Am Samstag, den 11.08.2018, 16:30 +0200 schrieb Noël Köthe via samba:
> > > I did a "net ads leave" and join but then 10 hours
later the problem
> > > is there again.
> > 
> > This is undoubtedly a Kerberos problem, but apart for the slight
> > problems I mentioned above, there doesn't seem to be much wrong.
> > If it is a Samba problem then you have little or no chance of getting
> > it fixed, your version of Samba is EOL as far as Samba is concerned.
> > You could consider using Louis Van Belle's repo from here:
> > 
> > http://apt.van-belle.nl/
> > 
> > This will get you a much more recent Samba version.
> 
> Thanks again. I will upgrade the system and samba.
After the upgrade to Debian 9 stretch with samba 2:4.5.12+dfsg-2+deb9u2 
the system is running as expected and the kerberos ticket(s) is/are
renewing themselves.:)

-- 
Regards

        Noël Köthe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180813/fe6edbf2/signature.sig>

On Mon, 13 Aug 2018 12:30:25 +0200
Noël Köthe <noel.koethe at credativ.de> wrote:
> Hello,
> 
> Am Samstag, den 11.08.2018, 16:30 +0200 schrieb Noël Köthe via samba:
> 
> > > > I did a "net ads leave" and join but then 10 hours
later the
> > > > problem is there again.
> > > 
> > > This is undoubtedly a Kerberos problem, but apart for the slight
> > > problems I mentioned above, there doesn't seem to be much
wrong.
> 
> > > If it is a Samba problem then you have little or no chance of
> > > getting it fixed, your version of Samba is EOL as far as Samba is
> > > concerned. You could consider using Louis Van Belle's repo
from
> > > here:
> > > 
> > > http://apt.van-belle.nl/
> > > 
> > > This will get you a much more recent Samba version.
> > 
> > Thanks again. I will upgrade the system and samba.
> 
> After the upgrade to Debian 9 stretch with samba
> 2:4.5.12+dfsg-2+deb9u2 the system is running as expected and the
> kerberos ticket(s) is/are renewing themselves.:)
> 
Glad you have fixed your problem, but you are still using a Samba EOL
version. The Samba supported versions are 4.6.x, 4.7.x and 4.8.x, but
4.9.0 will shortly be released, at which point 4.6.x will go EOL.

Rowland