From: Gerald (Jerry) Carter on 1 Sep 2006 09:40

Aaron,

> Try these settings to help:
>
> client use spnego = no
> server signing = auto
> client signing = auto
>
> Let me know if it works.

"Preauth failed" indicates a bad machine password.
So this really wouldn't be affected by any SMB signing
settings. Why do you recommend disabling SPNEGO in
the client code?

My guess is that there are multiple DCs and we are
dealing with a period of inconsistency between DCs.

cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

From: Aaron Kincer on 1 Sep 2006 09:50

(forgot to reply all)

Gerald (Jerry) Carter wrote:
> Why do you recommend disabling SPNEGO in
> the client code?

Because of known and/or suspected compatibility issues with Windows 2003
Server SP1 and Windows 2000 Server security rollups.

http://kbase.redhat.com/faq/FAQ_85_5515.shtm
http://kbase.redhat.com/faq/FAQ_71_5787.shtm

Mind you this is just Red Hat's documented issues that may or may not
translate to other systems. I had to do it in order to get my Samba
server to complete authentication with an Active Directory domain
running on Windows 2003 Server SP1 in native mode. Your mileage may vary.

Aaron Kincer

From: Aaron Kincer on 1 Sep 2006 10:10

Jerry, not enough coffee yet. I see your point. Lachlan is having
trouble with the *Server* authenticating to the domain. I was talking
about *Client* authentication.

Lachlan, I had similar problems and also had to do these steps:

1) Delete the computer account for the server in Active Directory
2) Recreate the computer account for the server
3) Rejoin the domain

You could probably achieve the same with just resetting the computer
account.

Aaron Kincer

Gerald (Jerry) Carter wrote:
> Aaron,
>
>> Try these settings to help:
>>
>> client use spnego = no
>> server signing = auto
>> client signing = auto
>>
>> Let me know if it works.
>
> "Preauth failed" indicates a bad machine password.
> So this really wouldn't be affected by any SMB signing
> settings. Why do you recommend disabling SPNEGO in
> the client code?
>
> My guess is that there are multiple DCs and we are
> dealing with a period of inconsistency between DCs.
>
> cheers, jerry
> =====================================================================
> Samba ------- http://www.samba.org
> Centeris ----------- http://www.centeris.com
> "What man is a man who does not make the world better?" --Balian

From: Lachlan Pollock on 3 Sep 2006 21:00

Hi,

Thanks for the replies. I hope this reply ends in the right thread.
and I am sorry to Markus for hijacking your previous thread.

I have updated to version 3.0.23c, but the problem remains.

Thanks for the suggestions Aaron, I am running ntp. The DC's are running
something similar. We are all synchronised off the same time servers.

Gerald (Jerry) Carter wrote...
>My guess is that there are multiple DCs and we are
>dealing with a period of inconsistency between DCs.

There are 7 DC's in the domain. Local DC's synchronise every 5 minutes,
but 4 of the DC's are on slower WAN links and only synchronise overnight.
(I am not sure what the collective noun for these things are)
My 'password server' host is the preferred DC.

Here is one attempt from net ads testjoin -d 10...

[2006/09/04 10:42:00, 6] libads/ldap.c:ads_find_dc(224)
  ads_find_dc: looking for realm 'UNIMELB.EDU.AU'
[2006/09/04 10:42:00, 8] libsmb/namequery.c:get_sorted_dc_list(1551)
  get_sorted_dc_list: attempting lookup using [ads]
[2006/09/04 10:42:00, 10] lib/gencache.c:gencache_get(312)
  Cache entry with key = SAF/DOMAIN/UNIMELB.EDU.AU couldn't be found
[2006/09/04 10:42:00, 5] libsmb/namequery.c:saf_fetch(105)
  saf_fetch: failed to find server for "UNIMELB.EDU.AU" domain
[2006/09/04 10:42:00, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", dc25.unimelb.edu.au"
[2006/09/04 10:42:00, 10] libsmb/namequery.c:internal_resolve_name(1132)
  internal_resolve_name: looking up dc25.unimelb.edu.au#20
[2006/09/04 10:42:00, 10] lib/gencache.c:gencache_get(287)
  Returning valid cache entry: key = NBT/DC25.UNIMELB.EDU.AU#20, value = 128.250.6.95:0, timeout = Mon Sep 4 10:52:34 2006
[2006/09/04 10:42:00, 5] libsmb/namecache.c:namecache_fetch(201)
  name dc25.unimelb.edu.au#20 found.
[2006/09/04 10:42:00, 10] libsmb/namequery.c:remove_duplicate_addrs2(408)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/09/04 10:42:00, 4] libsmb/namequery.c:get_dc_list(1529)
  get_dc_list: returning 1 ip addresses in an ordered list
[2006/09/04 10:42:00, 4] libsmb/namequery.c:get_dc_list(1530)
  get_dc_list: 128.250.6.95:389
[2006/09/04 10:42:00, 5] libads/ldap.c:ads_try_connect(127)
  ads_try_connect: sending CLDAP request to 128.250.6.95 (realm: UNIMELB.EDU.AU)
[2006/09/04 10:42:00, 10] libsmb/namequery.c:saf_store(71)
  saf_store: domain = [UNIMELB], server = [128.250.6.95], expire = [1157331420]
[2006/09/04 10:42:00, 10] lib/gencache.c:gencache_set(131)
  Adding cache entry with key = SAF/DOMAIN/UNIMELB; value = 128.250.6.95 and timeout = Mon Sep 4 10:57:00 2006 (900 seconds ahead)
[2006/09/04 10:42:00, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 128.250.6.95
[2006/09/04 10:42:00, 4] libads/ldap.c:ads_current_time(2262)
  time offset is 0 seconds
[2006/09/04 10:42:00, 4] libads/sasl.c:ads_sasl_bind(468)
  Found SASL mechanism GSS-SPNEGO
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/09/04 10:42:00, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =dc25$@UNIMELB.EDU.AU
[2006/09/04 10:42:00, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/09/04 10:42:00, 10] libads/kerberos.c:kerberos_kinit_password_ext(89)
  kerberos_kinit_password: using MEMORY:net_ads as ccache
[2006/09/04 10:42:00, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password ARTEMISIA$@UNIMELB.EDU.AU failed: Preauthentication failed
[2006/09/04 10:42:00, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Preauthentication failed
Join to domain is not valid
[2006/09/04 10:42:00, 2] utils/net.c:main(988)
  return code = -1

Cheers
Lachlan

--
*************************************************************
Lachlan Pollock mailto:lachlan.pollock at unimelb.edu.au
Systems Administrator, ArtsIT, Faculty of Arts
University of Melbourne, Victoria 3010, AUSTRALIA
*************************************************************
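
An added example, not written by anyone in this thread: a small triage script for `net ads testjoin -d 10` output like the log above. It pulls out the DC that was contacted, the reported clock offset and the kinit result, which is the evidence that separates a clock problem from the bad machine password Jerry describes. The function names and the 300-second skew limit are assumptions of this sketch.

```python
import re

# Samba debug header: [date time, level] source/file.c:function(line)
HEADER = re.compile(
    r"\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s+(\d+)\]\s+\S+?:(\w+)\(\d+\)")

def split_entries(text):
    """Return (level, function, message) per entry; works whether the
    entries are one per line or run together on a single line."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[h.end():end].split())
        entries.append((int(h.group(1)), h.group(2), message))
    return entries

def triage(text, max_skew=300):
    """Pull out the DC, clock offset and kinit result, then classify.
    max_skew=300 is the common 5-minute Kerberos default (assumption)."""
    facts = {"dc": None, "offset": None, "principal": None, "error": None}
    for _level, func, msg in split_entries(text):
        if func == "ads_connect":
            m = re.search(r"Connected to LDAP server (\S+)", msg)
            if m:
                facts["dc"] = m.group(1)
        elif func == "ads_current_time":
            m = re.search(r"time offset is (-?\d+) seconds", msg)
            if m:
                facts["offset"] = int(m.group(1))
        elif func == "ads_kinit_password":
            m = re.search(r"kerberos_kinit_password (\S+) failed: (.+)", msg)
            if m:
                facts["principal"], facts["error"] = m.group(1), m.group(2)
    in_sync = facts["offset"] is not None and abs(facts["offset"]) <= max_skew
    if facts["error"] == "Preauthentication failed" and in_sync:
        facts["verdict"] = "machine password mismatch at " + str(facts["dc"])
    elif facts["error"]:
        facts["verdict"] = "kinit failed: " + facts["error"]
    else:
        facts["verdict"] = "no kinit failure logged"
    return facts

# Four entries taken from the debug output in this thread, run together.
SAMPLE = (
    "[2006/09/04 10:42:00, 3] libads/ldap.c:ads_connect(287) Connected to LDAP server 128.250.6.95 "
    "[2006/09/04 10:42:00, 4] libads/ldap.c:ads_current_time(2262) time offset is 0 seconds "
    "[2006/09/04 10:42:00, 0] libads/kerberos.c:ads_kinit_password(208) "
    "kerberos_kinit_password ARTEMISIA$@UNIMELB.EDU.AU failed: Preauthentication failed "
    "[2006/09/04 10:42:00, 0] utils/net_ads.c:ads_startup(281) ads_connect: Preauthentication failed")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

With several DCs that replicate on different schedules, running the same check against the output for each DC shows which ones reject the current machine password.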

From: Lachlan on 5 Sep 2006 21:30

Just curious, why is this thread so broken? What did I do wrong in my post?

Lachlan wrote:
>
> Hi,
>
> Thanks for the replies. I hope this reply ends in the right thread.
> and I am sorry to Markus for hijacking your previous thread.
>
> -- snip ---
>

--
View this message in context: http://www.nabble.com/ads_kinit_password-failed%3A-Preauthentication-failed-tf2202561.html#a6163445
Sent from the Samba - General forum at Nabble.com.