
[Samba] kerberos_kinit_password failed: Preauthentication failed


Carlos A. P. Cunha via samba
Jan 8, 2017, 1:50:02 PM
Hello!
I am getting these messages in syslog:

Kerberos_kinit_password SERVER$@<MY-DOMAIN> failed: Preauthentication failed

Because of this my winbind is not working, so I need to restart the winbind
cache (net cache flush); this is happening every 24 hours.

Any idea?

Server:
Ubuntu 14.04.3 LTS
Version 4.4.4

Client:
Ubuntu 16.04.1 LTS
Version 4.3.11-Ubuntu



Thanks


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba
Jan 8, 2017, 2:20:02 PM
On Sun, 8 Jan 2017 16:38:37 -0200
"Carlos A. P. Cunha via samba" <sa...@lists.samba.org> wrote:

> Hello!
> I am having these messages in syslog
>
> Kerberos_kinit_password SERVER$@<MY-DOMAIN> failed: Preauthentication
> failed
>
> With this, my winbind is not working, so I need to restart winbind
> cache (net cache flush), this is happening every 24 hours.
>
> Any idea ?
>
> Server:
> Ubuntu 14.04.3 LTS
> Version 4.4.4
>
> Client:
> Ubuntu 16.04.1 LTS
> Version 4.3.11-Ubuntu
>
>
>
> Thanks
>
>

Can you post your smb.conf files?

Rowland

Carlos A. P. Cunha via samba
Jan 8, 2017, 5:10:02 PM
Hello!

My smb.conf

[global]
workgroup = <DOMAIN>
realm = <SUBDOMAIN.DOMAIN.COM.BR>

security = ADS
idmap config * : backend = rid
idmap config * : range = 100000-999999

client schannel = no
allow trusted domains = yes
winbind use default domain = yes
winbind refresh tickets = Yes
winbind offline logon = no
winbind cache time = 60
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

.....

[SHARE]

.......

Thanks

Rowland Penny via samba
Jan 8, 2017, 5:40:03 PM
On Sun, 8 Jan 2017 20:04:41 -0200
"Carlos A. P. Cunha" <carlos...@gmail.com> wrote:

> Hello!
>
> My smb.conf
>
> [global]
> workgroup = <DOMAIN>
> realm = <SUBDOMAIN.DOMAIN.COM.BR>
>
> security = ADS
> idmap config * : backend = rid
> idmap config * : range = 100000-999999
>
> client schannel = no
> allow trusted domains = yes
> winbind use default domain = yes
> winbind refresh tickets = Yes
> winbind offline logon = no
> winbind cache time = 60
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
> template homedir = /home/%U
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>

OK, are you using sssd? If you are, this isn't a Samba problem. Or are
you trying to run the Samba AD DC as a subdomain of another domain? If
you are, sorry, but it doesn't (yet) work.

Carlos A. P. Cunha via samba
Jan 9, 2017, 6:10:02 AM
Hello!
I do not use sssd, I use winbind.
When I mentioned the workgroup and realm lines, they are actually like this
(for example):

Workgroup = INTRNAL
Realm = INTERNAL.TESTE.COM.BR

I do not know if that was what caused the confusion ....

Thanks

Rowland Penny via samba
Jan 9, 2017, 6:30:03 AM
On Mon, 9 Jan 2017 08:59:40 -0200
"Carlos A. P. Cunha" <carlos...@gmail.com> wrote:

> Hello!
> I do not use sssd use winbind.
> When I mentioned in the lines workgroup and realm, they are like this
> (for example)
>
> Workgroup = INTRNAL
> Realm = INTERNAL.TESTE.COM.BR
>
> I do not know if that was what caused the confusion ....
>

Yes it was. If you are going to sanitize smb.conf (or anything), please
use the same thing everywhere ;-)

Your 'idmap config' set up is entirely wrong: you should use 'tdb' for
the '*' domain, and you should also have a separate range for the
'INTERNAL' domain, i.e. you should have lines similar to these:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config INTERNAL : backend = rid
idmap config INTERNAL : range = 10000-999999

Carlos A. P. Cunha via samba
Jan 9, 2017, 7:30:03 AM
Rowland

I'm guessing I was wrong, but my fear now is that if I change this setting,
my UIDs / GIDs change and access to the shares stops.
Is this going to happen?

But, just to be sure, would that affect my problem, since it seems to
be something with Kerberos?

Thanks

Rowland Penny via samba
Jan 9, 2017, 8:00:02 AM
On Mon, 9 Jan 2017 10:17:48 -0200
"Carlos A. P. Cunha" <carlos...@gmail.com> wrote:

> Rowland
>
> I'm guessing I was wrong, but my fear now is that I change this
> setting, change my UID / GID, and stop sharing accesses.
> Is this going to happen?

It really should only affect the well-known SIDs etc.; it shouldn't
affect your users & groups, but it might. This is no reason not to fix
it.

>
> But by the very doubt, would that affect my problem, since it seems
> to be something with kerberos?

It seems as if your Kerberos ticket is expiring, so if winbind isn't
set up correctly, this could be the cause of it not being renewed. The
only other difference between your smb.conf and mine is that I also
have these two lines:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
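
As an added example (not from this thread or from Samba), a small Python checker for a domain member's [global] section that reports the points raised above: the '*' idmap domain should use tdb with its own range, that range must not overlap the named domain's rid range, the named domain needs its own idmap config, and the two keytab lines should be present. The sample smb.conf is constructed from the poster's sanitized config, with the workgroup assumed to be INTERNAL.

```python
import re
# Constructed sample: the poster's sanitized [global] section; workgroup assumed INTERNAL.
POSTER_CONF = """[global]
workgroup = INTERNAL
realm = INTERNAL.TESTE.COM.BR
security = ADS
idmap config * : backend = rid
idmap config * : range = 100000-999999
"""
# Accepts both spellings in the thread: 'idmap config * : backend' and 'idmap config *:backend'.
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)$", re.I)

def parse_global(text):
    """Split the [global] section into plain params and per-domain idmap settings."""
    params, idmap, in_global = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        m = IDMAP_RE.match(line) if in_global else None
        if m:
            idmap.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
        elif in_global and "=" in line:
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params, idmap

def check(text):
    """Return a list of findings; an empty list means the config passes these checks."""
    params, idmap = parse_global(text)
    findings = []
    if idmap.get("*", {}).get("backend", "").lower() != "tdb":
        findings.append("idmap config * : backend should be tdb")
    if (wg := params.get("workgroup", "").upper()) and wg not in idmap:
        findings.append(f"missing idmap config for domain {wg}")
    ranges = {d: tuple(map(int, c["range"].split("-"))) for d, c in idmap.items() if "range" in c}
    doms = sorted(ranges)
    for i, a in enumerate(doms):          # every range must be disjoint from every other
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    if params.get("kerberos method", "").lower() != "secrets and keytab":
        findings.append("set 'kerberos method = secrets and keytab'")
    if "dedicated keytab file" not in params:
        findings.append("set 'dedicated keytab file = /etc/krb5.keytab'")
    return findings
```

Running check(POSTER_CONF) lists the four findings; the same config with the tdb/rid lines and the two keytab lines added returns an empty list.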

Carlos A. P. Cunha via samba
Jan 9, 2017, 9:00:03 AM
Okay, my /etc/krb5.conf

[libdefaults]
default_realm = INTERNAL.TESTE.COM.BR
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

-------------------

klist now:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admini...@INTERNAL.TESTE.COM.BR

Valid starting       Expires              Service principal
06/01/2017 09:05:22  06/01/2017 19:05:22  krbtgt/INTERNAL.T...@INTERNAL.TESTE.COM.BR
        renew until 07/01/2017 09:05:21
06/01/2017 09:37:24  06/01/2017 19:05:22  ldap/server.internal.teste,com...@INTERNAL.TESTE.COM.BR


-------------------

I do not have the file /etc/krb5.keytab (find doesn't find it).


The server was implemented in October 2016, it went 2 months without
problems, and this started last Thursday .... No changes on the DC server.
:-|

Rowland Penny via samba
Jan 9, 2017, 9:40:03 AM
On Mon, 9 Jan 2017 11:53:27 -0200
"Carlos A. P. Cunha" <carlos...@gmail.com> wrote:

> Okay, my /etc/krb5.conf
>
> [libdefaults]
> default_realm =INTERNAL.TESTE.COM.BR
> dns_lookup_realm = false
> dns_lookup_kdc = true

You only need the top three lines.

> ticket_lifetime = 24h
> forwardable = yes
>
> -------------------
>
> klist now
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admini...@INTERNAL.TESTE.COM.BR
>
>
> Valid starting Expires Service principal
> 06/01/2017 09:05:22 06/01/2017 19:05:22
> krbtgt/INTERNAL.T...@INTERNAL.TESTE.COM.BR renew until
> 07/01/2017 09:05:21
> 06/01/2017 09:37:24 06/01/2017 19:05:22
> ldap/server.internal.teste,com...@INTERNAL.TESTE.COM.BR
>

That is the root/Administrator cache, the machine cache is in memory.

>
> -------------------
>
> I do not have this file /etc/krb5.keytab(find dont search)

That is because you do not have the two lines in smb.conf; if you had
had them when you joined the domain member to the domain, it would have
been created. Try 'net leave -Uadministrator', then 'net join
-Uadministrator'; this should create it (after you have added the lines
to smb.conf). You will also have to stop the Samba binaries 'nmbd',
'smbd' and 'winbindd'.

Carlos A. P. Cunha via samba
Jan 9, 2017, 10:00:03 AM
Hello!

Added the 2 lines, and the join to the domain (after leaving first) was OK.
I'll follow up on whether that solved my problem ...
For now, thanks.

Carlos A. P. Cunha via samba
Jan 9, 2017, 10:10:03 AM
But I still have a question: why does this problem appear only now ....
Any idea what, after almost 3 months, could cause this?

Rowland Penny via samba
Jan 9, 2017, 10:30:03 AM
On Mon, 9 Jan 2017 12:58:58 -0200
"Carlos A. P. Cunha" <carlos...@gmail.com> wrote:

> But I still have a question, why only now has this problem ....
> Theses idea of what to give of almost 3 Months could cause this?
>
>

Has something changed?
Have you run any updates?

I am not running your systems, so I cannot really say why it has
started being a problem. All I can do is point out potential areas of
concern, based on the way I set up my Samba domain members, where I have
never had the problem you are having.