[Samba] ads_kinit_password failed: Preauthentication failed
Lachlan Pollock
lachlan.pollock at unimelb.edu.au
Fri Sep 1 07:38:01 GMT 2006
Hi,
I have compiled samba 3.0.23b (MIT Kerberos 1.5.1) on Solaris 10.
I am unable to join the ads domain.
net ads testjoin returns the following output...
[2006/09/01 17:25:17, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password ARTEMISIA$@UNIMELB.EDU.AU failed: Preauthentication failed
[2006/09/01 17:25:17, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password ARTEMISIA$@UNIMELB.EDU.AU failed: Preauthentication failed
[2006/09/01 17:25:17, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Preauthentication failed
Join to domain is not valid
I have what looks like a valid ticket in klist...
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <username>@UNIMELB.EDU.AU
Valid starting    Expires           Service principal
01/09/2006 14:00  02/09/2006 00:00  krbtgt/UNIMELB.EDU.AU@UNIMELB.EDU.AU
        renew until 08/09/2006 14:00
01/09/2006 14:39  02/09/2006 00:00  cres-dc1$@UNIMELB.EDU.AU
        renew until 08/09/2006 14:00
01/09/2006 17:06  02/09/2006 00:00  dc25$@UNIMELB.EDU.AU
        renew until 08/09/2006 14:00
My krb5.conf maps the realm as follows...
[libdefaults]
    default_realm = UNIMELB.EDU.AU
#   dns_lookup_realm = false
#   dns_lookup_kdc = false
[realms]
    UNIMELB.EDU.AU = {
        kdc = adk1.unimelb.edu.au:88
        kdc = adk2.unimelb.edu.au:88
        default_domain = unimelb.edu.au
    }
[domain_realm]
    .unimelb.edu.au = UNIMELB.EDU.AU
    unimelb.edu.au = UNIMELB.EDU.AU
[logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
        period = 1d
        versions = 10
    }
[kdc]
    profile = /etc/krb5/kdc.conf
[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
    kinit = {
        renewable = true
        forwardable= true
    }
    gkadmin = {
        help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
    }
and my smb.conf is...
[global]
    workgroup = UNIMELB
    server string = 'new potter'
    netbios name = ARTEMISIA
    hosts allow = 127. 128.250.
    security = ADS
    realm = UNIMELB.EDU.AU
    local master = no
    domain master = no
    use kerberos keytab = yes
    wins server = 128.250.144.64
    password server = dc25.unimelb.edu.au
    idmap uid = 1000-29999
    idmap gid = 1000-29999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/false
    client use spnego = yes
My DNS domain is different from the AD domain.
The computer account is newly created and exists before I testjoin.
If I ignore the error and try to join, the AD computer account becomes
disabled.
I have debug level 10 logs available.
Thanks in advance for any assistance.
Cheers
Lachlan
--
*************************************************************
Lachlan Pollock mailto:lachlan.pollock at unimelb.edu.au
Systems Administrator, ArtsIT, Faculty of Arts
University of Melbourne, Victoria 3010, AUSTRALIA
*************************************************************