[Samba] Cannot authenticate the administrator account
Mike
1100100 at gmail.com
Thu Apr 30 08:35:08 MDT 2015
SUCCESS.........up to the point of Kerberos tickets.
((What a difference a night's sleep can do for logic neurons.))
Everything works with the provisioning now except for Kerberos.
The setup follows and ends with the kinit, klist, and kvno errors/failures:
[root@dc1 ~]# hostname -f
dc1.internal.example.com
[root@dc1 ~]# hostname -s
dc1
[root@dc1 ~]# hostname -d
internal.example.com
[root@dc1 ~]# hostnamectl status
Static hostname: dc1.internal.example.com
Icon name: computer-server
Chassis: server
Machine ID: 57ccaldjfre9tuq34uadl5fjgq9823uadog
Boot ID: f4c1eqa9e8rt709q23y849tyqghlkqdhfg9
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-229.1.2.el7.x86_64
Architecture: x86_64
[root@dc1 ~]# cat /etc/resolv.conf
domain internal.example.com
search internal.example.com
nameserver 10.10.1.225
[root@dc1 ~]# cat /etc/hosts
127.0.0.1 dc1.internal.example.com dc1
127.0.0.1 localhost
10.10.1.225 dc1.internal.example.com dc1
[root@dc1 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = INTERNAL
realm = INTERNAL.EXAMPLE.COM
netbios name = dc1
interfaces = lo, eno1
bind interfaces only = Yes
server role = active directory domain controller
dns forwarder = 75.75.76.76
idmap_ldb:use rfc2307 = yes
[root@dc1 ~]# smbclient //internal.example.com/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[INTERNAL] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
. D 0 Thu Apr 30 09:36:14 2015
.. D 0 Thu Apr 30 09:36:20 2015
51175 blocks of size 1048576. 48360 blocks available
[root@dc1 ~]# host -t SRV _ldap._tcp.internal.example.com.
_ldap._tcp.internal.example.com has SRV record 0 100 389 dc1.internal.example.com.
[root@dc1 ~]# host -t SRV _kerberos._udp.internal.example.com.
_kerberos._udp.internal.example.com has SRV record 0 100 88 dc1.internal.example.com.
[root@dc1 ~]# host -t A dc1.internal.example.com.
dc1.internal.example.com has address 10.10.1.225
[root@dc1 ~]#
[root@dc1 ~]# kinit administrator@INTERNAL.EXAMPLE.COM
Password for administrator@INTERNAL.EXAMPLE.COM:
kinit: Preauthentication failed while getting initial credentials
[root@dc1 ~]# cat /etc/krb5.conf
[libdefaults]
default_realm = INTERNAL.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[root@dc1 ~]# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
[root@dc1 ~]#
[root@dc1 ~]# kvno administrator@INTERNAL.EXAMPLE.COM
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client principal name
[root@dc1 ~]#