kerberos_kinit_password Preauthentication failed

Herb Lewis hlewis at panasas.com
Thu Nov 13 22:12:29 GMT 2008


OK I found where the problem was. If you specified a Domain
controller when you joined, it may not be the same DC that is
first in the list returned by get_dc_list and hence the first
in the list in the krb5.conf file created by winbindd. This
causes authentication requests to go to a different machine
than the one you used to join the domain. Until the KDCs sync,
which I observed could take from 3 to 5 minutes in my setup,
you get wbinfo -t failing with ACCESS_DENIED and the kerb
errors in the log. The included patch fixes this for me by
always adding the specified password servers to the beginning
of the list returned by get_dc_list.

Gerald (Jerry) Carter wrote:
> Herb Lewis wrote:
> 
>>I sometimes get this error after a net ads join. wbinfo -t will
>>fail with NT_STATUS_ACCESS_DENIED, and net ads testjoin will
>>return that error but say the join is OK. If I rejoin the domain
>>(or I think sometimes if I just wait long enough - several minutes)
>>wbinfo -t will then work. It all seems to be related to what KDC
>>is listed first in the krb5.conf file but I'm not positive.
>>
>>What causes this error? Is it just something to do with the sync
>>time between the various KDCs in the domain?
> 
> 
> Yup.  What release are you working with?  This was tested pretty
> heavily in the v3-0 code.  I haven't had a chance to do the same
> testing since libnet was introduced for the domain join process
> in v3-2.
> 
diff --git a/source/libsmb/namequery.c b/source/libsmb/namequery.c
index 24d7ee1..1019b70 100644
--- a/source/libsmb/namequery.c
+++ b/source/libsmb/namequery.c
@@ -1883,11 +1883,10 @@ static NTSTATUS get_dc_list(const char *domain,
 	saf_servername = saf_fetch( domain);
 
 	if (strequal(domain, lp_workgroup()) || strequal(domain, lp_realm())) {
-		pserver = talloc_asprintf(NULL, "%s, %s",
-			saf_servername ? saf_servername : "",
-			lp_passwordserver());
+		pserver = talloc_asprintf(NULL, "%s, %s", lp_passwordserver(),
+			saf_servername ? saf_servername : "");
 	} else {
-		pserver = talloc_asprintf(NULL, "%s, *",
+		pserver = talloc_asprintf(NULL, "%s, %s, *", lp_passwordserver(),
 			saf_servername ? saf_servername : "");
 	}
 
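Review bot: the else branch now also prepends lp_passwordserver() for domains other than the local workgroup/realm (`pserver = talloc_asprintf(NULL, "%s, %s, *", lp_passwordserver(),`), which goes beyond the ordering fix described in the mail: the password server setting names DCs of the machine's own domain, so for a trusted domain those hosts are now tried before that domain's SAF server and the `*` fallback. Consider leaving the else branch as it was and limiting the prepend to the first branch. Also, when lp_passwordserver() returns an empty string the new format strings yield lists beginning with ", " (", , *" in the else branch); the old code could already emit an empty token for a NULL saf_servername, so confirm the parser that consumes pserver skips empty entries rather than treating one as a server name.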


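A check that follows from Herb's diagnosis, added here as an example (not code from the post or from Samba): parse the [realms] block of a krb5.conf and report whether the DC handed to net ads join is the first kdc listed for the realm, which is the one winbindd's Kerberos requests will hit first. The krb5.conf text, realm and host names below are constructed for the example.

```python
import re

# Constructed sample of a krb5.conf in the shape winbindd writes (not from the post).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc2.example.com
        kdc = dc1.example.com
        admin_server = dc2.example.com
    }
    OTHER.COM = {
        kdc = kdc.other.com
    }
"""


def kdc_order(conf_text, realm):
    """Return the kdc entries for `realm` from the [realms] section, in file order."""
    kdcs = []
    section = None        # name of the current [section]
    current_realm = None  # realm whose { ... } block we are inside, if any
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, current_realm = m.group(1), None
            continue
        if section != 'realms':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)  # "REALM = {" opens a realm block
        if m:
            current_realm = m.group(1)
            continue
        if line == '}':                          # end of the realm block
            current_realm = None
            continue
        m = re.match(r'^kdc\s*=\s*(\S+)', line)
        if m and current_realm == realm:
            kdcs.append(m.group(1).lower())
    return kdcs


def join_dc_is_first(conf_text, realm, join_dc):
    """True when the DC used for 'net ads join' is the first kdc listed for the realm."""
    kdcs = kdc_order(conf_text, realm)
    return bool(kdcs) and kdcs[0] == join_dc.lower()
```

A False result while the DCs are still replicating matches the window Herb describes, where wbinfo -t fails with ACCESS_DENIED until the first-listed KDC has the new machine account.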