kerberos_kinit_password Preauthentication failed

Gerald (Jerry) Carter jerry at samba.org
Mon Nov 17 17:20:31 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Herb Lewis wrote:
> OK I found where the problem was. If you specified a Domain
> controller when you joined, it may not be the same DC that is
> first in the list returned by get_dc_list and hence the first
> in the list in the krb5.conf file created by winbindd. This
> causes authentication requests to go to a different machine
> than the one you used to join the domain. Until the kdc's sync
> which I observed could take from 3 to 5 minutes in my setup
> you get wbinfo -t failing with ACCESS_DENIED and the kerb
> errors in the log. The included patch fixes this for me by
> always adding the specified password servers to the beginning
> of the list returned by get_dc_list.


Herb,  I think your change really masks the actual bug.  The
Server Affinity cache should point to the DC that was most recently
successfully communicated with.    Why is that different that the
"password server" you defined.  And for that matter, why are you
using the "password server" parameter at all?





cheers, jerry
- --
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJIaffIR7qMdg1EfYRAoLjAJ0X9o9k4KEHD7FVJsPvYtFG4HxILACfa66t
ReY3UVBLsy2Tnlz6UbobLQ4=
=yxop
-----END PGP SIGNATURE-----


More information about the samba-technical mailing list