kerberos_kinit_password Preauthentication failed

Herb Lewis hlewis at
Tue Jan 20 18:52:39 GMT 2009

After doing a domain join with samba 3.2.4 I sometimes get this
error on net ads testjoin and wbinfo -t will fail with
NT_STATUS_ACCESS_DENIED. After some period of time (seems to
vary) things will start working. I noticed on wireshark that
there were several kerberos commands (AS-REQ) that were returning
the error KRB5KDC_ERR_PREAUTH_REQUIRED as well as a bunch of the
same commands that returned without error. I noticed from the
trace that all the ones that worked had a field called


just before teh KDC_REQ_BODY. The only thing I could see that was
different in the failing ones was that it lacked this padata field.

Is this what is causing the preauthentication failures in the
testjoin? Where do I look to find where these packets are sent
from samba? Is this something that has been fixed in a later version
of samba so I should just upgrade and not bother looking? I'm
linking with heimdal 0.7.2, do I need to upgrade that?

More information about the samba-technical mailing list