kerberos_kinit_password Preauthentication failed
Herb Lewis
hlewis at panasas.com
Tue Jan 20 18:52:39 GMT 2009
After doing a domain join with samba 3.2.4 I sometimes get this
error on net ads testjoin and wbinfo -t will fail with
NT_STATUS_ACCESS_DENIED. After some period of time (seems to
vary) things will start working. I noticed on wireshark that
there were several kerberos commands (AS-REQ) that were returning
the error KRB5KDC_ERR_PREAUTH_REQUIRED as well as a bunch of the
same commands that returned without error. I noticed from the
trace that all the ones that worked had a field called
padata: PA_ENC_TIMESTAMP
just before teh KDC_REQ_BODY. The only thing I could see that was
different in the failing ones was that it lacked this padata field.
Is this what is causing the preauthentication failures in the
testjoin? Where do I look to find where these packets are sent
from samba? Is this something that has been fixed in a later version
of samba so I should just upgrade and not bother looking? I'm
linking with heimdal 0.7.2, do I need to upgrade that?
More information about the samba-technical
mailing list