kerberos_kinit_password Preauthentication failed
Gerald (Jerry) Carter
jerry at samba.org
Tue Jan 20 19:00:13 GMT 2009
Herb Lewis wrote:
> After doing a domain join with samba 3.2.4 I sometimes get this
> error on net ads testjoin and wbinfo -t will fail with
> NT_STATUS_ACCESS_DENIED. After some period of time (seems to
> vary) things will start working. I noticed on wireshark that
> there were several kerberos commands (AS-REQ) that were returning
> the error KRB5KDC_ERR_PREAUTH_REQUIRED as well as a bunch of the
> same commands that returned without error. I noticed from the
> trace that all the ones that worked had a field called
> padata: PA_ENC_TIMESTAMP
> just before the KDC_REQ_BODY. The only thing I could see that was
> different in the failing ones was that it lacked this padata field.
> Is this what is causing the preauthentication failures in the
> testjoin? Where do I look to find where these packets are sent
> from samba? Is this something that has been fixed in a later version
> of samba so I should just upgrade and not bother looking? I'm
> linking with heimdal 0.7.2, do I need to upgrade that?
Both heimdal and MIT (IIRC) always try to obtain a TGT without
including the authenticator in the AS_REQ initially. The KDC
sends back an error and tells it to try again. All is happy.
The traffic you are describing is normal.
The wbinfo -t failure would imply that Winbind is not using the
same DC as it did for the join (as wbinfo -t sets up the machine
credentials chain on the NetLogon pipe).
This all should be fine. Are you removing any tdbs or files
between the join and the wbinfo -t ?
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewise.com
"What man is a man who does not make the world better?" --Balian
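The exchange described in the reply above, as an added example that is not part of the original message or of Samba: a small classifier that separates the normal AS-REQ / KDC_ERR_PREAUTH_REQUIRED / retry sequence from a real pre-authentication failure. The records and principal names are constructed, and correlating by client principal is an assumption made for the sketch; the numeric constants are the RFC 4120 values.

```python
# Added example with constructed data; not taken from the thread's capture.
from collections import defaultdict

AS_REQ, AS_REP, KRB_ERROR = 10, 11, 30   # RFC 4120 message types
PA_ENC_TIMESTAMP = 2                     # RFC 4120 pre-authentication data type
KDC_ERR_PREAUTH_FAILED = 24              # timestamp did not decrypt/validate
KDC_ERR_PREAUTH_REQUIRED = 25            # KDC asks the client to retry with padata

# Constructed records: (client principal, message type, padata list or error code)
SAMPLE = [
    ("HOSTA$@EXAMPLE.TEST", AS_REQ, []),
    ("HOSTA$@EXAMPLE.TEST", KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED),
    ("HOSTA$@EXAMPLE.TEST", AS_REQ, [PA_ENC_TIMESTAMP]),
    ("HOSTA$@EXAMPLE.TEST", AS_REP, None),
    ("HOSTB$@EXAMPLE.TEST", AS_REQ, []),
    ("HOSTB$@EXAMPLE.TEST", KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED),
    ("HOSTB$@EXAMPLE.TEST", AS_REQ, [PA_ENC_TIMESTAMP]),
    ("HOSTB$@EXAMPLE.TEST", KRB_ERROR, KDC_ERR_PREAUTH_FAILED),
    ("HOSTC$@EXAMPLE.TEST", AS_REQ, []),
    ("HOSTC$@EXAMPLE.TEST", KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED),
]

def classify(events):
    """Return {principal: [verdict, ...]}, one verdict per finished AS exchange."""
    state = {}                      # principal -> (last step, was challenged)
    verdicts = defaultdict(list)
    for principal, msg_type, detail in events:
        last, challenged = state.get(principal, (None, False))
        if msg_type == AS_REQ:
            step = "preauth" if PA_ENC_TIMESTAMP in detail else "bare"
            state[principal] = (step, challenged)
        elif (msg_type == KRB_ERROR and detail == KDC_ERR_PREAUTH_REQUIRED
              and last == "bare"):
            state[principal] = ("challenged", True)   # expected first round trip
        elif msg_type == KRB_ERROR:
            failed = detail == KDC_ERR_PREAUTH_FAILED
            verdicts[principal].append(
                "preauth_failed" if failed else f"kdc_error_{detail}")
            state.pop(principal, None)
        elif msg_type == AS_REP:
            verdicts[principal].append(
                "tgt_issued_after_challenge" if challenged else "tgt_issued")
            state.pop(principal, None)
    for principal, (last, _) in state.items():
        if last == "challenged":    # KDC asked for padata, client never retried
            verdicts[principal].append("challenged_no_retry")
    return dict(verdicts)

if __name__ == "__main__":
    for principal, result in classify(SAMPLE).items():
        print(principal, result)
```

Only the `preauth_failed` and `challenged_no_retry` verdicts merit a closer look; a KDC_ERR_PREAUTH_REQUIRED followed by a successful retry is the routine pattern the reply describes.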