kerberos_kinit_password Preauthentication failed

Gerald (Jerry) Carter jerry at
Tue Jan 20 19:00:13 GMT 2009

Hash: SHA1

Herb Lewis wrote:
> After doing a domain join with samba 3.2.4 I sometimes get this
> error on net ads testjoin and wbinfo -t will fail with
> NT_STATUS_ACCESS_DENIED. After some period of time (seems to
> vary) things will start working. I noticed on wireshark that
> there were several kerberos commands (AS-REQ) that were returning
> the error KRB5KDC_ERR_PREAUTH_REQUIRED as well as a bunch of the
> same commands that returned without error. I noticed from the
> trace that all the ones that worked had a field called
> just before teh KDC_REQ_BODY. The only thing I could see that was
> different in the failing ones was that it lacked this padata field.
> Is this what is causing the preauthentication failures in the
> testjoin? Where do I look to find where these packets are sent
> from samba? Is this something that has been fixed in a later version
> of samba so I should just upgrade and not bother looking? I'm
> linking with heimdal 0.7.2, do I need to upgrade that?

Both heimdal and MIT (IIRC) always try to obtain a TGT without
includeing the authenticator in the AS_REQ initially.  The KDC
sends back an error and tells it to try again.  All is happy.
The traffic you are describing is normal.

The wbinfo -t failure would imply that Winbind is not using the
same DC as it did for the join (as wbinfo -t sets up the machine
credentials chain on the NetLogon pipe).

This all should be fine.  Are you removing any tdbs or files
between the join and the wbinfo -t ?

cheers, jerry
- --
Samba                                    -------
Likewise Software                  ---------
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


More information about the samba-technical mailing list