samba3upgrade: Preauthentication failed while getting initial credentials

Adam Tauno Williams awilliam at whitemice.org
Thu Nov 10 08:26:16 MST 2011 

On Thu, 2011-11-10 at 08:31 -0500, Adam Tauno Williams wrote:
> Once the above files are installed, your Samba4 server will be ready to
> use
> Server Role:           domain controller
> Hostname:              BARBEL
> NetBIOS Domain:        BACKBONE
> DNS Domain:            micore.us
> DOMAIN SID:            S-1-5-21-2037442776-3290224752-88127236
> Admin password:        None
> Importing WINS database
> Importing Account policy
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or
> directory
> Ignoring unknown parameter "server role"
> Importing groups
> Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-514,
> groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-32-544, groupname=Administrators
> existing_groupname=Administrators, Ignoring.
> Group already exists sid=S-1-5-32-550, groupname=Print Operators
> existing_groupname=Print Operators, Ignoring.
> Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-512,
> groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> Importing users

Version 4.0.0alpha18-GIT-22ddbb5

Up till now, if I got to this point, I've always been able to "kinit
administrator at MICORE.US", but after this provisioning it is failing with
a preauthenticate error.

barbel:~/samba-master #  host -t SRV _kerberos._udp.micore.us.
_kerberos._udp.micore.us has SRV record 0 100 88 BARBEL.micore.us.
barbel:~/samba-master # host -t A barbel.micore.us.
barbel.micore.us has address 10.66.77.1
barbel:~/samba-master # kinit administrator at MICORE.US
Password for administrator at MICORE.US: 
kinit: Preauthentication failed while getting initial credentials

>From the Samba Log -

ldb: ldb_trace_next_request: (tdb)->extended
ldb: ldb_trace_next_request: (tdb)->extended
ldb: ldb_trace_next_request: (show_deleted)->search
ldb: ldb_trace_next_request: (partition)->search
ldb: ldb_trace_next_request: (tdb)->extended
ldb: partition_request() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->search
ldb: ldb_trace_response: ENTRY
dn: CN=krbtgt,CN=Users,DC=micore,DC=us
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 514
unicodePwd:: JmwCrBH0hwyRT4HppG2PJQ==
pwdLastSet: 129654113010000000
supplementalCredentials::
AAAAALgFAAAAAAAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAg
ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAI
AAgACAAIAAgACAAUAADACAA9AABAFAAcgBpAG0AYQByAHkAOgBLAGUAcgBiAGUAcgBvAHMAMDMwMD
AwMDAwMjAwMDAwMDFFMDAxRTAwNEMwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDMwMDAwMDAwODAwMDA
wMDZBMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMDAwMDAwMDgwMDAwMDA3MjAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA0RDAwNDkwMDQzMDA0RjAwNTIwMDQ1MDAyR
TAwNTUwMDUzMDA2QjAwNzIwMDYyMDA3NDAwNjcwMDc0MDBBOEIzOThCNjUyMUFFNTQwQThCMzk4Qj
Y1MjFBRTU0MBAAQAACAFAAYQBjAGsAYQBnAGUAcwA0QjAwNjUwMDcyMDA2MjAwNjUwMDcyMDA2RjA
wNzMwMDAwMDA1NzAwNDQwMDY5MDA2NzAwNjUwMDczMDA3NDAwHgDAAwEAUAByAGkAbQBhAHIAeQA6
AFcARABpAGcAZQBzAHQAMzEwMDAxMUQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA5M0I2OEFDODIzM
jA4NERFNDIyNzBERkE3QUJDRDdGNUY2NUE5QzQwNkQzMUQzQkM1MTYzNEU0MTBGRjdBMThEMENBMT
NEMEY5RjAzNDM1NTEwRUFGOUI0RkU5MTI3MEM5M0I2OEFDODIzMjA4NERFNDIyNzBERkE3QUJDRDd
GNUY2NUE5QzQwNkQzMUQzQkM1MTYzNEU0MTBGRjdBMThERENCQTEyQTk0MTlGRTgwMkZCOEY0MjU1
NTA1ODk4RTg5M0I2OEFDODIzMjA4NERFNDIyNzBERkE3QUJDRDdGNTg5QTlEQTQ4Njk5NEMxNTY5O
EM3MDA3NzJGNjNERkMxODlBOURBNDg2OTk0QzE1Njk4QzcwMDc3MkY2M0RGQzE2QjE3MTAzMTNFRU
Q4OTkwMjU0MThBREQ5Q0Y0Mjc4RDU4Q0NGNTExMTczMzhGNDZFQTM0Njk4MTRCNTk4N0ZCODlBOUR
BNDg2OTk0QzE1Njk4QzcwMDc3MkY2M0RGQzFFNEQyRDQ0QTJGMjJDQjBFNzAxRDBEODdGRUI2QjY2
QzU4Q0NGNTExMTczMzhGNDZFQTM0Njk4MTRCNTk4N0ZCNzExMEQ5REY2OTBERTU0MDg4MjAzODg3M
zhDNzgyRTk3MTEwRDlERjY5MERFNTQwODgyMDM4ODczOEM3ODJFOTA0MUI3NUI1QjE3RkRCNTk5Nj
VDNEVBQ0Q5MUU0OTBFQkI4M0Y3MTdGRkZDQkI4QUFGRjQ0MUQ5Rjc2Q0I0Q0VDMDI1RjA4NThGM0E
5NkJDRUU4NjIzQzdCQTNDQ0JFNTEzNzU0RDcwQThDN0VGRUI3MDMwQ0VDRDQ2MDQ1N0U0NUVDRUYx
NDI4N0YyRjc4MkIxOTFBQjFBQzZCRDEyQ0U1RUNFRjE0Mjg3RjJGNzgyQjE5MUFCMUFDNkJEMTJDR
TIyNzVFRjM0RENBOTdFMEFDNUYxRUQ5ODcxREQ0M0QzM0IwQ0ZDQ0JEMzIwREY0NkVEQzA1MkNGM0
I2MkNFQTgzQjBDRkNDQkQzMjBERjQ2RURDMDUyQ0YzQjYyQ0VBOEIwMDIzQzlCQzBEMjMyNjkyOUQ
3MzQ5RDgzNjlDODM0ODVENjc1MkNFNURCNEEzMTk3NkU4RTg0NjcyOERBRDc3OTUyRTI5QTJCMzU0
MDA5NUNEMjQ1NUE1OUFCQzM2MTI3NzA5Q0YzNUE4MDdFNzQ2REVBNkFEREJEQjBGNkZBAA==
objectSid: S-1-5-21-2037442776-3290224752-88127236-502
accountExpires: 9223372036854775807
sAMAccountName: krbtgt
servicePrincipalName: kadmin/changepw
msDS-KeyVersionNumber: 1

ldb: ldb_trace_response: DONE
error: 0

Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- administrator at MICORE.US
Kerberos: Looking for ENC-TS pa-data -- administrator at MICORE.US
Kerberos: Failed to decrypt PA-DATA -- administrator at MICORE.US (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- administrator at MICORE.US
ldb: ldb_trace_request: SEARCH
 dn: DC=micore,DC=us
 scope: base
 expr: (|(objectClass=*)(distinguishedName=*))
 attr: repsTo
 control: <NONE>

More information about the samba-technical mailing list