samba3upgrade: Preauthentication failed while getting initial credentials

Adam Tauno Williams awilliam at whitemice.org
Thu Nov 10 09:23:48 MST 2011


On Thu, 2011-11-10 at 10:26 -0500, Adam Tauno Williams wrote:
> On Thu, 2011-11-10 at 08:31 -0500, Adam Tauno Williams wrote:
> > Once the above files are installed, your Samba4 server will be ready to use
> > Server Role:           domain controller
> > Hostname:              BARBEL
> > NetBIOS Domain:        BACKBONE
> > DNS Domain:            micore.us
> > DOMAIN SID:            S-1-5-21-2037442776-3290224752-88127236
> > Admin password:        None
> > Importing WINS database
> > Importing Account policy
> > Importing idmap database
> > Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> > Ignoring unknown parameter "server role"
> > Importing groups
> > Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> > Group already exists sid=S-1-5-32-544, groupname=Administrators existing_groupname=Administrators, Ignoring.
> > Group already exists sid=S-1-5-32-550, groupname=Print Operators existing_groupname=Print Operators, Ignoring.
> > Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> > Importing users
> 
> Version 4.0.0alpha18-GIT-22ddbb5
> 
> Up till now, if I got to this point, I've always been able to "kinit
> administrator@MICORE.US", but after this provisioning it is failing with
> a preauthenticate error.
> 
> barbel:~/samba-master #  host -t SRV _kerberos._udp.micore.us.
> _kerberos._udp.micore.us has SRV record 0 100 88 BARBEL.micore.us.
> barbel:~/samba-master # host -t A barbel.micore.us.
> barbel.micore.us has address 10.66.77.1
> barbel:~/samba-master # kinit administrator@MICORE.US
> Password for administrator@MICORE.US: 
> kinit: Preauthentication failed while getting initial credentials

In general something seems to be going wrong with Kerberos now.  Not
only can I not authenticate as a user but I can't configure Bind to use
TKEY's or it fails with a -

Nov 10 10:46:53 barbel named[26621]: automatic empty zone: A.E.F.IP6.ARPA
Nov 10 10:46:53 barbel named[26621]: automatic empty zone: B.E.F.IP6.ARPA
Nov 10 10:46:53 barbel named[26621]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 10 10:46:53 barbel named[26621]: configuring TKEY: failure
Nov 10 10:46:53 barbel named[26621]: loading configuration: failure
Nov 10 10:46:53 barbel named[26621]: exiting (due to fatal error)

That is if I have
options {
       ....
        tkey-gssapi-credential "DNS/micore.us";
        tkey-domain "MICORE.US";
} in /etc/named.conf

In /etc/sysconfig/named I have -

KEYTAB_FILE="/opt/s4/private/dns.keytab"
KRB5_KTNAME="/opt/s4/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME

- and dns.keytab is owned by named:named as I have always had.


