Kerberos ticket issues with Samba4 and Windows 2k8R2

brendan powers brendan0powers at
Tue Jun 5 09:27:52 MDT 2012


I have been having issues getting Kerberos tickets for users stored in
a keytab file. This issue only occurs when Samba4 is joined to a
Windows Server 2008 R2 domain. If the server is provisioned normally,
or joined to a Windows 2003 R2 domain, this problem does not occur.
I've also tried a normal provision and then raised the domain and
forest to a 2008R2 level, and that does not cause the issue either.
Below is a list of information and steps I used to reproduce the issue.

Linux Server OS: Ubuntu 12.04
Samba Versions: Alpha 17, Alpha 21, and GIT
01106230ddc8da90e2ff2667dd3702e3c110f720 from yesterday.
Windows Version: Windows Server 2008 R2
Domain and Forest Level: 2008R2

Domain Name: testdom.lan
Short Name: testdom
Windows Server: winsvr
Linux Server: ubuntu

Steps to reproduce:
1) Install Windows Server 2008R2, and provision a new domain with a
2008R2 forest and domain level
2) Install Samba4 on a linux server, using one of the versions listed above
3) Set up /etc/resolv.conf to point to the Windows server. Configure
hosts so the Ubuntu server has a properly configured FQDN
4) Configure the /etc/krb5.conf according to
5) Join samba to the windows domain using: bin/samba-tool domain join
testdom.lan DC -Uadministrator --realm=testdom.lan
6) Run KCC on the windows server: bin/samba-tool drs kcc -UAdministrator winsvr
7) Check replication with: bin/samba-tool drs showrepl
8) Create a user to authenticate. I'm going to use the dns update user
in this example: bin/samba-tool user create dns-ubuntu Dnspw123
9) Create secrets ldiff file (see below), and import it with:
bin/ldbadd -H private/secrets.ldb /tmp/secret.ldiff
10) Run kinit dns-ubuntu to make sure the user was created and can be
11) Try getting a kerberos ticket using the keytab created by adding
an entry to the secrets.ldb file: kinit -k -t private/dns.keytab

At this point, kinit gives the error "kinit: Preauthentication failed
while getting initial credentials". If I use a Windows 2008
server for this process, this command succeeds. If I were to export
the domain keytab with samba-tool domain exportkeytab, I can
authenticate the dns-ubuntu user. This seems to be a pretty consistent
and repeatable behavior. I've tried it with many small configuration
tweaks, multiple Windows servers, etc. Below are some of the files I
used. This seems to be the only issue: replication is working,
computers can join the domain, users can authenticate, DNS updates
work, etc.

[libdefaults]
	default_realm = TESTDOM.LAN
	dns_lookup_realm = false
	dns_lookup_kdc = true

I've tried various versions of realm/kdc being true/false.

Secrets LDIF file - This is the file I used to add the dns-ubuntu
entry to the secrets.ldb file:
dn: samAccountName=dns-ubuntu,CN=Principals
msDS-KeyVersionNumber: 1
objectClass: top
objectClass: secret
objectClass: kerberosSecret
privateKeytab: dns.keytab
sAMAccountName: dns-ubuntu
secret: Dnspw123
servicePrincipalName: DNS/testdom.lan
servicePrincipalName: DNS/ubuntu.testdom.lan
name: dns-ubuntu

# Global parameters
[global]
	server role = domain controller
	workgroup = TESTDOM
	realm = testdom.lan
	netbios name = UBUNTU
	passdb backend = samba4
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, s3fs

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/testdom.lan/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

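An added diagnostic that is not part of the original post or of Samba: a parser for the MIT-style keytab format (version 0x0502, which both MIT and Heimdal tools write) that lists each entry's principal, kvno and enctype without exposing key bytes, so the dns.keytab written from the privateKeytab entry above can be compared against the msDS-KeyVersionNumber in secrets.ldb and against what the KDC holds; a keytab whose kvno or keys differ from the KDC's is one thing to rule out when kinit -k reports "Preauthentication failed". The sample keytab is constructed inline with dummy all-zero keys, and its second entry is given kvno 2 on purpose so the mismatch check has something to report.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _octets(buf, pos):
    """Read a counted_octet_string: big-endian uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return one dict (principal, kvno, enctype) per live entry of a 0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "not a version-2 MIT/Heimdal keytab"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        parts, pos = [], pos + 2
        for _ in range(ncomp + 1):        # realm comes first, then the name components
            part, pos = _octets(data, pos)
            parts.append(part.decode())
        _name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                  # skip the keyblock; key bytes are never exposed
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit wins
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def kvno_mismatches(entries, expected):
    """Principals whose keytab kvno differs from msDS-KeyVersionNumber in secrets.ldb."""
    return sorted({e["principal"] for e in entries if e["kvno"] != expected})

def _entry(principal, kvno, enctype, key):
    """Build one keytab entry; used only to construct the sample below."""
    name, realm = principal.split("@")
    body = struct.pack(">HH", len(name.split("/")), len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 1338908872, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample keytab (dummy all-zero keys) for the LDIF's principals; entry 2 has kvno 2 on purpose
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("dns-ubuntu@TESTDOM.LAN", 1, 23, bytes(16))
                 + _entry("DNS/ubuntu.testdom.lan@TESTDOM.LAN", 2, 18, bytes(32)))
```

Run parse_keytab on the bytes of private/dns.keytab and pass the result to kvno_mismatches with the msDS-KeyVersionNumber from the LDIF; klist -kte prints the same fields from the real file for comparison.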