[Samba] net ads join fails - "Preauthentication failed"

birger birger at birger.sh
Thu Dec 2 15:17:56 GMT 2004

After a lot of different problems and variations of krb5.conf and 
samba.conf files, I am currently stuck with the following error when 
trying to join a domain:

net ads join -U nfybw@UIB.NO 'Klienter\IT\MatNat\IFT\Samba 
nfybw@UIB.NO's password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
  ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password IFTSMB100$@KLIENT.UIB.NO@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

Fedora Core 3, Samba  3.0.9 as installed by yum.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfybw@UIB.NO

Valid starting     Expires            Service principal
12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/UIB.NO@UIB.NO
        renew until 12/03/04 14:45:02

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I have tried removing the definition in the AD server and recreating. 
Samba manages to create the account, but still fails like above. Note 
the double @KLIENT.UIB.NO. I think I'll go home now and take a break 
while my head clears after fighting with security = ads for 2 days...

In this AD environment hosts are defined in KLIENT.UIB.NO, while users 
belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with trust 
relationships). I have had it working as far as wbinfo listing users 
from both worlds, but I still couldn't access shares. Then something 
broke, and now I can't join the domain again. What have I done wrong here?

My config files are at
http://www.ift.uib.no/~birger/krb5.conf and 


