[Samba] net ads join fails - "Preauthetication failed"

Birger Wathne birger at uib.no
Tue Dec 7 14:51:34 GMT 2004

Sort of solved...

First, I tried stopping smb and winbind and cleaning out all cache files 
Then joining worked fine for a while. Then it didn't. Whenever it didn't 
I got those weird messages with IFTSMB100$@KLIENT.UIB.NO at KLIENT.UIB.NO 

Now that problem seems to be fixed, but I still get errors joining. Seen 
from the AD side the join succeeds, and I can authenticate against AD as 
expected. I'm not sure what this is, but I'll get someone on the AD side 
to help me clean out the credentials for IFTSMB100 completely. Does 
anyone here know what it takes to get completely rid of all traces of a 
host in AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in 
krb5.conf and match the default realm in krb5.conf to the realm in 
smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this 
setup. Users live in other domains.
My new config files are at http://www.ift.uib.no/~birger/krb5.conf and


birger wrote:

> After a lot of different problems and variations of krb5.conf and 
> samba.conf files I am currently stuck with the following error trying 
> to join a domain
> net ads join -U nfybw at UIB.NO 'Klienter\IT\MatNat\IFT\Samba 
> Servers\IT-gruppen'
> nfybw at UIB.NO's password:
> [2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
>  ads_add_machine_acct: Host account for iftsmb100 already exists - 
> modifying old account
> Using short domain name -- KLIENT
> [2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
>  get_service_ticket: kerberos_kinit_password 
> IFTSMB100$@KLIENT.UIB.NO at KLIENT.UIB.NO failed: Preauthentication failed
> *** glibc detected *** free(): invalid pointer: 0x00632800 ***
> Fedora Core 3, Samba  3.0.9 as installed by yum.
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfybw at UIB.NO
> Valid starting     Expires            Service principal
> 12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/UIB.NO at UIB.NO
>        renew until 12/03/04 14:45:02
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> I have tried removing the definition in the AD server and recreating. 
> Samba manages to create the account, but still fails like above. Note 
> the double @KLIENT.UIB.NO. I think I'll go home now and take a break 
> while my head clears after fighting with security = ads for 2 days...
> In this AD environment hosts are defined in KLIENT.UIB.NO, while users 
> belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with 
> trust relationships). I have had it working as far as wbinfo listing 
> users from both worlds, but I still couldn't access shares. Then 
> something broke, and now I can't join the domain again. What have I 
> done wrong here?
> My config files are at
> http://www.ift.uib.no/~birger/krb5.conf and 
> http://www.ift.uib.no/~birger/smb.conf

More information about the samba mailing list