[Samba] net ads join fails - "Preauthentication failed"

Birger Wathne birger at uib.no
Tue Dec 7 14:51:34 GMT 2004


Sort of solved...

First, I tried stopping smb and winbind and cleaning out all cache files 
(/var/cache/samba).
Then joining worked fine for a while. Then it didn't. Whenever it didn't 
I got those weird messages with IFTSMB100$@KLIENT.UIB.NO@KLIENT.UIB.NO 
again.

Now that problem seems to be fixed, but I still get errors joining. Seen 
from the AD side the join succeeds, and I can authenticate against AD as 
expected. I'm not sure what this is, but I'll get someone on the AD side 
to help me clean out the credentials for IFTSMB100 completely. Does 
anyone here know what it takes to get completely rid of all traces of a 
host in AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in 
krb5.conf and match the default realm in krb5.conf to the realm in 
smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this 
setup. Users live in other domains.
My new config files are at http://www.ift.uib.no/~birger/krb5.conf and
http://www.ift.uib.no/~birger/smb.conf

-- 
birger

birger wrote:

> After a lot of different problems and variations of krb5.conf and 
> samba.conf files I am currently stuck with the following error trying 
> to join a domain
>
> net ads join -U nfybw@UIB.NO 'Klienter\IT\MatNat\IFT\Samba 
> Servers\IT-gruppen'
> nfybw@UIB.NO's password:
> [2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
>  ads_add_machine_acct: Host account for iftsmb100 already exists - 
> modifying old account
> Using short domain name -- KLIENT
> [2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
>  get_service_ticket: kerberos_kinit_password 
> IFTSMB100$@KLIENT.UIB.NO@KLIENT.UIB.NO failed: Preauthentication failed
> *** glibc detected *** free(): invalid pointer: 0x00632800 ***
>
>
> Fedora Core 3, Samba  3.0.9 as installed by yum.
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nfybw@UIB.NO
>
> Valid starting     Expires            Service principal
> 12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/UIB.NO@UIB.NO
>        renew until 12/03/04 14:45:02
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> I have tried removing the definition in the AD server and recreating. 
> Samba manages to create the account, but still fails like above. Note 
> the double @KLIENT.UIB.NO. I think I'll go home now and take a break 
> while my head clears after fighting with security = ads for 2 days...
>
> In this AD environment hosts are defined in KLIENT.UIB.NO, while users 
> belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with 
> trust relationships). I have had it working as far as wbinfo listing 
> users from both worlds, but I still couldn't access shares. Then 
> something broke, and now I can't join the domain again. What have I 
> done wrong here?
>
> My config files are at
> http://www.ift.uib.no/~birger/krb5.conf and 
> http://www.ift.uib.no/~birger/smb.conf
>
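
Added example, not part of the original post and not Samba code: a small check that the default realm in krb5.conf matches the realm in smb.conf and that a domain-to-realm mapping covers the host, the two changes described in the message above. The sample file contents and the host name iftsmb100.ift.uib.no are constructed assumptions, and the [domain_realm] lookup is a simplified version of what the Kerberos library does.

```python
def parse_ini(text):
    """Minimal reader for both files: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections

def realm_for_host(fqdn, domain_realm):
    """Simplified [domain_realm] lookup: exact host name, then each parent as '.domain'."""
    name = fqdn.lower().rstrip(".")
    if name in domain_realm:
        return domain_realm[name]
    while "." in name:
        name = name.split(".", 1)[1]
        if "." + name in domain_realm:
            return domain_realm["." + name]
    return None

def check_join_config(krb5_text, smb_text, fqdn):
    """List mismatches between krb5.conf and the realm set in smb.conf."""
    krb5, smb = parse_ini(krb5_text), parse_ini(smb_text)
    smb_realm = smb.get("global", {}).get("realm", "").upper()
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()
    mapped = realm_for_host(fqdn, krb5.get("domain_realm", {}))
    problems = []
    if default_realm != smb_realm:
        problems.append(f"default_realm {default_realm} != smb.conf realm {smb_realm}")
    if mapped is None:
        problems.append(f"no [domain_realm] entry covers {fqdn}")
    elif mapped.upper() != smb_realm:
        problems.append(f"{fqdn} maps to {mapped}, not {smb_realm}")
    return problems

# Constructed samples (not the poster's files); the host FQDN is an assumption.
SMB = "[global]\n   security = ads\n   realm = KLIENT.UIB.NO\n"
KRB5_BEFORE = "[libdefaults]\n default_realm = UIB.NO\n"
KRB5_AFTER = ("[libdefaults]\n default_realm = KLIENT.UIB.NO\n"
              "[domain_realm]\n .ift.uib.no = KLIENT.UIB.NO\n")
HOST = "iftsmb100.ift.uib.no"

if __name__ == "__main__":
    for label, text in (("before", KRB5_BEFORE), ("after", KRB5_AFTER)):
        print(label, check_join_config(text, SMB, HOST) or "consistent")
```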
