[Samba] Samba "spamming" Windows ADS server event logs with "pre-authentication failure"?

smc+samba at dogphilosophy.net
Thu May 19 23:10:54 GMT 2005


It appears that for some odd reason, all of the samba machines on our network 
are causing frequent "pre-authentication error" events for the machine name 
to clog the event logs on the "ActiveDirectory" server.

What's strange is that everything otherwise appears to be working - users can 
connect to samba shares and authenticate to the ADS server, but the event 
logs on the ADS server (Windows 2000) get a mess of Event 675s every few 
minutes, with the machine account identified as the "user" attempting to 
connect.  kinit administrator@(DOMAIN).COM works fine.  smbclient -k works 
fine.  getent successfully pulls group info from the ActiveDirectory server.  
"net ads join" says it is updating the machine account entry successfully (in 
the process causing a whole slew of additional "pre-authentication failure" 
lines in the event logs again...).  I haven't been able to figure out what's 
causing it.  The fact that I don't quite understand what's going on between 
the Samba ADS member server and the ADS server itself doesn't help...

Supposedly, the error is "wrong password" ("Pre-Authentication Type: 0x0 
Failure Code 0x19").  Is the machine account's password screwed up such that 
I need to do something 'special' to fix it?

This appears to be happening with Samba 3.0.9 (Suse 9.2 Pro), Samba 3.0.11 
(Slackware), and Samba 3.0.15pre2 (Slackware).

Any pointers regarding where to look for the problem would be much 
appreciated.

If it helps, here's the smb.conf (sanitized for my protection...)

# Global parameters
[global]
        workgroup = WINDOMAIN
        realm = DOMAIN.COM
        server string = Samba Experimental
        security = ADS
        username map = /etc/samba/smbusers
        log file = /var/log/samba.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        wins server = 192.168.1.2, 192.168.1.7
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        hosts allow = 192.168.1., 127.
        use sendfile = Yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[test]
        comment = test drive
        path = /tmp/temp
        read only = No
        guest ok = Yes
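
An added triage example, not part of the original post and not Samba code: it decodes the Failure Code field of Event 675 descriptions against the RFC 4120 error numbering, where 0x18 is KDC_ERR_PREAUTH_FAILED and 0x19 is KDC_ERR_PREAUTH_REQUIRED, and collapses repeats per account. The sample descriptions, the names SAMBA1$ and jdoe, the client addresses and the one-line field layout are constructed assumptions modelled on the fields quoted in the post.

```python
import re
from collections import Counter

# Kerberos error codes as numbered in RFC 4120 section 7.5.9 (subset).
KRB_ERRORS = {
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# Field layout is an assumption based on the fields quoted in the post;
# the colon is optional because the post writes "Failure Code 0x19".
FIELD = re.compile(
    r"(User Name|Pre-Authentication Type|Failure Code|Client Address):?\s*(\S+)")

def parse_675(text):
    """Return the fields of one Event 675 description as a dict."""
    return dict(FIELD.findall(text))

def classify(event):
    """Map the failure code to its RFC name and a triage verdict."""
    code = int(event["Failure Code"], 16)
    patype = int(event.get("Pre-Authentication Type", "0x0"), 16)
    name = KRB_ERRORS.get(code, "UNKNOWN_0x%X" % code)
    if code == 0x19 and patype == 0:
        # Request carried no pre-authentication data and the KDC asked for it.
        return name, "preauth-negotiation"
    if code == 0x18:
        # Pre-authentication data was sent and did not validate.
        return name, "bad-credentials"
    return name, "review"

def triage(descriptions):
    """Count (account, error, verdict) so repeated events collapse to one row."""
    counts = Counter()
    for text in descriptions:
        event = parse_675(text)
        counts[(event["User Name"], *classify(event))] += 1
    return counts

# Constructed sample descriptions (not taken from the poster's logs).
SAMPLE = [
    "User Name: SAMBA1$ Pre-Authentication Type: 0x0 Failure Code 0x19 Client Address: 192.168.1.50",
    "User Name: SAMBA1$ Pre-Authentication Type: 0x0 Failure Code 0x19 Client Address: 192.168.1.50",
    "User Name: jdoe Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 192.168.1.61",
]

if __name__ == "__main__":
    for key, n in triage(SAMPLE).items():
        print(n, *key)
```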

