[Samba] Samba vs ActiveDirectory Kerberos error message
Bjarne Maschoreck
news01 at maschoreck.dk
Wed May 25 09:27:58 GMT 2005
Hi,
When validating users on my Linux system against an ActiveDirectory,
the Windows event log is filled with messages like these (Windows
Event ID 675):
Pre-authentication failed:
    User Name: linux$
    User ID: KK\linux$
    Service Name: krbtgt/KK.LOCAL
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 1.2.3.4
(1.2.3.4 is the IP address of the Linux machine, LINUX the hostname of
the Linux machine).
The message above comes at every request from the Linux machine (every 5
minutes on this installation). If I am validating a user, the same
message is shown for the user like this (user name validated=test):
Pre-authentication failed:
    User Name: test$
    User ID: KK\test$
    Service Name: krbtgt/KK.LOCAL
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 1.2.3.4
Messages logged on behalf of a user may be disabled by deactivating
pre-authentication for each user. But I cannot find any place in
ActiveDirectory to disable it for the machine account.
What is missing?
Is it possible to deactivate pre-authentication on the Linux (or
Windows) side to avoid these messages?
Installation information:
===================================================
I have installed Samba 3.0.9-2.3 and the configuration files below on my
Suse 9.2 system.
I issued the following commands to establish connection to the
ActiveDirectory on the Windows server named ADMCONTROLLER:
smbpasswd -a root
kinit admuser
net use ads -Uadmuser
The Linux machine was added and user names may perfectly well be
validated against the ActiveDirectory hereafter.
I am not running KDC locally.
KK is our local domain handled by the domain controller ADMCONTROLLER.
Test commands also work well as far as I can see:
# net ads testjoin
Join is OK
# net ads status
(misc information, no errors)
# net ads user
(user list)
Files used for the configuration:
/etc/samba/smb.conf:
[global]
    workgroup = KK
    realm = KK.LOCAL
    security = ADS
    map to guest = Bad User
    username map = /etc/samba/smbusers
    printcap cache time = 750
    logon path = \\%L\profiles\.msprofile
    logon drive = P:
    logon home = \\%L\%U\.9xprofile
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /winhome/%U
    template shell = /bin/bash
    winbind separator = @
    winbind use default domain = yes
    winbind cache time = 900
    winbind enum users = no
    winbind enum groups = no
    printer admin = @ntadmin, root, administrator
    create mask = 0777
    force create mode = 0660
    directory mask = 0777
    force directory mode = 0777
    cups options = raw
    include = /etc/samba/dhcp.conf
    encrypt passwords = yes
    guest account = kkuser
    server string = LINUX filserver
[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = yes
    browseable = no
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin, root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775
[data]
    comment = Data
    path = /data
    read only = no
    guest ok = yes
    max connections = 0
---eof---
/etc/krb5.conf:
[libdefaults]
    clockskew = 300
    default_realm = KK.LOCAL
[realms]
    KK.LOCAL = {
        kdc = ADMCONTROLLER
        default_domain = KK.LOCAL
        kpasswd_server = ADMCONTROLLER
    }
[domain_realm]
    .KK.LOCAL = KK.LOCAL
[logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }
---eof---
/etc/samba/smbusers:
root = administrator
---eof---
/etc/samba/smbpasswd (hex modified in this example):
root:0:52525252525252525252525252552525258237632846842634364834632842662:[U
]:LCT-9371B4CF:
---eof---
/etc/nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
---eof---
Thanks for your help!
rgds,
Bjarne Maschoreck
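
Failure code 0x19 in the entries above is Kerberos error 25, KDC_ERR_PREAUTH_REQUIRED (RFC 4120), which the KDC returns to an initial request sent without pre-authentication data. The following Python code is an added example, not part of the original post: it parses exported Event ID 675 text, counts 0x19 entries as noise and keeps other codes such as 0x18 for review. The second sample event and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120), keyed the way the "Failure Code" field shows them.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x18: "KDC_ERR_PREAUTH_FAILED",
              0x19: "KDC_ERR_PREAUTH_REQUIRED", 0x25: "KRB_AP_ERR_SKEW"}
BENIGN = {0x19}  # KDC asking for pre-auth data, not a failed password check
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*\S)\s*$")

# First event is taken from the post; the second (0x18) is constructed sample data.
SAMPLE = r"""Pre-authentication failed:
User Name: linux$
User ID: KK\linux$
Service Name: krbtgt/KK.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 1.2.3.4
Pre-authentication failed:
User Name: test
Service Name: krbtgt/KK.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 1.2.3.4
"""

def parse_events(text):
    """Split exported Event ID 675 descriptions into one dict per event."""
    events = []
    for line in text.splitlines():
        if line.strip().lower().startswith("pre-authentication failed"):
            events.append({})          # header line starts a new event
            continue
        m = FIELD.match(line)
        if m and events:               # ignore fields seen before any header
            events[-1][m.group(1)] = m.group(2)
    return events

def triage(events):
    """Return (noise, alerts): benign codes are counted, all others are kept."""
    noise, alerts = Counter(), []
    for ev in events:
        code = int(ev.get("Failure Code", "0x0"), 16)
        key = (ev.get("User Name"), ev.get("Client Address"),
               KRB_ERRORS.get(code, hex(code)))
        if code in BENIGN:
            noise[key] += 1
        else:
            alerts.append(key)
    return noise, alerts
```
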