[Samba] Samba vs ActiveDirectory Kerberos error message
smc+samba at dogphilosophy.net
Wed May 25 16:42:14 GMT 2005
I'm seeing the same problem on 3 different Samba versions (on two different
distributions) as well. I poked around the HOWTO's and such but
so far haven't found anything to indicate what the problem might be.
It doesn't seem to prevent authentication, but it creates a huge amount of
noise in the Windows event logs. I'd be interested in knowing how to address
this, too.
On Wednesday 25 May 2005 02:27 am, Bjarne Maschoreck wrote:
> Hi,
>
> When validating users on my Linux system against an ActiveDirectory,
> the Windows event log is filled with messages like these (Windows
> Event ID 675):
>
> Pre-authentication failed:
> User Name: linux$
> User ID: KK\linux$
> Service Name: krbtgt/KK.LOCAL
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 1.2.3.4
>
>
> (1.2.3.4 is the IP address of the Linux machine, LINUX the hostname of
> the Linux machine).
>
> The message above comes at every request from the Linux machine (every 5
> minutes on this installation). If I am validating a user, the same
> message is shown for the user like this (user name validated=test):
>
> Pre-authentication failed:
> User Name: test$
> User ID: KK\test$
> Service Name: krbtgt/KK.LOCAL
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 1.2.3.4
>
> Messages logged on behalf of a user may be disabled by deactivating
> pre-authentication for each user. But I cannot find any place in
> ActiveDirectory to disable it for the machine account.
>
> What is missing?
>
> Is it possible to deactivate pre-authentication on the Linux (or
> Windows) side to avoid these messages?
>
>
>
> Installation information:
> ===================================================
>
> I have installed Samba 3.0.9-2.3 and the configuration files below on my
> Suse 9.2 system.
>
> I issued the following commands to establish connection to the
> ActiveDirectory on the Windows server named ADMCONTROLLER:
>
> smbpasswd -a root
> kinit admuser
> net use ads -Uadmuser
>
> The Linux machine was added and user names may perfectly well be
> validated against the ActiveDirectory hereafter.
>
> I am not running KDC locally.
>
> KK is our local domain handled by the domain controller ADMCONTROLLER.
> Test commands also work well as far as I can see:
>
> # net ads testjoin
> Join is OK
>
> # net ads status
> (misc informations, no errors)
>
> # net ads user
> (user list)
>
> Files used for the configuration:
>
> /etc/samba/smb.conf:
>
> [global]
> workgroup = KK
> realm = KK.LOCAL
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> printcap cache time = 750
> logon path = \\%L\profiles\.msprofile
> logon drive = P:
> logon home = \\%L\%U\.9xprofile
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /winhome/%U
> template shell = /bin/bash
> winbind separator = @
> winbind use default domain = yes
> winbind cache time = 900
> winbind enum users = no
> winbind enum groups = no
> printer admin = @ntadmin, root, administrator
> create mask = 0777
> force create mode = 0660
> directory mask = 0777
> force directory mode = 0777
> cups options = raw
> include = /etc/samba/dhcp.conf
> encrypt passwords = yes
> guest account = kkuser
> server string = LINUX filserver
>
> [printers]
> comment = All Printers
> path = /var/tmp
> create mask = 0600
> printable = yes
> browseable = no
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin, root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
> [data]
> comment = Data
> path = /data
> read only = no
> guest ok = yes
> max connections = 0
>
> ---eof---
>
> /etc/krb5.conf:
>
> [libdefaults]
> clockskew = 300
> default_realm = KK.LOCAL
>
> [realms]
> KK.LOCAL = {
> kdc = ADMCONTROLLER
> default_domain = KK.LOCAL
> kpasswd_server = ADMCONTROLLER
> }
>
> [domain_realm]
> .KK.LOCAL = KK.LOCAL
>
> [logging]
> default = SYSLOG:NOTICE:DAEMON
> kdc = FILE:/var/log/kdc.log
> kadmind = FILE:/var/log/kadmind.log
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = false
> }
>
> ---eof---
>
> /etc/samba/smbusers:
>
> root = administrator
>
> ---eof---
>
> /etc/samba/smbpasswd (hex modified in this example):
>
> root:0:52525252525252525252525252552525258237632846842634364834632842662:[U ]:LCT-9371B4CF:
>
> ---eof---
>
> /etc/nsswitch.conf:
>
> passwd: files winbind
> group: files winbind
> shadow: files winbind
>
> hosts: files dns
> networks: files dns
>
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files
> publickey: files
>
> bootparams: files
> automount: files nis
> aliases: files
>
> ---eof---
>
>
> Thanks for your help!
>
> rgds,
> Bjarne Maschoreck
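
Added example, not part of the original thread: failure code 0x19 in the records above is KDC_ERR_PREAUTH_REQUIRED in RFC 4120, the KDC's reply to an AS-REQ that carried no pre-authentication data. The Python sketch below parses event 675 text in the layout quoted above and separates that case from codes such as 0x18; the second sample record, the function names and the triage labels are assumptions made for illustration.

```python
import re
from collections import Counter

# Subset of Kerberos error codes (RFC 4120, section 7.5.9).
KRB_ERRORS = {0x18: "KDC_ERR_PREAUTH_FAILED", 0x19: "KDC_ERR_PREAUTH_REQUIRED",
              0x25: "KRB_AP_ERR_SKEW"}

# Record 1 is from the post (abridged); record 2 is constructed for contrast.
SAMPLE = """\
Pre-authentication failed:
User Name: linux$
Service Name: krbtgt/KK.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 1.2.3.4
Pre-authentication failed:
User Name: test
Service Name: krbtgt/KK.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 1.2.3.4
"""

# "Key: value" line, with an optional mail-quote prefix ("> ").
FIELD = re.compile(r"^\s*(?:>\s*)?([A-Za-z -]+?):\s*(.*?)\s*$")

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "Pre-authentication failed":
            events.append({})          # header line starts a new record
        elif events:
            events[-1][m.group(1)] = m.group(2)
    return events

def classify(ev):
    code = int(ev.get("Failure Code", "0"), 16)
    patype = int(ev.get("Pre-Authentication Type", "0"), 16)
    # 0x19 with type 0x0: the AS-REQ carried no pre-auth data and the KDC asked
    # for it; the client normally retries. Anything else deserves a look.
    expected = code == 0x19 and patype == 0
    return {"user": ev.get("User Name"), "client": ev.get("Client Address"),
            "error": KRB_ERRORS.get(code, hex(code)),
            "triage": "expected-negotiation" if expected else "review"}

def summarize(text):
    return Counter((c["error"], c["triage"]) for c in map(classify, parse_events(text)))
```

Counting the output of summarize() per client address shows how much of the event 675 volume is the 0x19 negotiation step and how much is an actual pre-authentication failure.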