[Samba] authenticating to AD with winbind

Völker, Christian Christian.Voelker at qsc.de
Fri Nov 4 08:56:47 GMT 2005 

Yohoo!
 
We want to authenticate our Cisco admins to freeradius. This should authenticate to our running AD (W2003Srv).
 
Googling for freeradius and AD tells me to use ntlm_auth. For ntlm_auth I need a running winbindd. And kerberos.
 
And there's my problem.
 
Status:
 I configured the /etc/krb5.conf
"kinit admin at MY.DOMAIN" asks for the password and gives me a ticket for one week.
So I think, kerberos is running fine.
 
"net join -S MYDOMAIN -Uadmin" asks again for the password to add the machine into the AD. Then it shows me a lot of messages (at the moment I can't post them here, if needed I will deliver them later). But, at the end it tells me that it has successfully joined. And I can find the machine-account in my AD. 
I'm not sure, but I think it ran successfully.
 
winbindd is configured in the /etc/samba/smb.conf. Starting winbind tells me in the logfile (machinenames stripped):
 
cgnses80:/var/log/samba # cat log.winbindd
[2005/11/03 17:16:07, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.14a-0.4-SUSE started.
  Copyright The Samba Team 2000-2004
[2005/11/03 17:16:07, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/11/03 17:16:07, 0] libads/kerberos.c:ads_kinit_password(147)
  kerberos_kinit_password host/HOST at STR.IPP.ED failed: Preauthentication failed
[2005/11/03 17:16:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain MYDOMAIN failed: Preauthentication failed
[2005/11/03 17:16:07, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/11/03 17:16:07, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/11/03 17:16:51, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/11/03 17:16:51, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/11/03 17:16:51, 0] libads/kerberos.c:ads_kinit_password(147)
  kerberos_kinit_password host/HOST at STR.IPP.ED failed: Preauthentication failed
[2005/11/03 17:16:51, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain MYDOMAIN2 failed: Preauthentication failed
[2005/11/03 17:16:51, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/11/03 17:31:48, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/11/03 18:41:48, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
cgnses80:/var/log/samba #

Could it be possible, that the host is not added successfully to the domain? But why tells me the net join it was so? And why is the machine in the AD?
 
Anyone who can give me an approach to the solution?

More information about the samba mailing list