[Samba] Kerberos pre-authentication failure with samba 3.0.22

Holger Richter holger.richter at klst.com
Wed May 3 14:21:34 GMT 2006


Hello,

I have a problem with the Kerberos pre-authentication of Samba against
a W2k Active Directory. It seems to work, but in the Windows event log
I can see many pre-authentication errors (error 0x19) from the Samba
server. The server itself is a member of the Windows domain.

This is a part of smb.conf:

[global]
	unix charset = ISO-8859-1
	display charset = ISO-8859-1
	workgroup = WKG
	realm = WKG.COM
	server string = SRV8XXX
	security = ADS
	auth methods = winbind
	client schannel = Yes
	server schannel = Yes
	password server = *
	...

and krb5.conf:

[libdefaults]
	renew_lifetime = 1w
	ticket_lifetime = 1560
	default_tgs_enctypes = arcfour-hmac-md5
	default_tkt_enctypes = arcfour-hmac-md5
	permitted_enctypes = arcfour-hmac-md5
	kdc_req_checksum_type = -138
	ap_req_checksum_type = -138
	safe_checksum_type = -138
	dns_lookup_kdc = true
	dns_lookup_realm = true
	kdc_timesync = true
	proxiable = false
	forwardable = true

[logging]
	default = FILE:/var/log/kdc.log

[login]
	krb4_get_tickets = false
	krb4_convert = false

Kerberos gets the information about realm and KDC server from DNS. If
I define realm and KDC server directly in krb5.conf, I get the same
error. How can I tell MIT Kerberos to send the correct
pre-authentication?

Holger
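
Added example, not part of the original post: RFC 4120 defines error 0x19 as KDC_ERR_PREAUTH_REQUIRED, the KDC's reply to an AS-REQ that carried no pre-authentication data, after which a client normally retries with it. The Python sketch below separates that pattern from 0x18 (KDC_ERR_PREAUTH_FAILED) when reviewing KDC events; the record layout, the account names and the 5-second window are assumptions made for illustration.

```python
# Kerberos error codes as defined in RFC 4120.
KDC_ERR_PREAUTH_FAILED = 0x18    # pre-auth data was sent but did not validate
KDC_ERR_PREAUTH_REQUIRED = 0x19  # AS-REQ arrived without pre-auth data

# Constructed sample records, not taken from the post:
# (seconds, client principal, event, error code or None)
SAMPLE = [
    (0,   "srv8xxx$", "preauth_error", 0x19),
    (0,   "srv8xxx$", "tgt_issued",    None),
    (300, "srv8xxx$", "preauth_error", 0x19),
    (301, "srv8xxx$", "tgt_issued",    None),
    (400, "jdoe",     "preauth_error", 0x18),
    (500, "legacy$",  "preauth_error", 0x19),
]

def triage(records, window=5):
    """Label every pre-auth error in a time-ordered record list.

    negotiation: 0x19 followed within `window` seconds by a TGT for the
                 same client (first leg of the usual two-step AS exchange)
    unanswered:  0x19 with no TGT issued afterwards (client never retried)
    failed:      0x18, the supplied pre-auth data was rejected
    """
    findings = []
    for i, (ts, client, event, code) in enumerate(records):
        if event != "preauth_error":
            continue
        if code == KDC_ERR_PREAUTH_FAILED:
            label = "failed"
        elif code == KDC_ERR_PREAUTH_REQUIRED:
            # Look ahead for a ticket issued to the same principal.
            retried = any(
                c == client and e == "tgt_issued" and 0 <= t - ts <= window
                for t, c, e, _ in records[i + 1:]
            )
            label = "negotiation" if retried else "unanswered"
        else:
            label = "other"
        findings.append((ts, client, hex(code), label))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```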


