[Samba] How do I tell winbind to always send kerberos pre-auth to Active Directory DC

Andreas Dan Larsson andreas.d.larsson at axis.com
Thu Sep 3 09:10:38 MDT 2009

Hi List,
I have reported this issue before but I did not get an answer, I'll try one more time before I register it as a bug in case I am doing something wrong.

I'm evaluating the use of samba/winbind to join our Linux hosts into Active Directory. My test setup uses win2k3 R2 with rfc2307 schema fields populated on the server side. For the most part the project is humming along nicely.

However, I have noticed that the domain controllers get spammed with a lot of messages in the event log. The events look like this:

Failure Audit  - Security - 675

Pre-Authentication failed:
		User Name:			machineaccount$
		User ID:				DOMAIN\\machineaccount$
		Service Name:			krgtgt/DOMAIN
		Pre-Authentication type:	0x0
		Failure Code:			0x19
		Client Address:			ipofclient

This message is not fatal in any way, all it means is that the client did not pre-authenticate itself to the domain controller. The domain controller responds to the client that it needs pre-auth to proceed, the client then supplies the pre-auth info. So the "error" in itself is quite harmless, my concern is that it's appearing a bit too often. Some clients log this message to the domain controller up to 10-20 times a minute, could this indicate that something is broken?

My other concern is that this message will totally flood the logs of the domain controllers in the event of a full scale rollout on all Linux clients.

The solution I believe is to always send KRB5_PADATA_ENC_TIMESTAMP as pre-auth when connecting to an Active Directory domain controller. I have searched for a config option to enable this behavior without finding one. I have also searched the source code to see where the connection to the domain controller is set up. I have however been unsuccessful in figuring out how I tell sasl to make the connection using pre-auth.

Unless I have misunderstood my problem I believe this will benefit anyone that integrates their samba machines into Active Directory.

Other solutions I found via google solve the problem by disabling pre-auth altogether. This solution is totally unacceptable from a security point of view.

For reference I have used samba 3.2.5 from debian lenny and samba 3.3.3 from lenny backports to test this.

Any advice on how to proceed would be appreciated.

Andreas Larsson
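An added example (not part of the post above) for anyone triaging these 675 events on the DC side: it separates the harmless failure code 0x19 round trip described in the post (the KDC asking for pre-auth) from genuine pre-auth failures such as 0x18, and measures the per-minute rate per client so the 10-20 per minute the poster reports can be spotted. The event lines are a constructed, flattened export of the 675 fields; host names, addresses and times are made up.

```python
import re
from collections import Counter, defaultdict

# RFC 4120 codes seen in the 675 "Failure Code": 0x19 = KDC asks for pre-auth, 0x18 = pre-auth data rejected.
KRB_ERR = {0x18: "KDC_ERR_PREAUTH_FAILED", 0x19: "KDC_ERR_PREAUTH_REQUIRED"}

# Constructed sample export, one 675 event per line with the fields flattened
# (hosts, addresses and times are made up).
SAMPLE_EXPORT = """\
2009-09-03 09:10:01 675 User Name: linuxbox1$ Pre-Authentication type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.11
2009-09-03 09:10:04 675 User Name: linuxbox1$ Pre-Authentication type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.11
2009-09-03 09:10:09 675 User Name: linuxbox1$ Pre-Authentication type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.11
2009-09-03 09:10:30 675 User Name: linuxbox2$ Pre-Authentication type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.12
2009-09-03 09:11:02 675 User Name: linuxbox1$ Pre-Authentication type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.11
2009-09-03 09:11:15 675 User Name: jdoe Pre-Authentication type: 0x2 Failure Code: 0x18 Client Address: 10.0.0.50
"""

EVENT_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d 675 User Name: (?P<user>\S+) "
    r"Pre-Authentication type: (?P<patype>0x[0-9a-fA-F]+) "
    r"Failure Code: (?P<code>0x[0-9a-fA-F]+) Client Address: (?P<client>\S+)$"
)

def parse_events(text):
    """One dict per matching 675 line; the failure code is converted to an int."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["code"] = int(ev["code"], 16)
            events.append(ev)
    return events

def triage(events, per_minute_limit=10):
    """Per client: peak 0x19 count in any one minute, other failure codes, noisy flag."""
    preauth_req = defaultdict(Counter)   # client -> minute -> 0x19 count
    other = defaultdict(Counter)         # client -> code name -> count
    for ev in events:
        if ev["code"] == 0x19:
            preauth_req[ev["client"]][ev["minute"]] += 1
        else:
            other[ev["client"]][KRB_ERR.get(ev["code"], hex(ev["code"]))] += 1
    report = {}
    for client in set(preauth_req) | set(other):
        peak = max(preauth_req[client].values(), default=0)
        report[client] = {"peak_preauth_required_per_minute": peak,
                          "other_failures": dict(other[client]),
                          "noisy": peak >= per_minute_limit}
    return report
```

A client whose 0x19 peak stays in single digits is just doing the normal two-step AS exchange; a client showing the poster's 10-20 per minute, or any non-0x19 code, is the one worth looking at.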
