[Samba] How do I tell winbind to always send kerberos pre-auth to Active Directory DC

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Sep 3 09:27:40 MDT 2009


On Thu, Sep 03, 2009 at 05:10:38PM +0200, Andreas Dan Larsson wrote:
> This message is not fatal in any way, all it means is that
> the client did not pre-authenticate it self to the
> domaincontroller. The domaincontroller responds to the
> client that it needs pre-auth to proceed, the client then
> supply the pre-auth info. So the "error" in it self is
> quite harmless, my concern is that its appearing a bit to
> often. Some clients log this message to the
> domaincontroller up to 10-20 times a minute, could this
> indicate that something is broken?

Ok, 10-20 times a minute is definitely too much, you would
need to look at traces why it happens so often. Apart from
that, this behaviour is something winbind has no direct
control over, this is done by the Kerberos libraries we use.
You might want to look at the docs for krb5.conf if there's
any setting you can use to stop the non-preauth requests.
I'm afraid I don't have those docs handy right now, and I'm
behind a slow mobile connection.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20090903/a500e92f/attachment.pgp>


More information about the samba mailing list