[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]
Noël Köthe
noel.koethe at credativ.de
Sat Aug 11 12:56:46 UTC 2018
Hello,
my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9)
connected to an AD with one Windows DC and one Samba DC does not renew
the Kerberos ticket after 10 hours and I need to rejoin the domain. :(
Another server (runs as print server with the same version) does not
have this problem.
Aug 10 20:03:37 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 10 20:04:26 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:15:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:25:02 bonn winbindd[14698]: kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
The configuration files:
# ls -l /etc/krb*
-rw-r--r-- 1 root root 142 Aug 7 12:25 /etc/krb5.conf
-rw------- 1 root root 4012 Aug 11 08:02 /etc/krb5.keytab
krb5.keytab timestamp is from the last manual join.
# cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
smb.conf
[global]
netbios name = BONN
workgroup = BFDI
security = ADS
realm = DOMAIN.DE
log level = 2 smb:4 winbind:6
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 500-40000
idmap_ldb use:rfc2307 = Yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind max clients = 300
winbind refresh tickets = Yes
template homedir = /srv/samba/users/%U
template shell = /bin/bash
# username map = /etc/samba/smbusermap
wins server = 10.1.1.72
dns proxy = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server min protocol = SMB2
...
Then the shares follow
The logfile from when it starts that the user cannot log in again:
[2018/08/11 06:13:00.606138, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
child daemon request 20
[2018/08/11 06:13:00.606203, 3] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
[14695]: list trusted domains
[2018/08/11 06:13:00.606226, 3] ../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
ads: trusted_domains
[2018/08/11 06:13:00.607927, 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
Finished processing child request 20
[2018/08/11 06:15:01.669552, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
child daemon request 59
[2018/08/11 06:15:01.669624, 3] ../source3/winbindd/winbindd_ads.c:1392(sequence_number)
ads: fetch sequence_number for BFDI
[2018/08/11 06:15:02.481002, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
[2018/08/11 06:15:02.481487, 1] ../source3/winbindd/winbindd_ads.c:135(ads_cached_connection_connect)
ads_connect for domain DOMAIN failed: Preauthentication failed
[2018/08/11 06:15:02.482231, 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
Finished processing child request 59
[2018/08/11 06:18:00.611050, 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
child daemon request 20
# net ads join -U Administrator
...
# wbinfo -P
checking the NETLOGON dc connection to "dc-win.domain.de" succeeded
# net ads testjoin
Join is OK
# net ads info
LDAP server: 10.1.1.71
LDAP server name: dc-win.domain.de
Realm: DOMAIN.DE
Bind Path: dc=DOMAIN,dc=DE
LDAP port: 389
Server time: Sa, 11 Aug 2018 14:24:02 CEST
KDC server: 10.1.1.71
Server time offset: 0
Sadly I have no idea what could be the problem.
I did a "net ads leave" and join but then 10 hours later the problem is
there again.
Thanks a lot for any help.
--
Regards
Noël Köthe