[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]

Noël Köthe noel.koethe at credativ.de
Sat Aug 11 12:56:46 UTC 2018 

Hello,

my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9)
connected to an AD with one Windows DC and one Samba DC does not renew
the Kerberos ticket after 10 hours and I need to rejoin the domain.:(
Another server (runs as print server with the same version) does not
have this problem.

Aug 10 20:03:37 bonn winbindd[14698]:   kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 10 20:04:26 bonn winbindd[14698]:   kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:15:02 bonn winbindd[14698]:   kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
Aug 11 06:25:02 bonn winbindd[14698]:   kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed

The configuration files:

# ls -l /etc/krb*
-rw-r--r-- 1 root root  142 Aug  7 12:25 /etc/krb5.conf
-rw------- 1 root root 4012 Aug 11 08:02 /etc/krb5.keytab

krb5.keytab timestamp is from the last manual join.

# cat /etc/krb5.conf 
[libdefaults]
        default_realm = DOMAIN.DE

        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        forwardable = yes

smb.conf
[global]
   netbios name = BONN
   workgroup = BFDI
   security = ADS
   realm = DOMAIN.DE

   log level = 2 smb:4 winbind:6

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 500-40000
   idmap_ldb use:rfc2307 = Yes
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind max clients = 300
   winbind refresh tickets = Yes
   template homedir = /srv/samba/users/%U
   template shell = /bin/bash
#   username map = /etc/samba/smbusermap

   wins server = 10.1.1.72
   dns proxy = yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   server min protocol = SMB2
...
Then the shares follow

The logfile when it starts that the user cannot login again.

[2018/08/11 06:13:00.606138,  4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 20
[2018/08/11 06:13:00.606203,  3] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
  [14695]: list trusted domains
[2018/08/11 06:13:00.606226,  3] ../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
  ads: trusted_domains
[2018/08/11 06:13:00.607927,  4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
  Finished processing child request 20
[2018/08/11 06:15:01.669552,  4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 59
[2018/08/11 06:15:01.669624,  3] ../source3/winbindd/winbindd_ads.c:1392(sequence_number)
  ads: fetch sequence_number for BFDI
[2018/08/11 06:15:02.481002,  0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed
[2018/08/11 06:15:02.481487,  1] ../source3/winbindd/winbindd_ads.c:135(ads_cached_connection_connect)
  ads_connect for domain DOMAIN failed: Preauthentication failed
[2018/08/11 06:15:02.482231,  4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
  Finished processing child request 59
[2018/08/11 06:18:00.611050,  4] ../source3/winbindd/winbindd_dual.c:1387(child_handler)
  child daemon request 20

# net ads join -U Administrator
...

# wbinfo -P
checking the NETLOGON dc connection to "dc-win.domain.de" succeeded

# net ads testjoin
Join is OK

# net ads info
LDAP server: 10.1.1.71
LDAP server name: dc-win.domain.de
Realm: DOMAIN.DE
Bind Path: dc=DOMAIN,dc=DE
LDAP port: 389
Server time: Sa, 11 Aug 2018 14:24:02 CEST
KDC server: 10.1.1.71
Server time offset: 0

Sadly I have no idea what could be the problem.
I did a "net ads leave" and join but then 10 hours later the problem is
there again.

Thanks alot for any help.

-- 
Regards

        Noël Köthe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba/attachments/20180811/f8bbe517/signature.sig>

More information about the samba mailing list