[Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]

Noël Köthe noel.koethe at credativ.de
Sat Aug 11 14:30:42 UTC 2018

Hello Rowland,

On Saturday, 11.08.2018, 14:55 +0100, Rowland Penny wrote via

> >    idmap config DOMAIN:backend = ad
> >    idmap config DOMAIN:schema_mode = rfc2307
> >    idmap config DOMAIN:range = 500-40000
> Is 'DOMAIN' a typo ? or did you not bother 'sanitising' 'BFDI' above ?

I overlooked the workgroup entry when "sanitising". sorry for

> >    idmap_ldb use:rfc2307 = Yes
> Why have you got a line meant for a Samba AD DC in your Unix domain
> member smb.conf ?

Then it is not intended.

> >    wins server =
> >    dns proxy = yes
> You do not need the above two lines.

Thank you for the hint.

> > Sadly I have no idea what could be the problem.
> > I did a "net ads leave" and join but then 10 hours later the problem
> > is there again.
> This is undoubtedly a Kerberos problem, but apart from the slight
> problems I mentioned above, there doesn't seem to be much wrong.

OK. Thank you for this verification.

> You could check the time between the Client and DC, also check that the
> client's first nameserver is the DC.

I did this and they all run NTP and the clocks are accurate.

> If it is a Samba problem then you have little or no chance of getting
> it fixed, your version of Samba is EOL as far as Samba is concerned.
> You could consider using Louis Van Belle's repo from here:
> http://apt.van-belle.nl/
> This will get you a much more recent Samba version.

Thanks again. I will upgrade the system and samba.


        Noël Köthe
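
The smb.conf points raised in the quoted review above (idmap domain name not matching the workgroup, an AD DC setting on a domain member, the two unneeded lines) can be checked mechanically. The following is an added example, not part of the original message and not Samba's own tooling; the function names and the sample file are constructed for illustration, using only the settings quoted in the thread.

```python
import re

# Constructed sample: the settings quoted in the thread, with 'BFDI' as the
# workgroup the poster forgot to sanitise. Not the poster's full smb.conf.
SAMPLE = """\
[global]
   workgroup = BFDI
   security = ads
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 500-40000
   idmap_ldb use:rfc2307 = Yes
   wins server =
   dns proxy = yes
"""

def parse_global(text):
    """Return {normalised parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are compared lower-cased with single spaces.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_member_conf(text):
    """Flag the points raised in the thread for a domain-member config."""
    p = parse_global(text)
    workgroup = p.get("workgroup", "").upper()
    findings = []
    # Domain names used in 'idmap config NAME:option' lines, except '*'.
    domains = {m.group(1).upper() for k in p
               if (m := re.match(r"idmap config\s*(.+?)\s*:", k)) and m.group(1) != "*"}
    for dom in sorted(domains - {workgroup}):
        findings.append(f"idmap config domain '{dom}' does not match workgroup '{workgroup}'")
    if any(k.startswith("idmap_ldb") for k in p):
        findings.append("idmap_ldb setting is meant for an AD DC, not a domain member")
    for k in ("wins server", "dns proxy"):
        if k in p:
            findings.append(f"'{k}' is not needed on a domain member")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_member_conf(SAMPLE)))
```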