[Samba] Moving Samba AD DC from one VM host to another: Preauthentication failed

Denis Cardon dcardon at tranquil.it
Fri Jun 14 13:51:07 UTC 2019

Hi Barry,

> I'm trying to move my current Samba AD DC VM from ESXi vSphere to
> XenServer (XCP-NG).
> I was able to export the VM to .OVA file & import it into XCP-NG fine.
> I was able to open ADUC & the DNS manager in Windows without an issue.
> But my web server had a lot of these errors in the log & couldn't mount
> the SMB shares from the file server:
> kerberos_kinit_password <HOSTNAME> failed: Preauthentication failed
> Maybe the web server changed its password in between the export &
> import (it was a few days).
> Does it just need to leave & rejoin the domain?
> Or is there anything else I need to do on the DC after importing it into
> the new host?

Like a Windows desktop, Winbind changes its shared secret on a regular
basis (I think it is two weeks for winbind, 4 weeks for Windows
desktops). So if you had your DC running during the transfer, the
secret might well have changed.

If you have to do that again later, when switching server, you should
stop the samba service, then copy over the up-to-date /var/lib/samba from the
old VMware VM to the new XenServer VM in order not to lose any updated

For your web server, rejoining should do the trick.

> Both the DC & web server are on:
> Samba version: 4.7.6
> CentOS: 7.5.1804

I encourage you to update to the latest 4.9 at least. Samba 4.7 is not
supported anymore, and actually there have been big improvements in
performance and stability, notably bind-dlz which is working much better.




> Thanks for any help.

Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755

Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
