[Samba] AD authentication issue in Samba (kerberos errors)

Rowland Penny rpenny at samba.org
Wed Mar 20 11:03:15 UTC 2019

On Wed, 20 Mar 2019 12:27:09 +0200
"linux.il via samba" <samba at lists.samba.org> wrote:

> I have CENTOS7 box with Samba 4.8.3-4  and SSSD 1.16.2-13,
> authentication against MS Win domain.

We don't actually support using a Samba Unix domain member with SSSD,
mainly because SSSD isn't a Samba product.

> - Recently, Active Directory authentication stopped working within
> Samba
> - Users who try to connect to reach the point of being prompted for AD
> credentials; failures happen afterward.
> - All flavors of client OS are affected: Windows, Mac and Linux (via
> smbclient).
> - There have been no configuration changes to the system
> (especially/notably smb.conf) in 3+ weeks

If this has just started happening, something must have changed.

> - AD and SSSD continue to work fine within the operating system
> itself (SSH to the server works, can query AD for group information
> via ‘getent group GROUP’, etc.).

Is winbind running ?

> I do see some Kerberos errors into Samba logs:
> [2019/03/20 09:43:48.594230,  0]
> ../source3/libads/kerberos_util.c:74(ads_kinit_password)
>   kerberos_kinit_password LINUX$@EXAMPLE.COM failed: Preauthentication
> failed
> As far as I see from forum suggestions, linux box re-join to the
> domain should fix this issue, but I'm really don't like such manual
> workaround.

Please post your smb.conf


More information about the samba mailing list