[Samba] samba AD problem after re-join domain

Jason Keltz jas at eecs.yorku.ca
Mon Oct 12 01:54:54 UTC 2020


I've been working on a Samba AD setup with a bunch of test machines - 
the one DC, and a bunch of clients.  Last night, I ended up switching 
the name of the test machines temporarily (except the DC), and 
re-joining the domain (that's for another e-mail later).  When things 
didn't work the way I had planned,  I switched the hostnames back, and 
re-joined the domain today on all the test machines.  I was shocked to 
find that I am only able to log in to the domain on one of my hosts.  It 
fails on all the other ones.  I ensured that I deleted the machine 
entries from AD.  I haven't changed my Samba config in months which 
Rowland had last verified was fine.  I haven't changed my /etc/krb5.conf 
Kerberos config in months.  I even did a complete rebuild of one of the 
machines since I automated the installation process, and that rebuild 
was working perfectly many, many times, but now it fails.  In the winbind 
log, every time I try to log in, I'm mostly seeing:

[2020/10/11 21:33:45.498701,  1, pid=3637, effective(1004, 0), 
real(1004, 0)] ../../source3/libads/authdata.c:177(kerberos_return_pac)
   kinit failed for 'jas at AD.EECS.YORKU.CA' with: Preauthentication 
failed (-1765328360)

.. which clearly doesn't make sense given that the net ads join 
completed successfully, the computer entry is there, just like before.  
In fact, I can log in to the system console as root, then do a "kinit 
jas", and it gets a ticket just fine so the system is able to talk to 
the DC.   Winbind is unhappy about something, but I just can't figure 
out what that is.  On the DC, I can still query all the users, groups, etc.

    I enabled log level 3 and get:

[2020/10/11 21:33:45.426469,  3, pid=3637, effective(0, 0), real(0, 0)] 
../../source3/winbindd/winbindd_pam.c:2089(winbindd_dual_pam_auth)
   [ 3635]: dual pam auth EECSYORKUCA\jas
[2020/10/11 21:33:45.498701,  1, pid=3637, effective(1004, 0), 
real(1004, 0)] ../../source3/libads/authdata.c:177(kerberos_return_pac)
   kinit failed for 'jas at AD.EECS.YORKU.CA' with: Preauthentication 
failed (-1765328360)
[2020/10/11 21:33:45.498763,  2, pid=3637, effective(0, 0), real(0, 0)] 
../../source3/winbindd/winbindd_pam.c:2410(winbindd_dual_pam_auth)
   Plain-text authentication for user EECSYORKUCA\jas returned 
NT_STATUS_LOGON_FAILURE (PAM: 7)
[2020/10/11 21:33:45.498779,  3, pid=3637, effective(0, 0), real(0, 0)] 
../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
   string_to_sid: SID  is not in a valid format
[2020/10/11 21:33:45.498807,  2, pid=3637, effective(0, 0), real(0, 0)] 
../../auth/auth_log.c:653(log_authentication_event_human_readable)
   Auth: [winbind,PAM_AUTH, nss_winbind, 3635] user [EECSYORKUCA]\[jas] at [Sun, 11 Oct 2020 21:33:45.498795 EDT] with [Plaintext] status [NT_STATUS_LOGON_FAILURE] workstation [(null)] remote host [unix:] mapped to [(null)]\[(null)]. local host [unix:]
   {"timestamp": "2020-10-11T21:33:45.498912-0400", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "c6dad50c7ecbb3a4", "logonType": 8, "status": "NT_STATUS_LOGON_FAILURE", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "PAM_AUTH, nss_winbind, 3635", "clientDomain": "EECSYORKUCA", "clientAccount": "jas", "workstation": null, "becameAccount": "", "becameDomain": "", "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "duration": 72496}}
[2020/10/11 21:33:48.636206,  3, pid=3637, effective(0, 0), real(0, 0)] 
../../source3/winbindd/winbindd_pam.c:2089(winbindd_dual_pam_auth)
   [ 3635]: dual pam auth EECSYORKUCA\jas
[2020/10/11 21:33:48.726636,  1, pid=3637, effective(1004, 0), 
real(1004, 0)] ../../source3/libads/authdata.c:177(kerberos_return_pac)
   kinit failed for 'jas at AD.EECS.YORKU.CA' with: Preauthentication 
failed (-1765328360)
[2020/10/11 21:33:48.726690,  2, pid=3637, effective(0, 0), real(0, 0)] 
../../source3/winbindd/winbindd_pam.c:2410(winbindd_dual_pam_auth)
   Plain-text authentication for user EECSYORKUCA\jas returned 
NT_STATUS_LOGON_FAILURE (PAM: 7)
[2020/10/11 21:33:48.726705,  3, pid=3637, effective(0, 0), real(0, 0)] 
../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
   string_to_sid: SID  is not in a valid format

I don't know if that SID error is the problem, but I've seen that in 
other debug logs before, so I think it's probably not.

On the one system that works, I'm seeing the following error in the log:

../../source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed 
(Permission denied)
[2020/10/11 20:54:46.663685,  3, pid=26219, effective(4481, 0), 
real(4481, 0)] 
../../source3/librpc/crypto/gse_krb5.c:577(gse_krb5_get_server_keytab)
   ../../source3/librpc/crypto/gse_krb5.c:577: Warning! Unable to set 
mem keytab from system keytab!

Any thoughts?  I've just spent the last 9 hours looking at this on a 
Sunday of a holiday weekend and have unfortunately not got anywhere.

Jason.
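
An added example, not part of the original post: a small Python parser for the winbind log format quoted above. It groups each header line with its message lines, converts the krb5 library code on the kinit line to its RFC 4120 error number, and lists the JSON authentication events next to it. The sample input is constructed from the post's excerpts (e-mail wrapping undone, JSON trimmed to the fields used); the function names are illustrative.

```python
import json
import re

# Constructed sample: lines taken from the post, unwrapped; JSON event trimmed.
SAMPLE_LOG = """\
[2020/10/11 21:33:45.426469,  3, pid=3637, effective(0, 0), real(0, 0)] ../../source3/winbindd/winbindd_pam.c:2089(winbindd_dual_pam_auth)
  [ 3635]: dual pam auth EECSYORKUCA\\jas
[2020/10/11 21:33:45.498701,  1, pid=3637, effective(1004, 0), real(1004, 0)] ../../source3/libads/authdata.c:177(kerberos_return_pac)
  kinit failed for 'jas at AD.EECS.YORKU.CA' with: Preauthentication failed (-1765328360)
[2020/10/11 21:33:45.498807,  2, pid=3637, effective(0, 0), real(0, 0)] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  {"timestamp": "2020-10-11T21:33:45.498912-0400", "type": "Authentication", "Authentication": {"status": "NT_STATUS_LOGON_FAILURE", "serviceDescription": "winbind", "clientDomain": "EECSYORKUCA", "clientAccount": "jas", "passwordType": "Plaintext"}}
"""

KRB5_ERROR_TABLE_BASE = -1765328384  # krb5 com_err base; code - base = protocol error number
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 24: "KDC_ERR_PREAUTH_FAILED",
              25: "KDC_ERR_PREAUTH_REQUIRED", 37: "KRB_AP_ERR_SKEW"}  # RFC 4120 names

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), \d+\), real\(\d+, \d+\)\] (?P<where>\S+)$")
KINIT = re.compile(r"kinit failed for '(?P<princ>[^']+)' with: .+ \((?P<code>-?\d+)\)")

def parse_records(text):
    """Group each bracketed header line with the message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "body": []})
        elif records and line.strip():
            records[-1]["body"].append(line.strip())
    return records

def summarize(text):
    """Return kinit failures (with decoded error) and JSON auth events, in log order."""
    out = []
    for rec in parse_records(text):
        for body in rec["body"]:
            k = KINIT.search(body)
            if k:
                num = int(k["code"]) - KRB5_ERROR_TABLE_BASE
                out.append({"kind": "kinit", "pid": rec["pid"], "euid": int(rec["euid"]),
                            "principal": k["princ"], "krb_error": num,
                            "krb_name": KRB_ERRORS.get(num, "unknown")})
            elif body.startswith('{"timestamp"'):
                a = json.loads(body).get("Authentication", {})
                out.append({"kind": "auth", "pid": rec["pid"], "status": a.get("status"),
                            "account": f'{a.get("clientDomain")}\\{a.get("clientAccount")}'})
    return out
```

Calling `summarize(SAMPLE_LOG)` yields the kinit failure decoded as error 24 (`KDC_ERR_PREAUTH_FAILED`), followed by the `NT_STATUS_LOGON_FAILURE` event for the same winbindd pid.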




