Re: [Samba] net ads join fails - "Preauthentication failed"
Resending, as I used wrong sender and it doesn't seem to have appeared on the list.

The problem is sort of solved...

First, I tried stopping smb and winbind and cleaning out all cache files (/var/cache/samba). Then joining worked fine for a while. Then it didn't. Whenever it didn't I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO again.

Now the problem with the double realm name seems to be fixed. I still get the same errors joining (just with the correct realm name). Seen from the AD side the join succeeds, and I can authenticate against AD as expected. I'm not sure what this is, but I'll get someone on the AD side to help me clean out the credentials for IFTSMB100 completely. Does anyone here know what it takes to get completely rid of all traces of a host in the kerberos part of AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in krb5.conf so my domain maps to a realm name (map ift.uib.no to KLIENT.UIB.NO) and match the default realm in krb5.conf to the realm in smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this setup. Users live in other domains.

My new config files are at
http://www.ift.uib.no/~birger/krb5.conf
and
http://www.ift.uib.no/~birger/smb.conf

I also upgraded kerberos and samba to the versions in the yum develop repo for fc3.
samba*-3.0.9-2 and krb5*-1.3.5-2

Now, even with the preauthentication failures when joining I have a working server that authenticates as expected. :-)

--
birger

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
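The realm alignment described in this message (default_realm in krb5.conf matching realm in smb.conf, plus a [domain_realm] entry for ift.uib.no) can be checked mechanically before retrying a join. The Python check below is an added example, not part of the original post or of Samba; the file contents are constructed, the FQDN iftsmb100.ift.uib.no is an assumption, and the suffix walk is a simplified model of the MIT krb5 [domain_realm] lookup.

```python
import configparser

def parse_krb5_sections(text):
    """Collect flat key = value pairs per [section]; { } sub-blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:
            depth += line.count("{") - line.count("}")
        elif line.startswith("["):
            current = sections.setdefault(line.strip("[]").strip(), {})
        elif line.endswith("{"):
            depth = 1
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections

def realm_for_host(fqdn, domain_realm):
    """Try the full host name, then each shorter suffix with and without a leading dot."""
    name = fqdn.lower()
    while name:
        if name in domain_realm:
            return domain_realm[name]
        # ".b.c" -> "b.c"; "a.b.c" -> ".b.c"; a single last label -> ""
        name = name[1:] if name[0] == "." else (name[name.find("."):] if "." in name else "")
    return None

def check_realms(krb5_text, smb_text, fqdn):
    """Return a list of mismatches; an empty list means all realm settings agree."""
    krb5 = parse_krb5_sections(krb5_text)
    smb = configparser.ConfigParser(strict=False, interpolation=None)
    # smb.conf lines are often indented; strip them so none is read as a continuation
    smb.read_string("\n".join(l.strip() for l in smb_text.splitlines()))
    smb_realm = smb.get("global", "realm", fallback=None)
    checks = [("krb5.conf default_realm", krb5.get("libdefaults", {}).get("default_realm")),
              (f"[domain_realm] realm for {fqdn}", realm_for_host(fqdn, krb5.get("domain_realm", {})))]
    return [f"{what} is {got!r}, smb.conf realm is {smb_realm!r}"
            for what, got in checks if got != smb_realm]

# Constructed sample inputs; only the realm and domain names come from the thread.
SMB = "[global]\n  security = ads\n  realm = KLIENT.UIB.NO\n"
KRB5_BEFORE = "[libdefaults]\n default_realm = UIB.NO\n[realms]\n KLIENT.UIB.NO = {\n  kdc = kdc.example\n }\n"
KRB5_AFTER = ("[libdefaults]\n default_realm = KLIENT.UIB.NO\n"
              "[domain_realm]\n .ift.uib.no = KLIENT.UIB.NO\n ift.uib.no = KLIENT.UIB.NO\n")
HOST = "iftsmb100.ift.uib.no"  # assumed FQDN for IFTSMB100
```

`check_realms(KRB5_BEFORE, SMB, HOST)` reports both mismatches, while `check_realms(KRB5_AFTER, SMB, HOST)` returns an empty list.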
Re: [Samba] net ads join fails - "Preauthentication failed"
Sort of solved...

First, I tried stopping smb and winbind and cleaning out all cache files (/var/cache/samba). Then joining worked fine for a while. Then it didn't. Whenever it didn't I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO again.

Now that problem seems to be fixed, but I still get errors joining. Seen from the AD side the join succeeds, and I can authenticate against AD as expected. I'm not sure what this is, but I'll get someone on the AD side to help me clean out the credentials for IFTSMB100 completely. Does anyone here know what it takes to get completely rid of all traces of a host in AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in krb5.conf and match the default realm in krb5.conf to the realm in smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this setup. Users live in other domains.

My new config files are at
http://www.ift.uib.no/~birger/krb5.conf
and
http://www.ift.uib.no/~birger/smb.conf

--
birger

birger wrote:

> After a lot of different problems and variations of krb5.conf and samba.conf files I am currently stuck with the following error trying to join a domain
>
> net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
> [EMAIL PROTECTED]'s password:
> [2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
>   ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
> Using short domain name -- KLIENT
> [2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
>   get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
> *** glibc detected *** free(): invalid pointer: 0x00632800 ***
>
> Fedora Core 3, Samba 3.0.9 as installed by yum.
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
>         renew until 12/03/04 14:45:02
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> I have tried removing the definition in the AD server and recreating. Samba manages to create the account, but still fails like above. Note the double @KLIENT.UIB.NO.
>
> I think I'll go home now and take a break while my head clears after fighting with security = ads for 2 days...
>
> In this AD environment hosts are defined in KLIENT.UIB.NO, while users belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with trust relationships). I have had it working as far as wbinfo listing users from both worlds, but I still couldn't access shares. Then something broke, and now I can't join the domain again.
>
> What have I done wrong here?
>
> My config files are at
> http://www.ift.uib.no/~birger/krb5.conf
> and
> http://www.ift.uib.no/~birger/smb.conf
Re: [Samba] net ads join fails - "Preauthentication failed"
birger wrote:

> net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
> [EMAIL PROTECTED]'s password:
> [2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
>   ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
> Using short domain name -- KLIENT
> [2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
>   get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
> *** glibc detected *** free(): invalid pointer: 0x00632800 ***

I seem to have solved this part of the problem. Stop everything, move aside /var/cache/samba, create a new empty directory and retry. Worked as it should.

Now I'm back to my old problems. :-/

--
birger
[Samba] net ads join fails - "Preauthentication failed"
After a lot of different problems and variations of krb5.conf and samba.conf files I am currently stuck with the following error trying to join a domain

    net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
    [EMAIL PROTECTED]'s password:
    [2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
      ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
    Using short domain name -- KLIENT
    [2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
      get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
    *** glibc detected *** free(): invalid pointer: 0x00632800 ***

Fedora Core 3, Samba 3.0.9 as installed by yum.

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
            renew until 12/03/04 14:45:02

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

I have tried removing the definition in the AD server and recreating. Samba manages to create the account, but still fails like above. Note the double @KLIENT.UIB.NO.

I think I'll go home now and take a break while my head clears after fighting with security = ads for 2 days...

In this AD environment hosts are defined in KLIENT.UIB.NO, while users belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with trust relationships). I have had it working as far as wbinfo listing users from both worlds, but I still couldn't access shares. Then something broke, and now I can't join the domain again.

What have I done wrong here?

My config files are at
http://www.ift.uib.no/~birger/krb5.conf
and
http://www.ift.uib.no/~birger/smb.conf

--
birger