Web lists-archives.com

Re: [Samba] samba AD member does not renew kerberos ticket [kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication failed]




On Sat, 11 Aug 2018 14:56:46 +0200
Noël Köthe via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> 
> my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9)
> connected to an AD with one Windows DC and one Samba DC does not renew
> the Kerberos ticket after 10 hours and I need to rejoin the domain.:(
> Another server (runs as print server with the same version) does not
> have this problem.
> 
> Aug 10 20:03:37 bonn winbindd[14698]:   kerberos_kinit_password
> BONN$@DOMAIN.DE failed: Preauthentication failed Aug 10 20:04:26 bonn
> winbindd[14698]:   kerberos_kinit_password BONN$@DOMAIN.DE failed:
> Preauthentication failed Aug 11 06:15:02 bonn winbindd[14698]:
> kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication
> failed Aug 11 06:25:02 bonn winbindd[14698]:
> kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication
> failed
> 
> The configuration files:
> 
> # ls -l /etc/krb*
> -rw-r--r-- 1 root root  142 Aug  7 12:25 /etc/krb5.conf
> -rw------- 1 root root 4012 Aug 11 08:02 /etc/krb5.keytab
> 
> krb5.keytab timestamp is from the last manual join.
> 
> # cat /etc/krb5.conf 
> [libdefaults]
>         default_realm = DOMAIN.DE
> 
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         ticket_lifetime = 24h
>         forwardable = yes
> 
> smb.conf
> [global]
>    netbios name = BONN
>    workgroup = BFDI
>    security = ADS
>    realm = DOMAIN.DE
> 
>    log level = 2 smb:4 winbind:6
> 
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config DOMAIN:backend = ad
>    idmap config DOMAIN:schema_mode = rfc2307
>    idmap config DOMAIN:range = 500-40000

Is 'DOMAIN' a typo ? or did you not bother 'sanitising' 'BFDI' above ?

>    idmap_ldb use:rfc2307 = Yes

Why have you got a line meant for a Samba AD DC in your Unix domain
member smb.conf ?

>    winbind nss info = rfc2307
>    winbind use default domain = yes
>    winbind max clients = 300
>    winbind refresh tickets = Yes
>    template homedir = /srv/samba/users/%U
>    template shell = /bin/bash
> #   username map = /etc/samba/smbusermap
> 
>    wins server = 10.1.1.72
>    dns proxy = yes

You do not need the above two lines.

> 
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
> 
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    server min protocol = SMB2
> ...
> Then the shares follow
> 
> The logfile when it starts that the user cannot login again.
> 
> [2018/08/11 06:13:00.606138,
> 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler) child
> daemon request 20 [2018/08/11 06:13:00.606203,
> 3] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
> [14695]: list trusted domains [2018/08/11 06:13:00.606226,
> 3] ../source3/winbindd/winbindd_ads.c:1456(trusted_domains) ads:
> trusted_domains [2018/08/11 06:13:00.607927,
> 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler) Finished
> processing child request 20 [2018/08/11 06:15:01.669552,
> 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler) child
> daemon request 59 [2018/08/11 06:15:01.669624,
> 3] ../source3/winbindd/winbindd_ads.c:1392(sequence_number) ads:
> fetch sequence_number for BFDI [2018/08/11 06:15:02.481002,
> 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> kerberos_kinit_password BONN$@DOMAIN.DE failed: Preauthentication
> failed [2018/08/11 06:15:02.481487,
> 1] ../source3/winbindd/winbindd_ads.c:135(ads_cached_connection_connect)
> ads_connect for domain DOMAIN failed: Preauthentication failed

There is that domain 'DOMAIN' again, is that a clue ??

> [2018/08/11 06:15:02.482231,
> 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler) Finished
> processing child request 59 [2018/08/11 06:18:00.611050,
> 4] ../source3/winbindd/winbindd_dual.c:1387(child_handler) child
> daemon request 20
> 
> # net ads join -U Administrator
> ...
> 
> # wbinfo -P
> checking the NETLOGON dc connection to "dc-win.domain.de" succeeded
> 
> # net ads testjoin
> Join is OK
> 
> # net ads info
> LDAP server: 10.1.1.71
> LDAP server name: dc-win.domain.de
> Realm: DOMAIN.DE
> Bind Path: dc=DOMAIN,dc=DE
> LDAP port: 389
> Server time: Sa, 11 Aug 2018 14:24:02 CEST
> KDC server: 10.1.1.71
> Server time offset: 0
> 
> Sadly I have no idea what could be the problem.
> I did a "net ads leave" and join but then 10 hours later the problem
> is there again.

This is undoubtedly a Kerberos problem, but apart for the slight
problems I mentioned above, there doesn't seem to be much wrong.

You could check the time between the Client and DC, also check that the
clients first nameserver is the DC.

If it is a Samba problem then you have little or no chance of getting
it fixed, your version of Samba is EOL as far as Samba is concerned.
You could consider using Louis Van Belle's repo from here:

http://apt.van-belle.nl/

This will get you a much more recent Samba version.

Rowland
 
> 
> Thanks alot for any help.
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba