Bug 4863 - Kerberos Preauth fails for machine account on join
Summary: Kerberos Preauth fails for machine account on join
Status: RESOLVED DUPLICATE of bug 4866
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.25b
Hardware: Sparc Solaris
Importance: P3 major
Target Milestone: none
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 4864
Depends on:
Blocks:
 
Reported: 2007-08-07 06:32 UTC by Alexandr
Modified: 2007-08-20 13:47 UTC

Description Alexandr 2007-08-07 06:32:14 UTC
In versions after 3.0.24, joining an AD domain with ads security fails.

# net ads join -U adminuser
adminuser's password:
[2007/08/07 15:05:53, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@USR.NW.PWD.RU failed: Preauthentication failed
Failed to join domain: Logon failure

The same configuration with Samba 3.0.24 works fine.



DETAILS:
SPARC Solaris 10


heimdal kerberos 1.0
[libdefaults]
        default_realm = USR.NW.PWD.RU
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc
        verify_ap_req_nofail = false

[realms]
        USR.NW.PWD.RU = {
                kdc = dcpsk1.usr.nw.PWD.ru:88
                kdc = dcpsk2.usr.nw.PWD.ru:88
                admin_server = dcpsk1.usr.nw.PWD.ru:749
                kpasswd_server = dcpsk1.usr.nw.PWD.ru:464
                kpasswd_protocol = SET_CHANGE
                default_domain = pskov.PWD.ru
        }

[domain_realm]
        usr.nw.PWD.ru = USR.NW.PWD.RU
        .usr.nw.PWD.ru = USR.NW.PWD.RU
        pskov.PWD.ru = USR.NW.PWD.RU
        .pskov.PWD.ru = USR.NW.PWD.RU

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

                period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }

		
# kinit adminuser
adminuser@USR.NW.PWD.RU's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: adminuser@USR.NW.PWD.RU

  Issued           Expires          Principal
Aug  7 15:01:01  Aug  8 01:01:01  krbtgt/USR.NW.PWD.RU@USR.NW.PWD.RU


samba configuration:
CONFIGURE_ARGS=--enable-pie                    \
        --localstatedir=/var                    \
        --with-privatedir=/var/samba            \
        --with-lockdir=/var/samba               \
        --with-piddir=/var/run                  \
        --with-configdir=${PREFIX}/etc/samba    \
        --with-logfilebase=/var/log/samba       \
        --with-readline --with-libiconv         \
        --with-ldap --with-ads --with-krb5      \
        --with-pam --with-pam_smbpass           \
        --with-quotas --without-utmp            \
        --with-libmsrpc --with-libsmbclient     \
        --with-libsmbsharemodes                 \
        --with-acl-support --with-aio-support   \
        --with-sendfile-support --with-winbind  \
        --without-python                        \
        --with-shared-modules=idmap_rid,idmap_ad                \
        --with-libdir=${PREFIX}/lib/samba/sparcv9               \
        --with-pammodulesdir=${PREFIX}/lib/security/sparcv9     \
        --enable-cups --enable-iprint



smb.conf
[global]

# unix shell

template homedir = /export/home/%U
template shell = /bin/sh

winbind nested groups = yes

log level = 3

# charset
dos charset = 866
unix charset = CP1251
display charset = CP1251

security = ads
password server = 10.7.5.20 10.7.5.25
realm = USR.NW.PWD.RU
workgroup = USR

client use spnego = yes
server string =
os level = 10


domain master = no
preferred master = no
domain logons = no

ntlm auth = no
lanman auth = no
client NTLMv2 auth = yes

wins support = no
wins proxy = no

winbind enum groups = yes
winbind enum users = yes
winbind cache time = 3600
winbind use default domain = Yes
winbind nested groups = yes

allow trusted domains =  No
idmap uid = 2000-100000000
idmap gid = 2000-100000000

idmap backend = rid:"USR=2000-100000000"
nt acl support = yes

# log
log file = /var/log/samba/%m.log
max log size = 50

socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
use sendfile = Yes
null passwords = Yes
#lock spin count = 100
deadtime = 60

# printing
printing = cups
printcap name = cups
#use client driver = no
load printers = yes


# net ads join -U adminuser
adminuser's password:
[2007/08/07 15:05:53, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@USR.NW.PWD.RU failed: Preauthentication failed
Failed to join domain: Logon failure





# net -d 10 ads join -U adminuser
[2007/08/07 15:06:22, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
[2007/08/07 15:06:22, 3] param/loadparm.c:lp_load(5024)
  lp_load: refreshing parameters
[2007/08/07 15:06:22, 3] param/loadparm.c:init_globals(1424)
  Initialising global parameters
[2007/08/07 15:06:22, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/usr/local/etc/samba/smb.conf"
[2007/08/07 15:06:22, 3] param/loadparm.c:do_section(3763)
  Processing section "[global]"
  doing parameter preload modules = /usr/local/lib/samba/idmap/rid.so
  doing parameter template homedir = /export/home/%U
  doing parameter template shell = /bin/sh
  doing parameter winbind nested groups = yes
  doing parameter log level = 3
  doing parameter dos charset = 866
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2LE
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2LE
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16LE
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16LE
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS-2BE
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS-2BE
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-16BE
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-16BE
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF8
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF8
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UTF-8
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UTF-8
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ASCII
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ASCII
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset 646
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset 646
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset ISO-8859-1
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset ISO-8859-1
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(105)
  Attempting to register new charset UCS2-HEX
[2007/08/07 15:06:22, 5] lib/iconv.c:smb_register_charset(113)
  Registered charset UCS2-HEX
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
  doing parameter unix charset = CP1251
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
[2007/08/07 15:06:22, 5] lib/charcnv.c:charset_name(82)
  Substituting charset 'KOI8-R' for LOCALE
  doing parameter display charset = CP1251
  doing parameter security = ads
  doing parameter password server = 10.7.5.20 10.7.5.25
  doing parameter realm = USR.NW.PWD.RU
  doing parameter workgroup = USR
  doing parameter client use spnego = yes
  doing parameter server string =
  doing parameter os level = 10
  doing parameter domain master = no
  doing parameter preferred master = no
  doing parameter domain logons = no
  doing parameter ntlm auth = no
  doing parameter lanman auth = no
  doing parameter client NTLMv2 auth = yes
  doing parameter wins support = no
  doing parameter wins proxy = no
  doing parameter winbind enum groups = yes
  doing parameter winbind enum users = yes
  doing parameter winbind cache time = 3600
  doing parameter winbind use default domain = Yes
  doing parameter winbind nested groups = yes
  doing parameter allow trusted domains = No
  doing parameter idmap uid = 2000-100000000
  doing parameter idmap gid = 2000-100000000
  doing parameter idmap backend = rid:"USR=2000-100000000"
  doing parameter nt acl support = yes
  doing parameter log file = /var/log/samba/%m.log
  doing parameter max log size = 50
  doing parameter socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
  doing parameter use sendfile = Yes
  doing parameter null passwords = Yes
  doing parameter deadtime = 60
  doing parameter printing = cups
  doing parameter printcap name = cups
  doing parameter load printers = yes
[2007/08/07 15:06:22, 4] param/loadparm.c:lp_load(5055)
  pm_process() returned Yes
[2007/08/07 15:06:22, 7] param/loadparm.c:lp_servicenumber(5193)
  lp_servicenumber: couldn't find homes
[2007/08/07 15:06:22, 10] param/loadparm.c:set_server_role(4299)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2007/08/07 15:06:22, 5] lib/util.c:init_names(287)
  Netbios name list:-
  my_netbios_names[0]="PENELOPAOLD"
[2007/08/07 15:06:22, 2] lib/interface.c:add_interface(81)
  added interface ip=10.7.5.2 bcast=10.7.5.255 nmask=255.255.255.0
[2007/08/07 15:06:22, 5] lib/gencache.c:gencache_init(61)
  Opening cache file at /var/samba/gencache.tdb
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=USR
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 6] libads/ldap.c:ads_find_dc(294)
  ads_find_dc: looking for realm 'USR.NW.PWD.RU'
[2007/08/07 15:06:22, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
  get_sorted_dc_list: attempting lookup for name USR.NW.PWD.RU (sitename Pskov) using [ads]
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = SAF/DOMAIN/USR.NW.PWD.RU, value = 10.7.5.20, timeout = Tue Aug  7 15:20:53 2007
[2007/08/07 15:06:22, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "10.7.5.20" for "USR.NW.PWD.RU" domain
[2007/08/07 15:06:22, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] libsmb/namequery.c:remove_duplicate_addrs2(435)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2007/08/07 15:06:22, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2007/08/07 15:06:22, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.7.5.20:389 10.7.5.25:389
[2007/08/07 15:06:22, 5] libads/ldap.c:ads_try_connect(180)
  ads_try_connect: sending CLDAP request to 10.7.5.20 (realm: USR.NW.PWD.RU)
[2007/08/07 15:06:22, 10] libads/dns.c:sitename_store(640)
  sitename_store: realm = [USR.NW.PWD.RU], sitename = [Pskov], expire = [4294967295]
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU; value = Pskov and timeout = (NULL) (-1186484783 seconds ahead)
[2007/08/07 15:06:22, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.7.5.20
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] libads/ldap.c:ads_closest_dc(149)
  ads_closest_dc: ADS_CLOSEST flag set
[2007/08/07 15:06:22, 10] libads/kerberos.c:create_local_private_krb5_conf_for_domain(612)
  create_local_private_krb5_conf_for_domain: fname = /var/samba/smb_krb5/krb5.conf.USR, realm = USR.NW.PWD.RU, domain = USR
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = SAF/DOMAIN/USR.NW.PWD.RU, value = 10.7.5.20, timeout = Tue Aug  7 15:20:53 2007
[2007/08/07 15:06:22, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "10.7.5.20" for "USR.NW.PWD.RU" domain
[2007/08/07 15:06:22, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] libsmb/namequery.c:remove_duplicate_addrs2(435)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2007/08/07 15:06:22, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2007/08/07 15:06:22, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.7.5.20:389 10.7.5.25:389
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = SAF/DOMAIN/USR.NW.PWD.RU, value = 10.7.5.20, timeout = Tue Aug  7 15:20:53 2007
[2007/08/07 15:06:22, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "10.7.5.20" for "USR.NW.PWD.RU" domain
[2007/08/07 15:06:22, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:22, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:22, 10] libsmb/namequery.c:remove_duplicate_addrs2(435)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2007/08/07 15:06:22, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2007/08/07 15:06:22, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.7.5.20:389 10.7.5.25:389
[2007/08/07 15:06:22, 10] libads/kerberos.c:get_kdc_ip_string(563)
  get_kdc_ip_string: Returning  kdc = 10.7.5.20
        kdc = 10.7.5.25
        kdc = 10.7.5.25

[2007/08/07 15:06:22, 5] libads/kerberos.c:create_local_private_krb5_conf_for_domain(681)
  create_local_private_krb5_conf_for_domain: wrote file /var/samba/smb_krb5/krb5.conf.USR with realm USR.NW.PWD.RU KDC = 10.7.5.20
[2007/08/07 15:06:22, 4] libsmb/namequery_dc.c:ads_dc_name(131)
  ads_dc_name: using server='DCPSK1.USR.NW.PWD.RU' IP=10.7.5.20
adminuser's password:
[2007/08/07 15:06:25, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:25, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:25, 6] libads/ldap.c:ads_find_dc(294)
  ads_find_dc: looking for realm 'USR.NW.PWD.RU'
[2007/08/07 15:06:25, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
  get_sorted_dc_list: attempting lookup for name USR.NW.PWD.RU (sitename Pskov) using [ads]
[2007/08/07 15:06:25, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = SAF/DOMAIN/USR.NW.PWD.RU, value = 10.7.5.20, timeout = Tue Aug  7 15:20:53 2007
[2007/08/07 15:06:25, 5] libsmb/namequery.c:saf_fetch(136)
  saf_fetch: Returning "10.7.5.20" for "USR.NW.PWD.RU" domain
[2007/08/07 15:06:25, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/08/07 15:06:25, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:25, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:25, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:25, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:25, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU, value = Pskov, timeout = Sun Feb  7 09:28:15 2106
[2007/08/07 15:06:25, 5] libads/dns.c:sitename_fetch(679)
  sitename_fetch: Returning sitename for USR.NW.PWD.RU: "Pskov"
[2007/08/07 15:06:25, 10] libsmb/namequery.c:remove_duplicate_addrs2(435)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2007/08/07 15:06:25, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2007/08/07 15:06:25, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.7.5.20:389 10.7.5.25:389
[2007/08/07 15:06:25, 5] libads/ldap.c:ads_try_connect(180)
  ads_try_connect: sending CLDAP request to 10.7.5.20 (realm: USR.NW.PWD.RU)
[2007/08/07 15:06:25, 10] libads/dns.c:sitename_store(640)
  sitename_store: realm = [USR.NW.PWD.RU], sitename = [Pskov], expire = [4294967295]
[2007/08/07 15:06:25, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = AD_SITENAME/DOMAIN/USR.NW.PWD.RU; value = Pskov and timeout = (NULL) (-1186484786 seconds ahead)
[2007/08/07 15:06:25, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.7.5.20
[2007/08/07 15:06:25, 10] libads/ldap.c:ads_closest_dc(149)
  ads_closest_dc: ADS_CLOSEST flag set
[2007/08/07 15:06:25, 10] libsmb/namequery.c:saf_store(74)
  saf_store: domain = [USR], server = [10.7.5.20], expire = [1186485685]
[2007/08/07 15:06:25, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = SAF/DOMAIN/USR; value = 10.7.5.20 and timeout = Tue Aug  7 15:21:25 2007
   (900 seconds ahead)
[2007/08/07 15:06:25, 10] libsmb/namequery.c:saf_store(74)
  saf_store: domain = [USR.NW.PWD.RU], server = [10.7.5.20], expire = [1186485685]
[2007/08/07 15:06:25, 10] lib/gencache.c:gencache_set(140)
  Adding cache entry with key = SAF/DOMAIN/USR.NW.PWD.RU; value = 10.7.5.20 and timeout = Tue Aug  7 15:21:25 2007
   (900 seconds ahead)
[2007/08/07 15:06:25, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2007/08/07 15:06:25, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2007/08/07 15:06:25, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/08/07 15:06:25, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/08/07 15:06:25, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/08/07 15:06:25, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/08/07 15:06:25, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = dcpsk1$@USR.NW.PWD.RU
[2007/08/07 15:06:25, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2007/08/07 15:06:25, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
  ads_sasl_spnego_krb5_bind failed with: No such file or directory, calling kinit
[2007/08/07 15:06:25, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/samba/smb_krb5/krb5.conf.USR]
[2007/08/07 15:06:25, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@USR.NW.PWD.RU failed: Preauthentication failed
[2007/08/07 15:06:25, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/08/07 15:06:25, 2] utils/net.c:main(1032)
  return code = -1
Comment 1 Guenther Deschner 2007-08-08 05:18:53 UTC
*** Bug 4864 has been marked as a duplicate of this bug. ***
Comment 2 Guenther Deschner 2007-08-08 05:21:45 UTC
Can you please check other callers of Samba's kinit routines, like

net ads search cn=adminuser -U adminuser

to see if that fails as well?
Comment 3 Alexandr 2007-08-08 05:35:07 UTC
samba 3.0.24
# net ads search cn=adminuser -U adminuser
adminuser's password:

Got 0 replies


but in my AD cn="user S family" in UTF8

# net ads search samaccountname=adminuser -U adminuser
adminuser's password:

Got 1 replies

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Домен Админ
sn: Surname
description: домен админы
givenName: Alex
distinguishedName: CN=Домен Админ,OU=Special USERS,DC=USR,DC=NW,DC=PWD,DC=RU
instanceType: 4
whenCreated: 20061113073414.0Z
whenChanged: 20070806120045.0Z
displayName: Домен Админ
uSNCreated: 17758
memberOf: CN=Domain Admins,CN=Users,DC=USR,DC=NW,DC=PWD,DC=RU
uSNChanged: 951909
name: Домен Админ
objectGUID: bf78248d-6c04-44d2-9401-457eceb29028
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 128310424585173278
lastLogon: 128310426258777739
pwdLastSet: 128078769751928205
primaryGroupID: 513
objectSid: S-1-5-21-3474789294-4143071810-677332441-12334
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 495
sAMAccountName: adminuser
sAMAccountType: 805306368
userPrincipalName: adminuser@USR.NW.PWD.RU
servicePrincipalName: MSSQLSvc/psus.USR.NW.PWD.RU:1433
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=NW,DC=PWD,DC=RU


samba 3.0.25b
# net ads search cn=adminuser -U adminuser
adminuser's password:
[2007/08/08 14:27:38, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@PWD.NW.MTS.RU failed: Preauthentication failed
[2007/08/08 14:27:38, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@PWD.NW.MTS.RU failed: Preauthentication failed
Comment 4 Guenther Deschner 2007-08-09 05:49:13 UTC
adminuser@USR.NW.PWD.RU != adminuser@PWD.NW.MTS.RU

that is causing the failure.

Your Samba server is configured to join into USR.NW.PWD.RU while Samba 3.0.25b tries to auth with PWD.NW.MTS.RU. Any idea where PWD.NW.MTS.RU could come from?
Maybe you can describe your setup a little more so that we understand what is going on there.
Comment 5 Alexandr 2007-08-09 06:04:32 UTC
(In reply to comment #4)
> adminuser@USR.NW.PWD.RU != adminuser@PWD.NW.MTS.RU

This is just my posting bug. I was trying to hide MTS domain with my text editor
But.......    :)


Comment 6 Nicolas Dorfsman (mail address dead) 2007-08-17 06:50:37 UTC
I have the same symptom with a fresh new install.

kinit is working fine with any AD user.

Join with a non-privileged user shouts with - Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) -
Great.

Join with an Administrator user gives me:

[2007/08/16 17:21:49, 0] libads/kerberos.c:(228)
  kerberos_kinit_password myuser@AD.PLOUF.NET failed: Preauthentication failed
Failed to join domain: Logon failure

   I'm currently compiling 3.0.23d to check.
Comment 7 Nicolas Dorfsman (mail address dead) 2007-08-17 09:07:23 UTC
It's a fact.

Works fine in 3.0.24. Buggy in 3.0.25.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2007-08-17 10:25:56 UTC
Please don't paste log files inline as comments....
Comment 9 Nicolas Dorfsman (mail address dead) 2007-08-17 10:34:27 UTC
I don't use Heimdal.

I'm using MIT kerberos 5 1.6.2

Can't be linked to heimdal.
Comment 10 Alexandr 2007-08-20 00:27:22 UTC
(In reply to comment #9)
> I don't use Heimdal.
> 
> I'm using MIT kerberos 5 1.6.2
> 
> Can't be linked to heimdal.
> 

It doesn't depend on the Kerberos vendor.
Tests were done with native Solaris KRB packages, Heimdal, and MIT.
Comment 11 Nicolas Dorfsman (mail address dead) 2007-08-20 03:56:30 UTC
Ok, DC versions :

- Windows Server 2003 SP1  + security patches
- Active Directory 
    Domain functional level : Windows Server 2003
    Forest functional level : Windows 2000


PS:
Could somebody change summary of this bug ?

Comment 12 Nicolas Dorfsman (mail address dead) 2007-08-20 04:17:30 UTC
It works with an 8-character password!
Comment 13 Gerald (Jerry) Carter (dead mail address) 2007-08-20 06:52:25 UTC
Is everyone on this bug using Solaris?
Comment 14 Alexandr 2007-08-20 07:05:41 UTC
I am, bug initiator....
Comment 15 Gerald (Jerry) Carter (dead mail address) 2007-08-20 13:47:04 UTC
From the samba ml, it appears this is the 8 character limitation on 
Solaris.

*** This bug has been marked as a duplicate of 4866 ***
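
Comments 12 and 15 trace the failure to an 8-character limit on Solaris. The C program below is an added example, not Samba code and not something posted in this bug; it assumes the limit sits in the password prompt (Solaris getpass(3C) returns at most 8 characters), and LEGACY_MAX, PW_BUF and every function name are hypothetical. It puts a prompt that silently truncates beside one that refuses over-long input, using constructed sample passwords.

```c
#include <stdio.h>
#include <string.h>

#define LEGACY_MAX 8          /* limit reported in comments 12 and 15 */
#define PW_BUF     257        /* room for a 256-character password (assumed) */

typedef int (*getc_fn)(void *ctx);            /* returns one byte or EOF */

/* In-memory byte source, so the readers can be exercised without a tty. */
struct strsrc { const char *p; };
static int str_getc(void *ctx)
{
    struct strsrc *s = ctx;
    return *s->p ? (unsigned char)*s->p++ : EOF;
}

/* Byte source over a stdio stream, for use with a real terminal. */
int file_getc(void *ctx) { return fgetc((FILE *)ctx); }

/* Legacy-style prompt: keeps the first LEGACY_MAX bytes of the line and
 * silently discards the rest. out must hold LEGACY_MAX + 1 bytes. */
size_t read_pw_legacy(getc_fn next, void *ctx, char *out)
{
    size_t n = 0;
    int c;
    while ((c = next(ctx)) != EOF && c != '\n')
        if (n < LEGACY_MAX)
            out[n++] = (char)c;
    out[n] = '\0';
    return n;
}

/* Checked prompt: returns the password length, or -1 if the line did not
 * fit in out. It never hands back a shortened password. */
long read_pw_checked(getc_fn next, void *ctx, char *out, size_t outsz)
{
    size_t n = 0;
    int c, overflow = 0;
    while ((c = next(ctx)) != EOF && c != '\n') {
        if (n + 1 < outsz)
            out[n++] = (char)c;
        else
            overflow = 1;
    }
    out[n] = '\0';
    if (overflow) {
        memset(out, 0, outsz);   /* drop the partial secret */
        return -1;
    }
    return (long)n;
}

/* Returns 1 if the legacy prompt passes on something other than what was
 * typed. The client then derives its Kerberos key from the wrong string
 * and the KDC answers "Preauthentication failed". */
int legacy_alters(const char *typed)
{
    struct strsrc s = { typed };
    char got[LEGACY_MAX + 1];
    read_pw_legacy(str_getc, &s, got);
    return strcmp(got, typed) != 0;
}

/* Length the checked prompt reports for typed with an outsz-byte buffer,
 * or -1 when the input would have been cut. */
long checked_len(const char *typed, size_t outsz)
{
    struct strsrc s = { typed };
    char buf[PW_BUF];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    return read_pw_checked(str_getc, &s, buf, outsz);
}

int main(void)
{
    /* Constructed sample passwords: 8 and 12 characters. */
    const char *samples[] = { "Abcd1234", "Abcd1234efgh" };
    for (size_t i = 0; i < 2; i++)
        printf("%zu chars: legacy prompt %s, checked prompt returns %ld\n",
               strlen(samples[i]),
               legacy_alters(samples[i]) ? "truncates" : "keeps it intact",
               checked_len(samples[i], PW_BUF));
    return 0;
}
```

The 8-character sample survives both prompts, which matches the observation in comment 12; the 12-character one is altered only by the legacy prompt.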