In versions after 3.0.24 joining AD domain with ads security failed

# net ads join -U adminuser
adminuser's password:
[2007/08/07 15:05:53, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@USR.NW.PWD.RU failed: Preauthentication failed
Failed to join domain: Logon failure

The same configuration with samba 3.0.24 works fine.

DETAILS:
SPARC Solaris 10
heimdal kerberos 1.0

[libdefaults]
    default_realm = USR.NW.PWD.RU
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    verify_ap_req_nofail = false

[realms]
    USR.NW.PWD.RU = {
        kdc = dcpsk1.usr.nw.PWD.ru:88
        kdc = dcpsk2.usr.nw.PWD.ru:88
        admin_server = dcpsk1.usr.nw.PWD.ru:749
        kpasswd_server = dcpsk1.usr.nw.PWD.ru:464
        kpasswd_protocol = SET_CHANGE
        default_domain = pskov.PWD.ru
    }

[domain_realm]
    usr.nw.PWD.ru = USR.NW.PWD.RU
    .usr.nw.PWD.ru = USR.NW.PWD.RU
    pskov.PWD.ru = USR.NW.PWD.RU
    .pskov.PWD.ru = USR.NW.PWD.RU

[logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
        # How often to rotate kdc.log. Logs will get rotated no more
        # often than the period, and less often if the KDC is not used
        # frequently.
        period = 1d
        # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
        versions = 10
    }

[appdefaults]
    kinit = {
        renewable = true
        forwardable= true
    }

# kinit adminuser
adminuser@USR.NW.PWD.RU's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: adminuser@USR.NW.PWD.RU

  Issued           Expires          Principal
Aug  7 15:01:01  Aug  8 01:01:01  krbtgt/USR.NW.PWD.RU@USR.NW.PWD.RU

samba configuration:

CONFIGURE_ARGS=--enable-pie \
    --localstatedir=/var \
    --with-privatedir=/var/samba \
    --with-lockdir=/var/samba \
    --with-piddir=/var/run \
    --with-configdir=${PREFIX}/etc/samba \
    --with-logfilebase=/var/log/samba \
    --with-readline --with-libiconv \
    --with-ldap --with-ads --with-krb5 \
    --with-pam --with-pam_smbpass \
    --with-quotas --without-utmp \
    --with-libmsrpc --with-libsmbclient \
    --with-libsmbsharemodes \
    --with-acl-support --with-aio-support \
    --with-sendfile-support --with-winbind \
    --without-python \
    --with-shared-modules=idmap_rid,idmap_ad \
    --with-libdir=${PREFIX}/lib/samba/sparcv9 \
    --with-pammodulesdir=${PREFIX}/lib/security/sparcv9 \
    --enable-cups --enable-iprint

smb.conf

[global]
# unix shell
template homedir = /export/home/%U
template shell = /bin/sh
winbind nested groups = yes
log level = 3
# charset
dos charset = 866
unix charset = CP1251
display charset = CP1251
security = ads
password server = 10.7.5.20 10.7.5.25
realm = USR.NW.PWD.RU
workgroup = USR
client use spnego = yes
server string =
os level = 10
domain master = no
preferred master = no
domain logons = no
ntlm auth = no
lanman auth = no
client NTLMv2 auth = yes
wins support = no
wins proxy = no
winbind enum groups = yes
winbind enum users = yes
winbind cache time = 3600
winbind use default domain = Yes
winbind nested groups = yes
allow trusted domains = No
idmap uid = 2000-100000000
idmap gid = 2000-100000000
idmap backend = rid:"USR=2000-100000000"
nt acl support = yes
# log
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
use sendfile = Yes
null passwords = Yes
#lock spin count = 100
deadtime = 60
# printing
printing = cups
printcap name = cups
#use client driver = no
load printers = yes

# net ads join -U adminuser
adminuser's password:
[2007/08/07 15:05:53, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@USR.NW.PWD.RU failed: Preauthentication failed
Failed to join domain: Logon failure

# net -d 10 ads join -U adminuser

*** Bug 4864 has been marked as a duplicate of this bug. ***
Can you please check other callers of Samba's kinit routines, like

net ads search cn=adminuser -U adminuser

to see if that fails as well?
samba 3.0.24

# net ads search cn=adminuser -U adminuser
adminuser's password:
Got 0 replies

but in my AD cn="user S family" in UTF8

# net ads search samaccountname=adminuser -U adminuser
adminuser's password:
Got 1 replies

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Домен Админ
sn: Surname
description: домен админы
givenName: Alex
distinguishedName: CN=Домен Админ,OU=Special USERS,DC=USR,DC=NW,DC=PWD,DC=RU
instanceType: 4
whenCreated: 20061113073414.0Z
whenChanged: 20070806120045.0Z
displayName: Домен Админ
uSNCreated: 17758
memberOf: CN=Domain Admins,CN=Users,DC=USR,DC=NW,DC=PWD,DC=RU
uSNChanged: 951909
name: Домен Админ
objectGUID: bf78248d-6c04-44d2-9401-457eceb29028
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 128310424585173278
lastLogon: 128310426258777739
pwdLastSet: 128078769751928205
primaryGroupID: 513
objectSid: S-1-5-21-3474789294-4143071810-677332441-12334
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 495
sAMAccountName: adminuser
sAMAccountType: 805306368
userPrincipalName: adminuser@USR.NW.PWD.RU
servicePrincipalName: MSSQLSvc/psus.USR.NW.PWD.RU:1433
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=NW,DC=PWD,DC=RU

samba 3.0.25b

# net ads search cn=adminuser -U adminuser
adminuser's password:
[2007/08/08 14:27:38, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@PWD.NW.MTS.RU failed: Preauthentication failed
[2007/08/08 14:27:38, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password adminuser@PWD.NW.MTS.RU failed: Preauthentication failed
adminuser@USR.NW.PWD.RU != adminuser@PWD.NW.MTS.RU

that is causing the failure. Your samba server is configured to join into USR.NW.PWD.RU while samba 3.0.25b tries to auth with PWD.NW.MTS.RU. Any idea where PWD.NW.MTS.RU could come from? Maybe you can describe your setup a little more so that we understand what is going on there.
(In reply to comment #4)
> adminuser@USR.NW.PWD.RU != adminuser@PWD.NW.MTS.RU

This is just my posting bug. I was trying to hide MTS domain with my text editor. But....... :)
I have the same symptom with a fresh new install.

kinit is working fine with any AD User.

Join with a non-privileged user shouts with
- Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) - Great.

JOIN with an Administrator user gives me:

[2007/08/16 17:21:49, 0] libads/kerberos.c:(228)
  kerberos_kinit_password myuser@AD.PLOUF.NET failed: Preauthentication failed
Failed to join domain: Logon failure

I'm currently compiling 3.0.23d to check.
It's a fact. Works fine in 3.0.24. Buggy in 3.0.25.
Please don't paste log files inline as comments....
I don't use Heimdal.

I'm using MIT kerberos 5 1.6.2.

Can't be linked to heimdal.
(In reply to comment #9)
> I don't use Heimdal.
>
> I'm using MIT kerberos 5 1.6.2
>
> Can't be linked to heimdal.
>

It doesn't depend on Kerberos vendor. Tests were done with native Solaris KRB packages, Heimdal, and MIT.
Ok, DC versions:
- Windows Server 2003 SP1 + security patches
- Active Directory
  Domain functional level: Windows Server 2003
  Forest functional level: Windows 2000

PS: Could somebody change summary of this bug?
It works with an 8-character password!
Is everyone on this bug using Solaris?
I am, bug initiator....
From the samba ml, it appears this is the 8 character limitation on Solaris. *** This bug has been marked as a duplicate of 4866 ***