Solved

SLES 9.3 authentication against AD 2008

Posted on 2009-05-19
Last Modified: 2013-12-05
Morning,

A while back I asked a question about SLES 9.3 authentication against AD 2003, to which I got the following solution, which worked perfectly.

http://lists.suse.com/archive/suse-sles-e/2006-May/0049.html

My question is this: our Windows AD has been upgraded to AD 2008 and now I cannot authenticate against it, and I am getting the following message in my messages file.

May 19 10:40:57 bmail1 winbindd[9794]: [2009/05/19 10:40:57, 0] libads/kerberos.c:ads_kinit_password(147)
May 19 10:40:57 bmail1 winbindd[9794]:   kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 19 10:41:11 bmail1 winbindd[9794]: [2009/05/19 10:41:11, 0] libads/kerberos.c:ads_kinit_password(147)
May 19 10:41:11 bmail1 winbindd[9794]:   kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 19 10:41:23 bmail1 winbindd[9794]: [2009/05/19 10:41:23, 0] libads/kerberos.c:ads_kinit_password(147)
May 19 10:41:23 bmail1 winbindd[9794]:   kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 19 10:41:37 bmail1 winbindd[9794]: [2009/05/19 10:41:37, 0] libads/kerberos.c:ads_kinit_password(147)
May 19 10:41:37 bmail1 winbindd[9794]:   kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database

How can I resolve this?

Kind regards
Wesley
Question by:ablsysadmin
LVL 14

Accepted Solution

by:
Monis Monther earned 1500 total points
ID: 24420505
I have recently joined a CentOS 5.2 to AD 2008 successfully (after pulling some hair out), but successfully, so

Client not found in Kerberos database means that you can't authenticate with Kerberos; we can try a few steps here.

First update your samba packages.

Now try kinit administrator
You should get prompted for the password.

When entering your password you should get back to the prompt and you can do
klist
This will list your ticket.

Let me know if you pass this test; there are many things to consider here.

0
 
LVL 7

Expert Comment

by:askb
ID: 24422076
Couple of things you can check:

1. Check if you are using the correct password, or reset the password on the AD side and try the same. (http://www.3sp.com/en/kb/idx.php/75/211/Active-Directory/article/Common-Active-Directory-Errors.html )
2. Check if the user/principal names exist on AD side.
0
 

Author Comment

by:ablsysadmin
ID: 24422369
OK, did the klist and this is the result:

bmail1:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: adadmin@%domain name%

  Issued           Expires          Principal
May 19 10:29:19  May 19 20:29:18  krbtgt/%domain name%@%domain name%
0
 
LVL 5

Expert Comment

by:random_ru
ID: 24422792
Wesley,

What was the server OS  you upgraded from?
0
 
LVL 7

Expert Comment

by:askb
ID: 24423502
The client not found is for host/BMAIL1@AFRICANBANK.NET. You could try doing a kinit for this principal as well?
0
 
LVL 14

Expert Comment

by:Monis Monther
ID: 24424395
Do kinit alone with no arguments; it should ask you for the administrator password. Type the password and see what you get.
0
 

Author Comment

by:ablsysadmin
ID: 24428736
Morning experts,

Ok, answers to your questions.

1. We upgraded our AD server from 2003 to 2008 (Microsoft)
2. BMAIL1 is the actual SLES 9.3 server, it is not a user.  Therefore there is no password to give when I do a kinit.
3. If I do a kinit alone I get the following.

bmail1:~ # kinit
adadmin@AFRICANBANK.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 10 hours

In the first post it was said that I should update my samba packages.  I have not yet done this.  Should I upgrade the server to SLES 10.2?  This will upgrade the samba packages.
0
 

Author Comment

by:ablsysadmin
ID: 24428755
Here is some more output when trying to log in with my domain account.

May 20 07:09:18 bmail1 winbindd[4300]: [2009/05/20 07:09:18, 0] libads/kerberos.c:ads_kinit_password(147)
May 20 07:09:18 bmail1 winbindd[4300]:   kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 20 07:09:18 bmail1 sshd[6142]: Invalid user wcoleman from 10.30.132.232
May 20 07:09:24 bmail1 pam_winbind[6144]: request failed: NT code 0xc0000388, PAM error was 4, NT error was NT code 0xc0000388
May 20 07:09:24 bmail1 pam_winbind[6144]: internal module error (retval = 4, user = `wcoleman')
May 20 07:09:24 bmail1 sshd[6144]: pam_krb5: unable to determine uid/gid for user
May 20 07:09:24 bmail1 sshd[6144]: pam_krb5: authentication fails for `wcoleman'
May 20 07:09:24 bmail1 sshd[6144]: pam_krb5: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)
0
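The log excerpts posted in this thread can be triaged mechanically; the following is an added example, not part of any participant's post. It rejoins wrapped syslog lines, then separates the Kerberos failure for the machine principal from the pam_winbind NT status logged at user login. Function names and the embedded sample are constructed for illustration; the NT status name is the one defined in Microsoft's ntstatus.h.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the excerpts in this thread; the first
# failure is re-wrapped mid-word, the way a terminal paste often breaks it.
SAMPLE_LOG = """\
May 19 10:40:57 bmail1 winbindd[9794]: [2009/05/19 10:40:57, 0] libads/kerberos.c:ads_kinit_password(147)
May 19 10:40:57 bmail1 winbindd[9794]:   kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Ker
beros database
May 20 07:09:18 bmail1 winbindd[4300]:   kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 20 07:09:24 bmail1 pam_winbind[6144]: request failed: NT code 0xc0000388, PAM error was 4, NT error was NT code 0xc0000388
May 20 07:09:24 bmail1 sshd[6144]: pam_krb5: authentication fails for `wcoleman'
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
KINIT_FAIL = re.compile(r"kerberos_kinit_password (\S+) failed: (.+)$")
NT_CODE = re.compile(r"pam_winbind\[\d+\]: request failed: NT code (0x[0-9a-fA-F]+)")
NT_STATUS_NAMES = {0xC0000388: "STATUS_DOWNGRADE_DETECTED"}  # name from ntstatus.h

def unwrap(log_text):
    """Join continuation lines (no syslog timestamp) onto the previous record."""
    records = []
    for line in log_text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def classify_principal(principal):
    """Host/service principals have a '/' before the realm; user principals do not."""
    return "machine/service" if "/" in principal.split("@", 1)[0] else "user"

def triage(log_text):
    """Count kinit failures per (principal, kind, reason) and pam_winbind NT codes."""
    kinit, nt = Counter(), Counter()
    for record in unwrap(log_text):
        m = KINIT_FAIL.search(record)
        if m:
            kinit[(m.group(1), classify_principal(m.group(1)), m.group(2).strip())] += 1
        m = NT_CODE.search(record)
        if m:
            nt[int(m.group(1), 16)] += 1
    return kinit, nt

def report(log_text):
    kinit, nt = triage(log_text)
    out = [f"{n}x kinit failure for {kind} principal {p}: {why}"
           for (p, kind, why), n in kinit.most_common()]
    out += [f"{n}x pam_winbind NT status 0x{c:08x} ({NT_STATUS_NAMES.get(c, 'unknown')})"
            for c, n in nt.most_common()]
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample, every kinit failure is for the host principal, while the earlier `kinit` as adadmin succeeded, so the report points at the machine account rather than at user credentials.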
 

Author Comment

by:ablsysadmin
ID: 24429036
Hi guys,

I've been going through the questions I posted with the original setup. The problem there was with winbind, because it was not started.

bmail1:/ # wbinfo -u
Error looking up domain users
bmail1:/ # wbinfo -g
Error looking up domain groups

I am getting the same errors now; however, winbind is started.

I'm going to upgrade the server to SLES 10.2 and go through the configs as stated in this link.

http://lists.suse.com/archive/suse-sles-e/2006-May/0049.html

Hopefully with the updated packages (smb, winbind etc) the authentication will work.  If someone has steps on how to set up AD authentication between MS AD 2008 and SLES 10.2, that would be great.
0
 

Author Closing Comment

by:ablsysadmin
ID: 31582908
I upgraded the OS to SLES 10, still no joy.  Then upgraded the samba to 3.4, that did the job.  There was also a hot fix installed on the 2008 AD for kerberos authentication.  Not sure if that did anything. http://support.microsoft.com/kb/951191  Thanks
0
