AblSysadmin
asked on
SLES 9.3 authentication against AD 2008
Morning,
A while back I asked a question about SLES 9.3 authentication against AD 2003, to which I got the following solution, which worked perfectly.
http://lists.suse.com/archive/suse-sles-e/2006-May/0049.html
My question is this: our Windows AD has been upgraded to AD 2008 and now I cannot authenticate against it, and I am getting the following message in my messages file.
May 19 10:40:57 bmail1 winbindd[9794]: [2009/05/19 10:40:57, 0] libads/kerberos.c:ads_kinit_password (147)
May 19 10:40:57 bmail1 winbindd[9794]: kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 19 10:41:11 bmail1 winbindd[9794]: [2009/05/19 10:41:11, 0] libads/kerberos.c:ads_kinit_password (147)
May 19 10:41:11 bmail1 winbindd[9794]: kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 19 10:41:23 bmail1 winbindd[9794]: [2009/05/19 10:41:23, 0] libads/kerberos.c:ads_kinit_password (147)
May 19 10:41:23 bmail1 winbindd[9794]: kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 19 10:41:37 bmail1 winbindd[9794]: [2009/05/19 10:41:37, 0] libads/kerberos.c:ads_kinit_password (147)
May 19 10:41:37 bmail1 winbindd[9794]: kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
How can I resolve this?
Kind regards
Wesley
ASKER
OK, did the klist and this is the result:
bmail1:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: adadmin@%domain name%
Issued Expires Principal
May 19 10:29:19 May 19 20:29:18 krbtgt/%domain name%@%domain name%
Wesley,
What was the server OS you upgraded from?
The client not found is for - host/BMAIL1@AFRICANBANK.NET. You could try doing a kinit for this principal as well?
Do kinit alone with no arguments; it should ask you for the administrator password. Type the password and see what you get.
ASKER
Morning experts,
Ok, answers to your questions.
1. We upgraded our AD server from 2003 to 2008 (Microsoft)
2. BMAIL1 is the actual SLES 9.3 server, it is not a user. Therefore there is no password to give when I do a kinit.
3. If I do a kinit alone I get the following.
bmail1:~ # kinit
adadmin@AFRICANBANK.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 10 hours
In the first post it was said that I should update my samba packages. I have not yet done this. Should I upgrade the server to SLES 10.2? This will upgrade the samba packages.
ASKER
Here is some more output when trying to log in with my domain account.
May 20 07:09:18 bmail1 winbindd[4300]: [2009/05/20 07:09:18, 0] libads/kerberos.c:ads_kinit_password (147)
May 20 07:09:18 bmail1 winbindd[4300]: kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 20 07:09:18 bmail1 sshd[6142]: Invalid user wcoleman from 10.30.132.232
May 20 07:09:24 bmail1 pam_winbind[6144]: request failed: NT code 0xc0000388, PAM error was 4, NT error was NT code 0xc0000388
May 20 07:09:24 bmail1 pam_winbind[6144]: internal module error (retval = 4, user = `wcoleman')
May 20 07:09:24 bmail1 sshd[6144]: pam_krb5: unable to determine uid/gid for user
May 20 07:09:24 bmail1 sshd[6144]: pam_krb5: authentication fails for `wcoleman'
May 20 07:09:24 bmail1 sshd[6144]: pam_krb5: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)
ASKER
Hi guys,
I've been going through the questions I posted with the original setup. The problem there was with winbind, because it was not started.
bmail1:/ # wbinfo -u
Error looking up domain users
bmail1:/ # wbinfo -g
Error looking up domain groups
I am getting the same errors now; however, winbind is started.
I'm going to upgrade the server to SLES 10.2 and go through the configs as stated in this link.
http://lists.suse.com/archive/suse-sles-e/2006-May/0049.html
Hopefully with the updated packages (smb, winbind etc) the authentication will work. If someone has steps on how to set up AD authentication between MS AD 2008 and SLES 10.2, that would be great.
ASKER
I upgraded the OS to SLES 10, still no joy. Then upgraded the samba to 3.4, that did the job. There was also a hot fix installed on the 2008 AD for Kerberos authentication. Not sure if that did anything.
http://support.microsoft.com/kb/951191
Thanks
1. Check if you are using the correct password, or reset the password on the AD side and try the same. (http://www.3sp.com/en/kb/idx.php/75/211/Active-Directory/article/Common-Active-Directory-Errors.html )
2. Check if the user/principal names exist on the AD side.
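Added example, not part of the original thread: a small Python triage of syslog lines like the ones quoted above, showing that the principal the KDC cannot find is the machine's own host/ principal rather than the user logging in. The function names and the sample log are constructed for illustration; the name given for NT code 0xc0000388 is the one in Samba's NT status table.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
May 19 10:40:57 bmail1 winbindd[9794]: kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 20 07:09:18 bmail1 winbindd[4300]: kerberos_kinit_password host/BMAIL1@AFRICANBANK.NET failed: Client not found in Kerberos database
May 20 07:09:18 bmail1 sshd[6142]: Invalid user wcoleman from 10.30.132.232
May 20 07:09:24 bmail1 pam_winbind[6144]: request failed: NT code 0xc0000388, PAM error was 4, NT error was NT code 0xc0000388
May 20 07:09:24 bmail1 sshd[6144]: pam_krb5: authentication fails for `wcoleman'
"""

KINIT_FAIL = re.compile(r"kerberos_kinit_password (\S+)@(\S+) failed: (.+)$")
NT_CODE = re.compile(r"pam_winbind\[\d+\]: request failed: NT code (0x[0-9a-fA-F]{8})")

# Only the status code that appears in the thread is named here.
NT_STATUS_NAMES = {0xC0000388: "NT_STATUS_DOWNGRADE_DETECTED"}


def triage(log_text):
    """Count Kerberos kinit failures per principal and pam_winbind NT codes."""
    principals = Counter()
    nt_codes = Counter()
    for line in log_text.splitlines():
        m = KINIT_FAIL.search(line)
        if m:
            name, realm, reason = m.groups()
            # A service-style name (host/NAME) is the machine account's
            # identity; a bare name is a user principal.
            kind = "machine" if "/" in name else "user"
            principals[(kind, f"{name}@{realm}", reason.strip())] += 1
            continue
        m = NT_CODE.search(line)
        if m:
            code = int(m.group(1), 16)
            nt_codes[NT_STATUS_NAMES.get(code, hex(code))] += 1
    return principals, nt_codes


def machine_principal_missing(log_text):
    """True when the KDC reports the host's own principal as unknown."""
    principals, _ = triage(log_text)
    return any(kind == "machine" and "Client not found" in reason
               for (kind, _principal, reason) in principals)


if __name__ == "__main__":
    found, codes = triage(SAMPLE_LOG)
    for (kind, principal, reason), count in found.items():
        print(f"{count}x {kind} principal {principal}: {reason}")
    for name, count in codes.items():
        print(f"{count}x {name}")
```

A machine-principal result points at the computer account on the AD side, which is what item 2 above asks you to check, rather than at the user's password.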