Hi List,
I have reported this issue before but I did not get an answer, I'll try one more 
time before I register it as a bug in case I am doing something wrong. 

I'm evaluating the use of samba/winbind to join our linux hosts into Active 
Directory. My test setup uses win2k3 R2 with rfc2307 schema fields populated on 
the server side. For the most part the project is humming along nicely.

However, I have noticed that the domain controllers get spammed with a lot of 
messages in the event log. The events look like this:

Failure Audit  - Security - 675

Pre-Authentication failed:
                User Name:                      machineaccount$
                User ID:                                DOMAIN\\machineaccount$
                Service Name:                   krgtgt/DOMAIN
                Pre-Authentication type:        0x0
                Failure Code:                   0x19
                Client Address:                 ipofclient

This message is not fatal in any way, all it means is that the client did not 
pre-authenticate itself to the domain controller. The domain controller responds 
to the client that it needs pre-auth to proceed, the client then supplies the 
pre-auth info. So the "error" in itself is quite harmless, my concern is that 
it's appearing a bit too often. Some clients log this message to the 
domain controller up to 10-20 times a minute, could this indicate that something 
is broken?

My other concern is that this message will totally flood the logs of the 
domain controllers in the event of a full scale rollout on all linux clients. 

The solution I believe is to always send KRB5_PADATA_ENC_TIMESTAMP as pre-auth 
when connecting to an Active Directory domain controller. I have searched for a 
config option to enable this behavior without finding one. I have also searched 
the source code to see where the connection to the domain controller is set up. 
I have however been unsuccessful in figuring out how I tell sasl to make the 
connection using pre-auth.

Unless I have misunderstood my problem I believe this will benefit anyone who 
integrates their samba machines into Active Directory.

Other solutions I found via google solve the problem by disabling pre-auth 
altogether. This solution is totally unacceptable from a security point of view.

For reference I have used samba 3.2.5 from debian lenny and samba 3.3.3 from 
lenny backports to test this. 

Any advice on how to proceed would be appreciated.

Andreas Larsson
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
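The post distinguishes the harmless Failure Code 0x19 (the KDC asking the client to retry with pre-auth) from a real authentication failure. The triage script below, an added example that is not from the original post or from Samba, parses exported Event 675 blocks of the shape shown above, separates expected 0x19 negotiation noise from 0x18 (wrong key) failures, and flags clients whose 0x19 rate exceeds the 10-per-minute level the post mentions. Host names, addresses and the per-minute window are constructed sample data.

```python
import re
from collections import defaultdict

# Kerberos KDC error codes as they appear in the Failure Code field of Event 675.
KDC_ERR_PREAUTH_FAILED = 0x18    # wrong key: bad password or stale keytab
KDC_ERR_PREAUTH_REQUIRED = 0x19  # KDC asks the client to retry with pre-auth

# Fields appear in a fixed order inside each block, so one non-greedy regex suffices.
EVENT_RE = re.compile(
    r"Failure Audit\s+-\s+Security\s+-\s+675.*?User Name:\s+(?P<user>\S+).*?"
    r"Pre-Authentication type:\s+(?P<patype>0x[0-9a-fA-F]+).*?"
    r"Failure Code:\s+(?P<code>0x[0-9a-fA-F]+).*?Client Address:\s+(?P<client>\S+)",
    re.S)

def parse_events(text):
    """Return one dict (user, patype, code, client) per Event 675 block in text."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]

def triage(text, window_minutes, noisy_per_minute=10):
    """Return (noisy, failed): (client, account) pairs whose 0x19 rate exceeds
    noisy_per_minute over the window, and pairs that produced 0x18 failures."""
    required, failed = defaultdict(int), defaultdict(int)
    for ev in parse_events(text):
        key, code = (ev["client"], ev["user"]), int(ev["code"], 16)
        if code == KDC_ERR_PREAUTH_REQUIRED and int(ev["patype"], 16) == 0:
            required[key] += 1        # initial AS-REQ without padata: expected
        elif code == KDC_ERR_PREAUTH_FAILED:
            failed[key] += 1          # pre-auth was sent but the key was wrong
    noisy = sorted(k for k, n in required.items() if n / window_minutes > noisy_per_minute)
    return noisy, sorted(failed)

# Template mirroring the event layout quoted in the post (constructed, not a real export).
EVENT_TEMPLATE = """Failure Audit  - Security - 675
Pre-Authentication failed:
    User Name:                {user}
    User ID:                  DOMAIN\\{user}
    Service Name:             krbtgt/DOMAIN
    Pre-Authentication type:  {patype}
    Failure Code:             {code}
    Client Address:           {client}
"""

def constructed_log():
    """Constructed one-minute export: one chatty host, one quiet host, one bad key."""
    ev = lambda u, t, c, ip: EVENT_TEMPLATE.format(user=u, patype=t, code=c, client=ip)
    blocks = [ev("linuxhost1$", "0x0", "0x19", "10.0.0.5")] * 12
    blocks += [ev("linuxhost2$", "0x0", "0x19", "10.0.0.6")] * 2
    blocks += [ev("linuxhost3$", "0x2", "0x18", "10.0.0.7")]  # 0x2 = PA-ENC-TIMESTAMP
    return "\n".join(blocks)
```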