[Samba] Joining Ubuntu Server to Domain - "kinit succeeded but ads_sasl_spnego_gensec_bind failed"
Rowland Penny
rpenny at samba.org
Sat Apr 13 08:23:54 UTC 2019
On Fri, 12 Apr 2019 16:30:00 -0700
Ian O'Neill via samba <samba at lists.samba.org> wrote:
> <-----------------------
> [global]
> workgroup = CORP
> password server = dc0.corp.company.internal
> realm = CORP.COMPANY.INTERNAL
> security = ads
>
> idmap config * : range = 16777216-33554431
> template homedir = /home/%U
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
>
> dns proxy = No
> log file = /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> server role = standalone server
> server string = %h server (Samba, Ubuntu)
> syslog = 0
> unix password sync = Yes
> usershare allow guests = Yes
> idmap config * : backend = tdb
> ----------------------->
>
> I am currently assuming (due to prior success) that the problem is
> not with the DNS/DC configuration but rather with the client/member
> configuration, most likely smb.conf and potentially krb5.conf.
>
> I'm not sure if it's an issue with Ubuntu 18.04 and Winbind/Samba
> versions, something about which Winbind backend I use
> (ad/rid/autorid) or if it would be a better idea to use SSSD or
> something instead of Winbind. I might be following the steps in the
> Samba wiki guide incorrectly, but I've attempted them multiple times
> and unfortunately I haven't been able to figure out exactly what I'm
> doing wrong.
>
No, it wouldn't be better to use sssd, it would be better to set up
your smb.conf correctly ;-)

Reread this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

And one of these:

https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid

As a hint, you cannot have:

    security = ads

AND

    server role = standalone server

They are totally different things.

You also need more than this:

    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431

You need lines for the 'CORP' domain

Rowland
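
The two problems named in the reply above, written as a check that can be run over an smb.conf. This is an added example, not part of the original post and not Samba code; the function names and the reduced sample config are constructed for illustration.

```python
import re

# Constructed sample: the relevant [global] lines from the quoted smb.conf.
SAMPLE = """\
[global]
   workgroup = CORP
   realm = CORP.COMPANY.INTERNAL
   security = ads
   server role = standalone server
   idmap config * : backend = tdb
   idmap config * : range = 16777216-33554431
"""

def norm(name):
    # smb.conf(5): case and whitespace in parameter names are irrelevant.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def lint_member_config(text):
    """Findings for an smb.conf that is meant to be an AD domain member."""
    p, findings = parse_global(text), []
    if p.get("security", "").lower() != "ads":
        return findings  # not configured as an AD member; nothing to check
    if p.get("serverrole", "").lower().startswith("standalone"):
        findings.append("security = ads conflicts with server role = standalone server")
    domain = p.get("workgroup", "")
    if not domain:
        return findings + ["workgroup is not set"]
    for item in ("backend", "range"):
        if norm(f"idmap config {domain} : {item}") not in p:
            findings.append(f"missing idmap config {domain.upper()} : {item}")
    return findings

if __name__ == "__main__":
    for finding in lint_member_config(SAMPLE):
        print(finding)
```

Run against the sample, it reports the role conflict and the two missing 'CORP' idmap lines; it does not validate the chosen backend or range values.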