[Samba] client ldap sasl wrapping stripped out by testparm: AD net join fails

Hornbaker, RW Rw.Hornbaker at serco-na.com
Mon Aug 24 13:12:45 MDT 2009



net ads join -Urw.hornbaker -d10 fails with:
 ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit (please see below)

This was addressed 10/1/08 by Martin Zielinski and more recently by Gunther Deschner.  Both said to use client ldap sasl wrapping:
Using a new default compilation of samba 3.2.14 on x86_64, RHEL 5.3,

And placing
  client ldap sasl wrapping = sign
in smb.conf has no effect because testparm -s strips out this line.  Gunther suggested looking at the man page for more options but it's not listed in man smb.conf.  Perhaps he is referencing another man page.  Is there some ./configure option that needs to be used to make "client ldap sasl wrapping" available, or is there some other way to prevent the "No credentials cache found" error?

Thanks,
RW Hornbaker


ds_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/08/24 11:39:33, 10] libads/sasl.c:ads_sasl_spnego_bind(321)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
[2009/08/24 11:39:33, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/cache/samba/smb_krb5/krb5.conf.EXAMPLE]
[2009/08/24 11:39:33, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Mon, 24 Aug 2009 21:39:33 MDT
[2009/08/24 11:39:33, 10] libsmb/clikrb5.c:ads_krb5_mk_req(624)
ads_krb5_mk_req: Ticket (wsmra1100000001$@EXAMPLE.COM) in ccache (MEMORY:net_ads) is valid until: (Mon, 24 Aug 2009 21:39:33 MDT - 1251171573)
[2009/08/24 11:39:33, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
Got KRB5 session key of length 16
[2009/08/24 11:39:33, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
[2009/08/24 11:39:33, 1] utils/net_ads.c:net_ads_join(1470)
error on ads_startup: Strong(er) authentication required
[2009/08/24 11:39:33, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/lib64/samba/C.msg: No such file or directory
Failed to join domain: Strong(er) authentication required
[2009/08/24 11:39:33, 2] utils/net.c:main(1075)
return code = -1
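
An added example, not part of the original post and not Samba code: a small Python triage of `-d10` output like the log above, separating the level 0/1 entries that end the join from the level 10 message that only announces a kinit retry. The function names and the `max_level=1` cutoff are assumptions for illustration; the sample is a subset of lines copied from the log in the post.

```python
import re

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] ([^:]+):(\w+)\((\d+)\)$")

# Constructed sample: a subset of the -d10 lines quoted in the post above.
SAMPLE = """\
[2009/08/24 11:39:33, 10] libads/sasl.c:ads_sasl_spnego_bind(321)
ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit
[2009/08/24 11:39:33, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(735)
Got KRB5 session key of length 16
[2009/08/24 11:39:33, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
[2009/08/24 11:39:33, 1] utils/net_ads.c:net_ads_join(1470)
error on ads_startup: Strong(er) authentication required
[2009/08/24 11:39:33, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/lib64/samba/C.msg: No such file or directory
"""

def parse(log):
    """Group each debug header with the message lines that follow it."""
    entries = []
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"time": m[1], "level": int(m[2]), "file": m[3],
                            "func": m[4], "line": int(m[5]), "msg": []})
        elif entries and line.strip():
            entries[-1]["msg"].append(line.strip())
    return entries

def triage(log, max_level=1):
    """Return (errors, retried): entries logged at level <= max_level, and
    higher-level entries that only announce a kinit retry."""
    entries = parse(log)
    errors = [e for e in entries if e["level"] <= max_level]
    retried = [e for e in entries if e["level"] > max_level
               and any("calling kinit" in m for m in e["msg"])]
    return errors, retried

def strong_auth_required(errors):
    # "Strong(er) authentication required" is the OpenLDAP client text for
    # LDAP result code 8 (strongAuthRequired): the server refused the bind
    # as too weak, which is what the SASL wrapping setting addresses.
    return any("Strong(er) authentication required" in m
               for e in errors for m in e["msg"])
```

On the sample, `triage(SAMPLE)` returns the two entries from `ads_sasl_spnego_bind(330)` and `net_ads_join(1470)` as errors and the line 321 message as a retry.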

