[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
Mark R Bannister
mark at proseconsulting.co.uk
Tue Sep 20 04:12:24 MDT 2011
Hi,
I've seen many people complain about this error message by Googling
around, but I've never found a satisfactory explanation as to the
cause and resolution. I'm hoping someone on the list will be able to
point me in the right direction?
I'm attempting to get a RHEL 5.5 client configured to use winbind
auth against Windows 2003 R2 AD (in fact my end game is to get all
NIS maps served from AD, but one step at a time).
I've been following these steps:
http://wiki.samba.org/index.php/Samba_&_Active_Directory
But when I come to issue the 'net ads join' command:
# net ads join -U administrator
administrator's password:
[2011/09/20 10:57:00, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: Invalid credentials
So having manually configured it, I decided maybe 'authconfig' could
help. I have no graphics here, so tried a command-line approach:
# authconfig --enablecache --enablewinbind --enablewinbindauth \
    --smbsecurity ads --smbrealm FMTEST.NET \
    --smbidmapuid=100-4294967294 --smbidmapgid=100-4294967294 \
    --enablewinbindusedefaultdomain \
    --enablewinbindoffline --winbindjoin=Administrator --update
This made no difference (same error when trying to join). Apart
from adding the 'winbind offline logon' option which I omitted from
my manual approach, using the old idmap features instead of the new
ones, and setting up PAM for winbind (which I hadn't got around to
yet) there was no difference in config.
Debug modes, RHEL logs, Windows event logs, network traces - I've
looked at them all and can't find anything that points to the exact
problem.
Some pertinent info:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
# rpm -qa | egrep 'samba|libsmb'
libsmbclient-3.0.33-3.29.el5_5.1
samba-client-3.0.33-3.29.el5_5.1
samba-3.0.33-3.29.el5_5.1
samba-common-3.0.33-3.29.el5_5.1
# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = FMTEST
realm = FMTEST.NET
server string = Linux Test Machine
security = ADS
passdb backend = tdbsam
log file = /var/log/samba/%m.log
preferred master = No
idmap domains = ALLDOMAINS
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
idmap config ALLDOMAINS:default = yes
idmap config ALLDOMAINS:backend = ad
idmap config ALLDOMAINS:range = 100-4294967294
idmap config ALLDOMAINS:schema_mode = rfc2307
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FMTEST.NET
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
FMTEST.NET = {
default_domain = fmtest.net
}
[domain_realm]
.fmtest.net = FMTEST.NET
fmtest.net = FMTEST.NET
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Can you advise?
Thanks,
Mark.