[Samba] Winbind File Server Domain Member Errors: "Client not found in Kerberos database" / "Could not receive trustdoms".

Fri Aug 22 17:33:38 MDT 2014

Hey guys...

Again, almost every day...:

--
user at file-server:~$ smbclient -L file-server -U user%SENHA -W domain
session setup failed: NT_STATUS_NO_TRUST_SAM_ACCOUNT
--

"wbinfo -u" doens't show users...

"wbinfo -t" shows:

--
root at file-server:~# wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls failed
error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
--

Then, after researching more about this, I added the following lines
smb.conf:

---
winbind refresh tickets = yes
---

Problem fixed!! Samba4 File Server online for about two days, non-stop.

I'm wondering here, why this page:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server doesn't
tell a word about this?!

This "winbind refresh tickets" option seems to be required, am I right?!

Also, I added "kerberos method = secrets and keytab" later... But `winbind
refresh tickets` did the trick...

Cheers!
Thiago

On 16 August 2014 11:10, steve <steve at steve-ss.com> wrote:

> On Sat, 2014-08-16 at 05:58 -0300, Martinx - ジェームズ wrote:
> > Guys,
> >
> > I'm seeing the following error at my Samba4 Domain Member File Server:
> >
> > ---
> > ==> /var/log/samba/log.wb-DOMAIN <==
> > [2014/08/16 05:39:26.616878,  0]
> > ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> >   kerberos_kinit_password FILE-SERVER$@REALM.DOMAIN.COM failed: Client
> not
> > found in Kerberos database
> > [2014/08/16 05:39:26.616962,  1]
> > ../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
> >   ads_connect for domain DOMAIN failed: Client not found in Kerberos
> > database
> >
> > ==> /var/log/samba/log.winbindd <==
> > [2014/08/16 05:39:27.256066,  1]
> > ../source3/winbindd/winbindd_util.c:316(trustdom_list_done)
> >   Could not receive trustdoms
> > [2014/08/16 05:39:28.257587,  1]
> > ../source3/winbindd/winbindd_util.c:316(trustdom_list_done)
> >   Could not receive trustdoms
> > [2014/08/16 05:39:29.258850,  1]
> > ../source3/winbindd/winbindd_util.c:316(trustdom_list_done)
> >   Could not receive trustdoms
> > ---
> >
> > The command "kinit user" works... Kerberos seems to be fine at
> > "file-server".
> >
> > How to fix this permanently?!
> >
> > I mean, last time I saw this messages, I did a "net ads leave / join" as
> a
> > workaround but, the problem keep appearing over and over...
> >
> > Apparently, it is loosing its membership... But I don't know for sure...
> >
> > It is a Samba 4.1.6 on Ubuntu Trusty.
> >
> > The AD DC is also a Samba 4.1.6 + Bind9, Ubuntu Trusty too. The members
> > based on Windows (Desktops) are working fine.
> >
> > Tips?!
> >
> > Tks!
> > Thiago
>
> At least give us something to check!
>
> smb.conf at both ends
> /etc/krb5.conf
> klist -k
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba