[Samba] Kerberos GSSAPI: Server not found in Kerberos database

Pat Suwalski pat at suwalski.net
Tue Jan 14 08:25:46 MST 2014 

Hello,

I have now spent 30 hours trying to get this working, so it's time to 
get some professinoal help. :)

In a nutshell, I would like to have a sambda AD PDC that authenticates 
both Windows and Debian. On Linux, I would like to use SSSD.

I have followed the steps on the wiki:
- https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
- 
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd

Those worked great! The first allowed me to use the domain immediately 
with Windows. The second allowed me to use SSSD to authenticate on the 
Debian/Samba server, no problem.

However, for the life of me, I cannot make any non-localhost Debian SSSD 
connect to Samba. I always get the wonderfully vague error:

generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may 
provide more information (Server not found in Kerberos database)

I have followed many discussions on this list and others, and it's 
always things like NetBIOS names not matching, domains not matching, and 
so on. I don't seem to have any of those problems. I thought that maybe 
there was a problem with the keytab, so I used Samba to join the domain 
and then reused that keytab. The domains match. resolv.conf points at 
the Samba server. Logs suggest everything resolves, just that Kerberos 
is being unfriendly.

I do have some questions that I can't seem to find the answer for 
anywhere else.

1) Is it necessary to join the domain for SSSD to authenticate?

2) Is there a need to have a computer record in Samba for the computer 
with SSSD?

3) Aside from joining the domain, is there anything else that has to 
happen to allow the host to access the AD? I used:

     net ads join -UAdministrator

and got a success message.

4) After joining the domain, I have different spn information for the 
Windows host versus the Debian host:

# samba-tool spn list adtest$
adtest$
User CN=adtest,CN=Computers,DC=foobar,DC=ca has the following 
servicePrincipalName:
	 HOST/ADTEST
	 HOST/adtest.foobar.ca

# samba-tool spn list windows81-vm$
windows81-vm$
User CN=WINDOWS81-VM,CN=Computers,DC=foobar,DC=ca has the following 
servicePrincipalName:
	 HOST/Windows81-VM.foobar.ca
	 RestrictedKrbHost/Windows81-VM.foobar.ca
	 HOST/WINDOWS81-VM
	 RestrictedKrbHost/WINDOWS81-VM
	 TERMSRV/Windows81-VM.foobar.ca
	 TERMSRV/WINDOWS81-VM

Could it be that I somehow need to give permissions to my "adtest" 
Debian host to be able to connect via Kerberos?

5) Is it actually necessary to kinit as suggested elsewhere? It just 
seems to create the keytab cache in /tmp.

Any help would be greatly appreciated. I didn't want to overload this 
message with logs and such.

Many thanks,
--Pat

More information about the samba mailing list