[Samba] Kerberos GSSAPI: Server not found in Kerberos database
Pat Suwalski
pat at suwalski.net
Tue Jan 14 08:25:46 MST 2014
Hello,
I have now spent 30 hours trying to get this working, so it's time to
get some professional help. :)
In a nutshell, I would like to have a Samba AD PDC that authenticates
both Windows and Debian. On Linux, I would like to use SSSD.
I have followed the steps on the wiki:
- https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
- https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
Those worked great! The first allowed me to use the domain immediately
with Windows. The second allowed me to use SSSD to authenticate on the
Debian/Samba server, no problem.
However, for the life of me, I cannot make any non-localhost Debian SSSD
connect to Samba. I always get the wonderfully vague error:
generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Server not found in Kerberos database)
I have followed many discussions on this list and others, and it's
always things like NetBIOS names not matching, domains not matching, and
so on. I don't seem to have any of those problems. I thought that maybe
there was a problem with the keytab, so I used Samba to join the domain
and then reused that keytab. The domains match. resolv.conf points at
the Samba server. Logs suggest everything resolves, just that Kerberos
is being unfriendly.
I do have some questions that I can't seem to find the answer for
anywhere else.
1) Is it necessary to join the domain for SSSD to authenticate?
2) Is there a need to have a computer record in Samba for the computer
with SSSD?
3) Aside from joining the domain, is there anything else that has to
happen to allow the host to access the AD? I used:
net ads join -UAdministrator
and got a success message.
4) After joining the domain, I have different spn information for the
Windows host versus the Debian host:
# samba-tool spn list adtest$
adtest$
User CN=adtest,CN=Computers,DC=foobar,DC=ca has the following
servicePrincipalName:
HOST/ADTEST
HOST/adtest.foobar.ca
# samba-tool spn list windows81-vm$
windows81-vm$
User CN=WINDOWS81-VM,CN=Computers,DC=foobar,DC=ca has the following
servicePrincipalName:
HOST/Windows81-VM.foobar.ca
RestrictedKrbHost/Windows81-VM.foobar.ca
HOST/WINDOWS81-VM
RestrictedKrbHost/WINDOWS81-VM
TERMSRV/Windows81-VM.foobar.ca
TERMSRV/WINDOWS81-VM
Could it be that I somehow need to give permissions to my "adtest"
Debian host to be able to connect via Kerberos?
5) Is it actually necessary to kinit as suggested elsewhere? It just
seems to create the keytab cache in /tmp.
Any help would be greatly appreciated. I didn't want to overload this
message with logs and such.
Many thanks,
--Pat
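Editor's note, added to this archived message and not part of Pat's post: "Server not found in Kerberos database" is the KDC saying it has no account whose servicePrincipalName matches the principal the client asked for. Two names therefore have to line up: the name the client builds after DNS canonicalization (MIT krb5 also consults reverse DNS unless rdns is disabled in krb5.conf), and the SPNs registered on the account. The script below is an added example that cross-checks captured `klist -k` output against captured `samba-tool spn list` output. The SPN list is the one quoted in question 4; the keytab listing and the hostname adtest.lan are constructed assumptions. AD matches SPNs case-insensitively, so both sides are lower-cased before comparison.

```shell
#!/bin/sh
# Added example: compare a host keytab with the SPNs registered on its AD account.
# On a real host the inputs come from:
#   klist -k /etc/krb5.keytab
#   samba-tool spn list 'adtest$'      (run on the DC)
# Here both are embedded as constructed text so the script runs offline.

# Constructed sample of 'klist -k' on the joined Debian host (assumed values).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/adtest.foobar.ca@FOOBAR.CA
   1 host/ADTEST@FOOBAR.CA
   1 ADTEST$@FOOBAR.CA'

# The 'samba-tool spn list adtest$' output quoted in the post.
SAMPLE_SPNS='adtest$
User CN=adtest,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName:
	HOST/ADTEST
	HOST/adtest.foobar.ca'

# Service/host names registered in AD, lower-cased (AD compares SPNs case-insensitively).
spn_names() {
    printf '%s\n' "$1" | awk 'index($1, "/") > 0 { print tolower($1) }' | sort -u
}

# Service principals in the keytab, without the @REALM suffix, lower-cased.
# Lines whose first field is a KVNO are entries; the account principal (no '/') is skipped.
keytab_spns() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && index($2, "/") > 0 { sub(/@.*/, "", $2); print tolower($2) }' |
        sort -u
}

# Keytab principals with no matching SPN. A ticket request naming any of these
# fails with "Server not found in Kerberos database".
missing_in_ad() {
    spns=$(spn_names "$2")
    for p in $(keytab_spns "$1"); do
        printf '%s\n' "$spns" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# Is host/<fqdn> registered? $1 is the FQDN the client canonicalizes the target to
# (check it with 'getent hosts <ip>' or 'host <ip>' for the reverse mapping).
check_target() {
    want=$(printf 'host/%s' "$1" | tr 'A-Z' 'a-z')
    if spn_names "$2" | grep -qxF "$want"; then echo ok; else echo missing; fi
}

echo "SPNs registered in AD:"
spn_names "$SAMPLE_SPNS"
echo "Keytab principals with no matching SPN:"
missing_in_ad "$SAMPLE_KEYTAB" "$SAMPLE_SPNS"
echo "host/adtest.foobar.ca registered: $(check_target adtest.foobar.ca "$SAMPLE_SPNS")"
echo "host/adtest.lan registered: $(check_target adtest.lan "$SAMPLE_SPNS")"
```

If a name turns up missing, it can be registered with `samba-tool spn add HOST/<name> adtest$` on the DC, or the DNS (forward and reverse) fixed so the client canonicalizes to a name that is already registered. Note that when SSSD fails to bind to the DC's LDAP service, the principal the KDC cannot find is usually the DC's own `ldap/<dc-fqdn>` rather than the client's `host/` principal, so run the same check with the DC's canonical name against `samba-tool spn list '<dc>$'`.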