[Samba] Kerberos GSSAPI: Server not found in Kerberos database
L.P.H. van Belle
belle at bazuin.nl
Tue Jan 14 08:52:10 MST 2014
are there any IPV6 ipadresses in /etc/hosts ( if so remove them and try again )
Or you try to remove and/or disable IPV6 totaly.
If ldapsearch uses IPv6, then things don't work
This is known bug.
>Van: pat at suwalski.net [mailto:samba-bounces at lists.samba.org]
>Namens Pat Suwalski
>Verzonden: dinsdag 14 januari 2014 16:26
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] Kerberos GSSAPI: Server not found in
>I have now spent 30 hours trying to get this working, so it's time to
>get some professinoal help. :)
>In a nutshell, I would like to have a sambda AD PDC that authenticates
>both Windows and Debian. On Linux, I would like to use SSSD.
>I have followed the steps on the wiki:
>Those worked great! The first allowed me to use the domain immediately
>with Windows. The second allowed me to use SSSD to authenticate on the
>Debian/Samba server, no problem.
>However, for the life of me, I cannot make any non-localhost
>connect to Samba. I always get the wonderfully vague error:
>generic failure: GSSAPI Error: Unspecified GSS failure. Minor
>provide more information (Server not found in Kerberos database)
>I have followed many discussions on this list and others, and it's
>always things like NetBIOS names not matching, domains not
>so on. I don't seem to have any of those problems. I thought
>there was a problem with the keytab, so I used Samba to join
>and then reused that keytab. The domains match. resolv.conf points at
>the Samba server. Logs suggest everything resolves, just that Kerberos
>is being unfriendly.
>I do have some questions that I can't seem to find the answer for
>1) Is it necessary to join the domain for SSSD to authenticate?
>2) Is there a need to have a computer record in Samba for the computer
>3) Aside from joining the domain, is there anything else that has to
>happen to allow the host to access the AD? I used:
> net ads join -UAdministrator
>and got a success message.
>4) After joining the domain, I have different spn information for the
>Windows host versus the Debian host:
># samba-tool spn list adtest$
>User CN=adtest,CN=Computers,DC=foobar,DC=ca has the following
># samba-tool spn list windows81-vm$
>User CN=WINDOWS81-VM,CN=Computers,DC=foobar,DC=ca has the following
>Could it be that I somehow need to give permissions to my "adtest"
>Debian host to be able to connect via Kerberos?
>5) Is it actually necessary to kinit as suggested elsewhere? It just
>seems to create the keytab cache in /tmp.
>Any help would be greatly appreciated. I didn't want to overload this
>message with logs and such.
>To unsubscribe from this list go to the following URL and read the
More information about the samba