[Samba] Kerberos GSSAPI: Server not found in Kerberos database
L.P.H. van Belle
belle at bazuin.nl
Tue Jan 14 08:52:10 MST 2014
Hai,
Are there any IPv6 IP addresses in /etc/hosts? (If so, remove them and try again.)
Or you can try to remove and/or disable IPv6 totally.
If ldapsearch uses IPv6, then things don't work.
This is a known bug.
Greetz,
Louis
>-----Original message-----
>From: pat at suwalski.net [mailto:samba-bounces at lists.samba.org]
>On behalf of Pat Suwalski
>Sent: Tuesday 14 January 2014 16:26
>To: samba at lists.samba.org
>Subject: [Samba] Kerberos GSSAPI: Server not found in Kerberos database
>
>Hello,
>
>I have now spent 30 hours trying to get this working, so it's time to
>get some professional help. :)
>
>In a nutshell, I would like to have a Samba AD PDC that authenticates
>both Windows and Debian. On Linux, I would like to use SSSD.
>
>I have followed the steps on the wiki:
>- https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>- https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>
>Those worked great! The first allowed me to use the domain immediately
>with Windows. The second allowed me to use SSSD to authenticate on the
>Debian/Samba server, no problem.
>
>However, for the life of me, I cannot make any non-localhost Debian SSSD
>connect to Samba. I always get the wonderfully vague error:
>
>generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
>
>I have followed many discussions on this list and others, and it's
>always things like NetBIOS names not matching, domains not matching, and
>so on. I don't seem to have any of those problems. I thought that maybe
>there was a problem with the keytab, so I used Samba to join the domain
>and then reused that keytab. The domains match. resolv.conf points at
>the Samba server. Logs suggest everything resolves, just that Kerberos
>is being unfriendly.
>
>I do have some questions that I can't seem to find the answer for
>anywhere else.
>
>1) Is it necessary to join the domain for SSSD to authenticate?
>
>2) Is there a need to have a computer record in Samba for the computer
>with SSSD?
>
>3) Aside from joining the domain, is there anything else that has to
>happen to allow the host to access the AD? I used:
>
> net ads join -UAdministrator
>
>and got a success message.
>
>4) After joining the domain, I have different spn information for the
>Windows host versus the Debian host:
>
># samba-tool spn list adtest$
>adtest$
>User CN=adtest,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName:
> HOST/ADTEST
> HOST/adtest.foobar.ca
>
># samba-tool spn list windows81-vm$
>windows81-vm$
>User CN=WINDOWS81-VM,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName:
> HOST/Windows81-VM.foobar.ca
> RestrictedKrbHost/Windows81-VM.foobar.ca
> HOST/WINDOWS81-VM
> RestrictedKrbHost/WINDOWS81-VM
> TERMSRV/Windows81-VM.foobar.ca
> TERMSRV/WINDOWS81-VM
>
>Could it be that I somehow need to give permissions to my "adtest"
>Debian host to be able to connect via Kerberos?
>
>5) Is it actually necessary to kinit as suggested elsewhere? It just
>seems to create the keytab cache in /tmp.
>
>Any help would be greatly appreciated. I didn't want to overload this
>message with logs and such.
>
>Many thanks,
>--Pat
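
The reply's suggestion to look for IPv6 addresses in /etc/hosts can be checked mechanically. The script below is an added example, not part of the original thread: it lists IPv6 entries in a hosts file and the names mapped to both address families. The host names and addresses in `SAMPLE_HOSTS` are constructed.

```python
import ipaddress
import sys

# Constructed sample hosts file (not taken from the systems in the thread).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  dc1.example.test dc1
# comment line
::1         localhost ip6-localhost ip6-loopback
fe80::1%eth0 dc1.example.test   # link-local with zone id
2001:db8::10 dc1.example.test dc1
ff02::1     ip6-allnodes
not-an-ip   broken
"""

def parse_hosts(text):
    """Yield (line_no, address, names) for every valid hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or nameless line
        try:
            # Strip an IPv6 zone id ("%eth0") before parsing.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                             # first field is not an IP address
        yield line_no, addr, fields[1:]

def ipv6_entries(text):
    """Entries whose address is IPv6, as (line_no, address, names)."""
    return [(n, str(a), names) for n, a, names in parse_hosts(text) if a.version == 6]

def dual_stack_names(text):
    """Names that map to both an IPv4 and an IPv6 address."""
    families = {}
    for _, addr, names in parse_hosts(text):
        for name in names:
            families.setdefault(name.lower(), set()).add(addr.version)
    return sorted(name for name, seen in families.items() if seen == {4, 6})

if __name__ == "__main__":
    # Pass a path (e.g. /etc/hosts) or run without arguments on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, addr, names in ipv6_entries(text):
        print(f"line {line_no}: {addr} -> {' '.join(names)}")
    print("names with IPv4 and IPv6 entries:", ", ".join(dual_stack_names(text)) or "none")
```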