[Samba] Kerberos GSSAPI: Server not found in Kerberos database

L.P.H. van Belle belle at bazuin.nl
Tue Jan 14 08:52:10 MST 2014


Hi,

Are there any IPv6 IP addresses in /etc/hosts? (If so, remove them and try again.)

Or you can try to remove and/or disable IPv6 totally.
If ldapsearch uses IPv6, then things don't work.

This is a known bug.


Greetz, 

Louis


>-----Original message-----
>From: pat at suwalski.net [mailto:samba-bounces at lists.samba.org] On behalf of Pat Suwalski
>Sent: Tuesday 14 January 2014 16:26
>To: samba at lists.samba.org
>Subject: [Samba] Kerberos GSSAPI: Server not found in Kerberos database
>
>Hello,
>
>I have now spent 30 hours trying to get this working, so it's time to 
>get some professional help. :)
>
>In a nutshell, I would like to have a Samba AD PDC that authenticates 
>both Windows and Debian. On Linux, I would like to use SSSD.
>
>I have followed the steps on the wiki:
>- https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>- https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>
>Those worked great! The first allowed me to use the domain immediately 
>with Windows. The second allowed me to use SSSD to authenticate on the 
>Debian/Samba server, no problem.
>
>However, for the life of me, I cannot make any non-localhost Debian SSSD 
>connect to Samba. I always get the wonderfully vague error:
>
>generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
>
>I have followed many discussions on this list and others, and it's 
>always things like NetBIOS names not matching, domains not matching, and 
>so on. I don't seem to have any of those problems. I thought that maybe 
>there was a problem with the keytab, so I used Samba to join the domain 
>and then reused that keytab. The domains match. resolv.conf points at 
>the Samba server. Logs suggest everything resolves, just that Kerberos 
>is being unfriendly.
>
>I do have some questions that I can't seem to find the answer for 
>anywhere else.
>
>1) Is it necessary to join the domain for SSSD to authenticate?
>
>2) Is there a need to have a computer record in Samba for the computer 
>with SSSD?
>
>3) Aside from joining the domain, is there anything else that has to 
>happen to allow the host to access the AD? I used:
>
>     net ads join -UAdministrator
>
>and got a success message.
>
>4) After joining the domain, I have different spn information for the 
>Windows host versus the Debian host:
>
># samba-tool spn list adtest$
>adtest$
>User CN=adtest,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName:
>	 HOST/ADTEST
>	 HOST/adtest.foobar.ca
>
># samba-tool spn list windows81-vm$
>windows81-vm$
>User CN=WINDOWS81-VM,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName:
>	 HOST/Windows81-VM.foobar.ca
>	 RestrictedKrbHost/Windows81-VM.foobar.ca
>	 HOST/WINDOWS81-VM
>	 RestrictedKrbHost/WINDOWS81-VM
>	 TERMSRV/Windows81-VM.foobar.ca
>	 TERMSRV/WINDOWS81-VM
>
>Could it be that I somehow need to give permissions to my "adtest" 
>Debian host to be able to connect via Kerberos?
>
>5) Is it actually necessary to kinit as suggested elsewhere? It just 
>seems to create the keytab cache in /tmp.
>
>Any help would be greatly appreciated. I didn't want to overload this 
>message with logs and such.
>
>Many thanks,
>--Pat
>
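A way to run the /etc/hosts check suggested in the reply above, as an added example that is not part of the original messages: it lists the active IPv6 lines in hosts-file text and picks out those that name the client. The sample file content and its addresses are constructed, and `ipv6_host_entries` and `entries_naming` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: a hosts file for the thread's Debian client (adtest.foobar.ca).
# The addresses are made up for illustration.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.20    adtest.foobar.ca adtest
# The following lines are desirable for IPv6 capable hosts
::1             localhost ip6-localhost ip6-loopback adtest
fe80::1%eth0    adtest.foobar.ca   # link-local with scope id
ff02::1         ip6-allnodes
"""

def ipv6_host_entries(hosts_text):
    """Return (line_no, address, names) for every active IPv6 line."""
    found = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        addr = fields[0].split("%", 1)[0]       # strip a zone/scope id such as %eth0
        try:
            parsed = ipaddress.ip_address(addr)
        except ValueError:
            continue                            # first field is not an IP address
        if parsed.version == 6:
            found.append((line_no, fields[0], fields[1:]))
    return found

def entries_naming(hosts_text, short_name, domain):
    """IPv6 entries that map this machine's short name or FQDN."""
    wanted = {short_name.lower(), f"{short_name}.{domain}".lower()}
    return [e for e in ipv6_host_entries(hosts_text)
            if wanted & {n.lower() for n in e[2]}]

if __name__ == "__main__":
    for line_no, addr, names in ipv6_host_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr} -> {' '.join(names)}")
    hits = entries_naming(SAMPLE_HOSTS, "adtest", "foobar.ca")
    print("IPv6 lines naming this host:", [e[0] for e in hits])
```

To check a real machine, pass the contents of /etc/hosts and the machine's own short name and domain instead of the sample values.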


