[Samba] Kerberos: Server not found in database...no such entry found in hdb

Dania Ramirez Moya dania181087 at gmail.com
Sat Jul 19 13:36:17 MDT 2014

Hi, I have a server with Samba 4.1.5 and I want to authenticate my
mail server against Samba via Kerberos.
The protocols involved are POP and IMAP, as you know, so I created
two users, imap and pop:

samba-tool user add pop --random-password
samba-tool user add imap --random-password

And later I created two Service Principal Names for these users:

samba-tool spn add pop/mailserver.domain.cu@DOMAIN.CU pop
samba-tool spn add imap/mailserver.domain.cu@DOMAIN.CU imap

Then I exported the keys and copied them to the mail server:

samba-tool domain exportkeytab /etc/krb5.keytab

After that I configured Dovecot in /etc/dovecot/conf.d/10-auth.conf:

auth_realms = domain.cu
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_mechanisms = gssapi

Then I tried to log in but it didn't work...

This is what Samba's log says:

Kerberos: TGS-REQ dania@DOMAIN.CU from ipv4: for pop/mailserver.domain.cu@DOMAIN.CU [renewable, forwardable]
Kerberos: Searching referral for mailserver.domain.cu
Kerberos: Server not found in database: pop/mailserver.domain.cu@DOMAIN.CU: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:

I have made queries to the database and the SPNs exist:

samba-tool spn list pop
pop
User CN=pop,CN=Users,DC=domain,DC=cu has the following servicePrincipalName:
         pop/mailserver.domain.cu@DOMAIN.CU

samba-tool spn list imap
imap
User CN=imap,CN=Users,DC=domain,DC=cu has the following servicePrincipalName:
         imap/mailserver.domain.cu@DOMAIN.CU

ldbsearch -H /usr/local/samba/private/sam.ldb '(serviceprincipalname=pop/mailserver.domain.cu@DOMAIN.CU)'

# record 1
dn: CN=pop,CN=Users,DC=domain,DC=cu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: pop
instanceType: 4
whenCreated: 20140719145826.0Z
uSNCreated: 21693
name: pop
objectGUID: e063e896-6900-458d-a7bd-76319829cb81
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1345859412-382380422-3804354134-1361
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pop
sAMAccountType: 805306368
userPrincipalName: pop@domain.cu
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=cu
pwdLastSet: 130502555070000000
userAccountControl: 512
servicePrincipalName: pop/mailserver.domain.cu@DOMAIN.CU
whenChanged: 20140719150053.0Z
uSNChanged: 21702
distinguishedName: CN=pop,CN=Users,DC=domain,DC=cu

I would like to know how Kerberos queries the database and how to see
these queries in the Samba log.

I need some help... I don't know what else to do... forgive my English... thanks
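
A check a reader could run on the values in this post (added example, not part of the original message and not Samba's own code): it compares the principal named in the KDC log line with the servicePrincipalName values that ldbsearch returns. It assumes the Active Directory convention that servicePrincipalName holds service/host with no @REALM suffix and is compared case-insensitively; the function names and the second sample record are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample records are constructed.

# Drop an optional @REALM suffix from a Kerberos principal name.
strip_realm() { printf '%s\n' "${1%@*}"; }

# Print every servicePrincipalName value found in LDIF read from stdin.
spn_values() { sed -n 's/^servicePrincipalName:[[:space:]]*//p'; }

# check_spn REQUESTED_PRINCIPAL < ldif
# Assumption: stored SPNs carry no realm and compare case-insensitively.
# MATCH: a stored value equals the requested name once the request's realm is dropped.
# REALM-SUFFIX: a stored value matches only after its own @REALM is removed too.
# Returns 0 only when at least one MATCH line was printed.
check_spn() {
    want=$(strip_realm "$1" | tr '[:upper:]' '[:lower:]')
    values=$(spn_values)
    found=1
    while IFS= read -r value; do
        have=$(printf '%s\n' "$value" | tr '[:upper:]' '[:lower:]')
        if [ "$have" = "$want" ]; then
            echo "MATCH: $value"
            found=0
        elif [ "$(strip_realm "$have")" = "$want" ]; then
            echo "REALM-SUFFIX: $value"
        fi
    done <<EOF
$values
EOF
    return "$found"
}

# Constructed sample: the attribute value as it appears in the post's ldbsearch output.
POSTED_LDIF='dn: CN=pop,CN=Users,DC=domain,DC=cu
sAMAccountName: pop
servicePrincipalName: pop/mailserver.domain.cu@DOMAIN.CU'

# Constructed sample: the same record with the value stored without a realm.
BARE_LDIF='dn: CN=pop,CN=Users,DC=domain,DC=cu
sAMAccountName: pop
servicePrincipalName: pop/mailserver.domain.cu'

REQUESTED='pop/mailserver.domain.cu@DOMAIN.CU'   # principal from the TGS-REQ log line

printf '%s\n' "$POSTED_LDIF" | check_spn "$REQUESTED" || echo "no exact entry"
printf '%s\n' "$BARE_LDIF" | check_spn "$REQUESTED" || echo "no exact entry"
```

Against a live directory, the input would be the output of the ldbsearch command from the post piped into check_spn.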

