[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Markert, Martin
MMarkert at arri.de
Thu Apr 2 04:38:25 MDT 2015
Hi,
I've successfully joined a CentOS server to our AD domain:
AD: Windows Server 2008 RC2 with Windows Services for UNIX
AD member: CentOS 6.6, sernet-samba-4.1.14-9, authentication via Kerberos and Winbind
From time to time the following entries show up in the messages file:
Apr 2 11:54:15 barbarella nss_wins[4254]: [2015/04/02 11:54:15.339983, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:15 barbarella nss_wins[4254]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Apr 2 11:54:15 barbarella nss_wins[4256]: [2015/04/02 11:54:15.546227, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:15 barbarella nss_wins[4256]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Apr 2 11:54:17 barbarella nss_wins[3564]: [2015/04/02 11:54:17.118128, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:17 barbarella nss_wins[3564]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Apr 2 11:54:17 barbarella nss_wins[3588]: [2015/04/02 11:54:17.120904, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:17 barbarella nss_wins[3588]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Apr 2 11:54:17 barbarella nss_wins[3587]: [2015/04/02 11:54:17.271232, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:17 barbarella nss_wins[3587]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
I don't know what is wrong or where the issue is. The error message shows up while executing "id user", for example. It takes 3-5 seconds and then the result appears.
Regards,
Martin
###/etc/krb5.conf###
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ARRI.DE
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
ARRI.DE = {
kdc = admuc1.arri.de:88
kdc = admuc2.arri.de:88
default_domain = arri.de
}
[domain_realm]
.arri.de = ARRI.DE
arri.de = ARRI.DE
[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 24h
forwardable = true
proxiable = false
retain_after_close = false
krb4_convert = false
}
---
###/etc/nsswitch.conf###
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
---
###/etc/pam.d/system-auth###
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_winbind.so use_first_pass
---
###/etc/resolv.conf###
nameserver 192.168.100.100
nameserver 192.168.100.101
domain arri.de
search arri.de
---
###/etc/hosts###
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.82 barbarella barbarella.arri.de
192.168.100.100 admuc1 admuc1.arri.de
192.168.100.101 admuc2 admuc2.arri.de
Martin Markert
Systems Integrator
Tuerkenstr. 89, 80799 München / Germany
Phone +49 89 3809-1848
EMail MMarkert at arri.de