[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success

L.P.H. van Belle belle at bazuin.nl
Wed Aug 12 11:51:13 UTC 2015


Hi,

I compared your config with my own.
Looks the same and correct to me.

Try it without these 2 in krb5.conf:
>ticket_lifetime = 24h
>renew_lifetime = 7d 

And in smb.conf I don't have
>   idmap cache time = 5
>   idmap negative cache time = 5
>   winbind cache time = 5

So I suggest first removing the 2 lines in krb5.conf and testing.
Then, if needed, the other 2.

And you did make sure your time is always in sync?


Greetz, 

louis


>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dmitry MiksIr
>Sent: Wednesday 12 August 2015 13:17
>To: samba at lists.samba.org
>Subject: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
>
>Samba4 as AD controller. Same samba as domain members. Winbind.
>Periodically (once in a few days), after the subject message in the winbind logs,
>it stops working and only a restart of winbindd helps.
>Error message:
>[2015/08/10 13:31:14.410866,  0] 
>../source3/libads/sasl.c:1025(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed:  The context 
>has expired : Success
>
>smb.conf
>[global]
>   netbios name = PC1
>   workgroup = FOREST
>   security = ADS
>   realm = FOREST.INT.DOMAIN.COM
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>
>   idmap config * : range = 300-499
>   idmap config * : backend = tdb
>   idmap config * : script = /etc/samba/idmap.sh
>   idmap config FOREST : backend = ad
>   idmap config FOREST : range = 500 - 99999
>   idmap config FOREST : schema_mode = rfc2307
>   idmap cache time = 5
>   idmap negative cache time = 5
>
>   winbind trusted domains only = No
>   winbind use default domain = Yes
>   winbind nss info = rfc2307
>   winbind enum users = Yes
>   winbind enum groups = Yes
>   winbind refresh tickets = Yes
>   winbind cache time = 5
>
>krb.conf
>[libdefaults]
>default_realm = FOREST.INT.DOMAIN.COM
>dns_lookup_realm = false
>dns_lookup_kdc = true
>ticket_lifetime = 24h
>renew_lifetime = 7d