[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
Rowland Penny
rowlandpenny241155 at gmail.com
Wed Aug 12 12:22:28 UTC 2015
On 12/08/15 12:17, Dmitry MiksIr wrote:
> Samba4 as AD controller. Same samba as domain members. Winbind.
> Periodically (once every few days), after the subject message appears in
> the winbind logs, it stops working and only a restart of winbindd helps.
> Error message:
> [2015/08/10 13:31:14.410866, 0]
> ../source3/libads/sasl.c:1025(ads_sasl_spnego_bind)
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context
> has expired : Success
>
> smb.conf
> [global]
> netbios name = PC1
> workgroup = FOREST
> security = ADS
> realm = FOREST.INT.DOMAIN.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config * : range = 300-499
> idmap config * : backend = tdb
> idmap config * : script = /etc/samba/idmap.sh
> idmap config FOREST : backend = ad
> idmap config FOREST : range = 500 - 99999
> idmap config FOREST : schema_mode = rfc2307
> idmap cache time = 5
> idmap negative cache time = 5
>
> winbind trusted domains only = No
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind refresh tickets = Yes
> winbind cache time = 5
>
> krb.conf
> [libdefaults]
> default_realm = FOREST.INT.DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
>
>
Hi, I think your Kerberos ticket is expiring, but don't really know why.

As Louis has said, you don't need these lines in krb5.conf:

    ticket_lifetime = 24h
    renew_lifetime = 7d

You also don't need these lines in smb.conf:

    idmap cache time = 5
    idmap negative cache time = 5
    winbind cache time = 5

Is this a typo?

    idmap config * : backend = tdb

Shouldn't it be:

    idmap config * : backend = tdb2

as you are also using:

    idmap config * : script = /etc/samba/idmap.sh

What OS are you using?
What version of Samba, and where is it from (distro packages, self-compiled,
etc.)?
Rowland
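
The two smb.conf points raised in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of Samba: a small linter that flags an idmap `script` setting whose backend is not `tdb2` (the `script` option is documented for the `tdb2` backend) and lists the cache overrides the reply calls unneeded. The sample config is constructed from the lines quoted in the thread; function names are hypothetical.

```python
import re

# Constructed sample: idmap/winbind lines as quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    idmap config * : range = 300-499
    idmap config * : backend = tdb
    idmap config * : script = /etc/samba/idmap.sh
    idmap config FOREST : backend = ad
    idmap cache time = 5
    idmap negative cache time = 5
    winbind cache time = 5
"""

# Cache overrides the reply says are not needed (the reply's view, not a Samba rule).
CACHE_OVERRIDES = {"idmap cache time", "idmap negative cache time", "winbind cache time"}
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(.+)$")

def parse_global(text):
    """Return {normalised key: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf keys are case-insensitive; collapse internal whitespace too
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Return findings for the two points raised in the reply."""
    params, findings, domains = parse_global(text), [], {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:  # group per-domain idmap options: {"*": {"backend": "tdb", ...}}
            domains.setdefault(m.group(1), {})[m.group(2).strip()] = value
    for dom, opts in sorted(domains.items()):
        backend = opts.get("backend", "(unset)")
        if "script" in opts and backend.lower() != "tdb2":
            findings.append(f"idmap config {dom}: script set, backend is {backend!r} not 'tdb2'")
    for key in sorted(CACHE_OVERRIDES & params.keys()):
        findings.append(f"{key} = {params[key]}: cache override flagged in the reply")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_SMB_CONF)))
```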