[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 12 12:22:28 UTC 2015


On 12/08/15 12:17, Dmitry MiksIr wrote:
> Samba4 as AD controller. Same samba as domain members. Winbind.
> Periodically (once in a few days), after the subject message in winbind logs, 
> it stops working and only a restart of winbindd helps.
> Error message:
> [2015/08/10 13:31:14.410866,  0] ../source3/libads/sasl.c:1025(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed:  The context has expired : Success
>
> smb.conf
> [global]
>   netbios name = PC1
>   workgroup = FOREST
>   security = ADS
>   realm = FOREST.INT.DOMAIN.COM
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>
>   idmap config * : range = 300-499
>   idmap config * : backend = tdb
>   idmap config * : script = /etc/samba/idmap.sh
>   idmap config FOREST : backend = ad
>   idmap config FOREST : range = 500 - 99999
>   idmap config FOREST : schema_mode = rfc2307
>   idmap cache time = 5
>   idmap negative cache time = 5
>
>   winbind trusted domains only = No
>   winbind use default domain = Yes
>   winbind nss info = rfc2307
>   winbind enum users = Yes
>   winbind enum groups = Yes
>   winbind refresh tickets = Yes
>   winbind cache time = 5
>
> krb.conf
> [libdefaults]
> default_realm = FOREST.INT.DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
>
>

Hi, I think your kerberos ticket is expiring, but don't really know why.

As Louis has said, you don't need these lines in krb5.conf:

ticket_lifetime = 24h
renew_lifetime = 7d

You also don't need these lines in smb.conf:

idmap cache time = 5
idmap negative cache time = 5
winbind cache time = 5

Is this a typo ?

idmap config * : backend = tdb

shouldn't it be:

idmap config * : backend = tdb2

as you are also using:

idmap config * : script = /etc/samba/idmap.sh

What OS are you using ?
What version of Samba, and where is it from (distro packages, self-compiled, 
etc.)?

Rowland



