[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success

Dmitry MiksIr miksir at maker.ru
Wed Aug 12 14:07:15 UTC 2015


12.08.2015 15:22, Rowland Penny wrote:
> On 12/08/15 12:17, Dmitry MiksIr wrote:
>
> Hi, I think your kerberos ticket is expiring, but don't really know why.
>
> As Louis has said, you don't need these lines in krb5.conf:
>
> ticket_lifetime = 24h
> renew_lifetime = 7d
>

Ok, I will try to remove them. Let's see.

> You also don't need these lines in smb.conf:
>
> idmap cache time = 5
> idmap negative cache time = 5
> winbind cache time = 5

Well, it's because I don't want to wait a long time after adding new users
or changing group membership (and it happens very often). Performance
is not very important for me. Maybe I'll increase this time a little bit,
but the default 300(?) is too much for me.

>
> Is this a typo ?

No. I tried to use the tdb2 idmap script to map well-known SIDs to local
groups (like S-1-5-11 to `users`, and S-1-5-32-544 to `wheel`). But it
did not work for a few SIDs, and I switched back to tdb and added this map
via `net groupmap`. I just forgot to remove `idmap config * : script`.

>
> idmap config * : backend = tdb
>
> shouldn't it be:
>
> idmap config * : backend = tdb2
>
> as you are also using:
>
> idmap config * : script = /etc/samba/idmap.sh
>
> What OS are you using ?
> What version of Samba and where is it from (distro packages, self
> compiled etc)

Debian Jessie
Sernet Samba 4.2.3-7

>
> Rowland
>
>




