[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
Dmitry MiksIr
miksir at maker.ru
Wed Aug 19 19:00:17 UTC 2015
Problem still exists.
Found the following in DC logs, maybe this can help:
[2015/08/19 19:53:25.269954, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- BELKA$@FOREST.INT.ARTUTKIN.RU
[2015/08/19 19:53:25.269971, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- BELKA$@FOREST.INT.ARTUTKIN.RU
[2015/08/19 19:53:25.270024, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded --
BELKA$@FOREST.INT.ARTUTKIN.RU using arcfour-hmac-md5
[2015/08/19 19:53:25.270699, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2015-08-19T19:53:25 starttime: unset
endtime: 2015-08-20T05:53:25 renew till: 2015-08-26T19:53:25
[2015/08/19 19:53:25.270780, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
using arcfour-hmac-md5/arcfour-hmac-md5
[2015/08/19 19:53:25.270805, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable, forwardable
[2015/08/19 19:53:25.271422, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2015/08/19 19:53:25.271514, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2015/08/19 19:53:29.539995, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2015/08/19 19:53:29.540091, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2015/08/19 19:53:34.545189, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2015/08/19 19:53:34.545282, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2015/08/19 19:53:36.948881, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2015/08/19 19:53:36.948973, 3]
../source4/smbd/process_single.c:114(single_terminate)
.... repeat last 2 messages many times
12.08.2015 17:07, Dmitry MiksIr wrote:
> 12.08.2015 15:22, Rowland Penny wrote:
>> On 12/08/15 12:17, Dmitry MiksIr wrote:
>>
>> Hi, I think your kerberos ticket is expiring, but don't really know why.
>>
>> As Louis has said, you don't need these lines in krb5.conf:
>>
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>>
>
> OK, I will try to remove them. Let's see.
>
>> You also don't need these lines in smb.conf:
>>
>> idmap cache time = 5
>> idmap negative cache time = 5
>> winbind cache time = 5
>
> Well, it's because I don't want to wait a long time after adding new users
> or changing group membership (and it happens very often). Performance
> is not very important for me. Maybe I'll increase this time a little bit,
> but the default 300(?) is too much for me.
>
>>
>> Is this a typo ?
>
> No. I tried to use the tdb2 idmap script to map well-known SIDs to local
> groups (like S-1-5-11 to `users`, and S-1-5-32-544 to `wheel`). But it
> did not work for a few SIDs, so I switched back to tdb and added this map
> via `net groupmap`. I just forgot to remove `idmap config * : script`
>
>>
>> idmap config * : backend = tdb
>>
>> shouldn't it be:
>>
>> idmap config * : backend = tdb2
>>
>> as you are also using:
>>
>> idmap config * : script = /etc/samba/idmap.sh
>>
>> What OS are you using ?
>> What version of Samba and where is it from (distro packages, self
>> compiled etc)
>
> Debian Jessie
> Sernet Samba 4.2.3-7
>
>>
>> Rowland
>>
>>
>
>
>
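Added example (not part of the original message and not Samba code): a small Python parser for the level-3 DC log format quoted above. It re-joins the wrapped message lines and reports the lifetime and renew window of the issued ticket plus the enctype the KDC selected. The sample records are copied from the log in this message; the names `records` and `summarize` are hypothetical.

```python
import re
from datetime import datetime

# Sample records copied from the DC log quoted in this message (wrapped as posted).
SAMPLE = """\
[2015/08/19 19:53:25.270699, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2015-08-19T19:53:25 starttime: unset
endtime: 2015-08-20T05:53:25 renew till: 2015-08-26T19:53:25
[2015/08/19 19:53:25.270780, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
using arcfour-hmac-md5/arcfour-hmac-md5
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+,\s*\d+\]")
AS_REQ = re.compile(r"AS-REQ authtime: (\S+) starttime: \S+ endtime: (\S+) renew till: (\S+)")
ENCTYPES = re.compile(r"Client supported enctypes: (.+), using (\S+)/(\S+)")

def records(text):
    """Yield each record's message with its wrapped lines re-joined."""
    current = None
    for line in text.splitlines():
        if HEADER.match(line):              # "[timestamp, level]" starts a new record
            if current is not None:
                yield " ".join(current)
            current = []
        elif current is not None and not line.startswith("../"):  # skip source location
            current.append(line.strip())
    if current is not None:
        yield " ".join(current)

def summarize(text):
    """Return ticket lifetime and renew window in hours, and the enctype choice."""
    out, fmt = {}, "%Y-%m-%dT%H:%M:%S"
    for msg in records(text):
        m = AS_REQ.search(msg)
        if m:
            auth, end, renew = (datetime.strptime(g, fmt) for g in m.groups())
            out["lifetime_h"] = (end - auth).total_seconds() / 3600
            out["renewable_h"] = (renew - auth).total_seconds() / 3600
        m = ENCTYPES.search(msg)
        if m:
            offered = [e.strip() for e in m.group(1).split(",")]
            out["chosen"] = m.group(2)      # first enctype of the pair logged after "using"
            out["aes_offered_not_used"] = (any(e.startswith("aes") for e in offered)
                                           and not m.group(2).startswith("aes"))
    return out
```

On the sample records, `summarize(SAMPLE)` reports a 10-hour ticket renewable for 168 hours, issued with arcfour-hmac-md5 although the client listed AES enctypes.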