[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success

Dmitry MiksIr miksir at maker.ru
Wed Aug 19 19:00:17 UTC 2015


Problem still exists.
Found the following in DC logs, maybe this can help:

[2015/08/19 19:53:25.269954,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- BELKA$@FOREST.INT.ARTUTKIN.RU
[2015/08/19 19:53:25.269971,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- BELKA$@FOREST.INT.ARTUTKIN.RU
[2015/08/19 19:53:25.270024,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: ENC-TS Pre-authentication succeeded -- BELKA$@FOREST.INT.ARTUTKIN.RU using arcfour-hmac-md5
[2015/08/19 19:53:25.270699,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ authtime: 2015-08-19T19:53:25 starttime: unset endtime: 2015-08-20T05:53:25 renew till: 2015-08-26T19:53:25
[2015/08/19 19:53:25.270780,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
[2015/08/19 19:53:25.270805,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Requested flags: renewable, forwardable
[2015/08/19 19:53:25.271422,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2015/08/19 19:53:25.271514,  3] ../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2015/08/19 19:53:29.539995,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2015/08/19 19:53:29.540091,  3] ../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2015/08/19 19:53:34.545189,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2015/08/19 19:53:34.545282,  3] ../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2015/08/19 19:53:36.948881,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2015/08/19 19:53:36.948973,  3] ../source4/smbd/process_single.c:114(single_terminate)
.... repeat last 2 messages many times

12.08.2015 17:07, Dmitry MiksIr wrote:
> 12.08.2015 15:22, Rowland Penny wrote:
>> On 12/08/15 12:17, Dmitry MiksIr wrote:
>>
>> Hi, I think your kerberos ticket is expiring, but don't really know why.
>>
>> As Louis has said, you don't need these lines in krb5.conf:
>>
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>>
>
> Ok, I will try to remove. Let's see.
>
>> You also don't need these lines in smb.conf:
>>
>> idmap cache time = 5
>> idmap negative cache time = 5
>> winbind cache time = 5
>
> Well, it's because I don't want to wait a long time after adding new users
> or changing group membership (and it happens very often). Performance
> is not very important for me. Maybe I'll increase this time a little bit,
> but the default 300(?) is too much for me.
>
>>
>> Is this a typo ?
>
> No. I tried to use the tdb2 idmap script to map well-known SIDs to local
> groups (like S-1-5-11 to `users`, and S-1-5-32-544 to `wheel`). But it
> did not work for a few SIDs and I switched back to tdb and added this map
> via `net groupmap`. Just forgot to remove `idmap config * : script`
>
>>
>> idmap config * : backend = tdb
>>
>> shouldn't it be:
>>
>> idmap config * : backend = tdb2
>>
>> as you are also using:
>>
>> idmap config * : script = /etc/samba/idmap.sh
>>
>> What OS are you using ?
>> What version of Samba and where is it from (distro packages, self
>> compiled etc)
>
> Debian Jessie
> Sernet Samba 4.2.3-7
>
>>
>> Rowland
>>
>>
>
>
>




