[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
rpenny at samba.org
Sat Apr 9 09:54:50 UTC 2016
Taking this back on list where it belongs:
On 09/04/16 10:31, Lists wrote:
>> Are you 100% sure it is off, even better would be to remove it (or
>> change '.local' to something else)
> yes I am.
> systemctl list-unit-files | grep avahi
> avahi-daemon.service disabled
> avahi-daemon.socket disabled
>> Try making your smb.conf look like the example one on the wiki page,
>> this is known to work.
netbios name = SOLAD
security = ADS
workgroup = SOLAE
realm = SOLAE.LOCAL
log file = /var/log/samba/%m.log
log level = 1
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# Important: The ranges of the default (*) idmap config
# and the domain(s) must not overlap!
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain SOLAE
idmap config SOLAE:backend = rid
idmap config SOLAE:range = 10000-99999
# Use template settings for login shell and home directory
winbind nss info = template
template shell = /sbin/bash
template homedir = /home/%U
>> Does the machine you are trying to join, have the DCs ipaddress as the
>> first (and preferably only) nameserver in /etc/resolv.conf ?
> here is the /etc/resolv.conf
> # Generated by NetworkManager
> search solae.local
> nameserver 10.0.0.22
> nameserver 10.0.0.2
>> Are you using dhcp on the domain member you are trying to join ?
>> If so, is your DHCP server sending the full and correct data ?
> No. I am not using DHCP.
>> Do you have a line starting 127.0.1.1 in /etc/hosts, if so. I would
> ?suggest removing it.
> here is the /etc/hosts
> #10.0.0.22 solad solad.solae.local
> 10.0.0.25 solfs solfs.solae.local
> #127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
Hmm, bit confused here, it looks like '10.0.0.22' is the ipaddress of
the machine you are trying to join, but you have it commented out in
/etc/hosts , I would suggest you remove the comment '#' from
'10.0.0.22', '127.0.0.1' and '::1', I would also suggest you remove the
entire '10.0.0.25' line, it doesn't seem to have anything to do with
If '10.0.0.22' is the ipaddress of the client you are trying to join,
then it also seems to be trying to use itself as a nameserver:
# Generated by NetworkManager
I would suggest removing the '10.0.0.22' line from /etc/resolv.conf and
if '10.0.0.2' isn't the ipaddress of the DC, change it to the ip of the DC.
Once the changes are made, try again with:
net ads join -U Administrator
More information about the samba