[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
Rowland Penny
rpenny at samba.org
Sat Apr 9 09:54:50 UTC 2016
Taking this back on list where it belongs:
On 09/04/16 10:31, Lists wrote:
>> Are you 100% sure it is off, even better would be to remove it (or
>> change '.local' to something else)
> yes I am.
>
> systemctl list-unit-files | grep avahi
> avahi-daemon.service disabled
> avahi-daemon.socket disabled
>
OK
>> Try making your smb.conf look like the example one on the wiki page,
>> this is known to work.
> ???
Like this:
[global]
    netbios name = SOLAD
    security = ADS
    workgroup = SOLAE
    realm = SOLAE.LOCAL
    log file = /var/log/samba/%m.log
    log level = 1
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    # Important: The ranges of the default (*) idmap config
    # and the domain(s) must not overlap!
    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    # idmap config for domain SOLAE
    idmap config SOLAE:backend = rid
    idmap config SOLAE:range = 10000-99999
    # Use template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/%U
>
> https://wiki.samba.org/index.php/Idmap_config_rid
>
>> Does the machine you are trying to join have the DC's IP address as the
>> first (and preferably only) nameserver in /etc/resolv.conf ?
> here is the /etc/resolv.conf
>
> # Generated by NetworkManager
> search solae.local
> nameserver 10.0.0.22
> nameserver 10.0.0.2
>
>> Are you using dhcp on the domain member you are trying to join ?
>> If so, is your DHCP server sending the full and correct data ?
> No. I am not using DHCP.
>
>> Do you have a line starting 127.0.1.1 in /etc/hosts? If so, I would
>> suggest removing it.
>
> here is the /etc/hosts
>
> #10.0.0.22 solad solad.solae.local
> 10.0.0.25 solfs solfs.solae.local
> #127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
>
Hmm, bit confused here, it looks like '10.0.0.22' is the IP address of
the machine you are trying to join, but you have it commented out in
/etc/hosts. I would suggest you remove the comment '#' from
'10.0.0.22', '127.0.0.1' and '::1'. I would also suggest you remove the
entire '10.0.0.25' line, it doesn't seem to have anything to do with
this client.
If '10.0.0.22' is the IP address of the client you are trying to join,
then it also seems to be trying to use itself as a nameserver:

    # Generated by NetworkManager
    search solae.local
    nameserver 10.0.0.22
    nameserver 10.0.0.2

I would suggest removing the '10.0.0.22' line from /etc/resolv.conf and
if '10.0.0.2' isn't the IP address of the DC, change it to the IP of the DC.
Once the changes are made, try again with:

    net ads join -U Administrator

Rowland
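
An added example, not part of the original post and not Samba project code: a small checker for the /etc/resolv.conf and /etc/hosts points raised in this thread (DC first in resolv.conf, client not resolving through itself, no 127.0.1.1 line, active lines for the client's own address and localhost). The function name, the 192.0.2.x addresses, and the example.internal names are constructed for illustration.

```python
import ipaddress

def fields(text):
    """Split each active line into fields, dropping '#' comments and blanks."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r for r in rows if r]

def check_member(resolv_conf, hosts, client_ip, dc_ip, fqdn):
    """Return findings for the DNS and hosts points raised in the thread."""
    ip = ipaddress.ip_address
    client, dc = ip(client_ip), ip(dc_ip)
    findings = []
    servers = [ip(r[1]) for r in fields(resolv_conf)
               if r[0] == "nameserver" and len(r) > 1]
    if not servers or servers[0] != dc:
        findings.append("resolv.conf: first nameserver is not the DC")
    if client in servers:
        findings.append("resolv.conf: client uses itself as a nameserver")
    rows = [(ip(r[0]), [n.lower() for n in r[1:]]) for r in fields(hosts)]
    if any(addr == ip("127.0.1.1") for addr, _ in rows):
        findings.append("hosts: 127.0.1.1 line present")
    if not any(a == client and fqdn.lower() in names for a, names in rows):
        findings.append("hosts: no active line maps the client IP to its FQDN")
    for loop in ("127.0.0.1", "::1"):
        if not any(a == ip(loop) and "localhost" in n for a, n in rows):
            findings.append(f"hosts: no active localhost line for {loop}")
    return findings

# Constructed sample files (assumed client 192.0.2.25, assumed DC 192.0.2.2).
BAD_RESOLV = """# Generated by NetworkManager
search example.internal
nameserver 192.0.2.25
nameserver 192.0.2.2
"""
BAD_HOSTS = """#192.0.2.25 member1.example.internal member1
127.0.1.1 member1
#127.0.0.1 localhost localhost.localdomain
#::1 localhost localhost.localdomain
"""
GOOD_RESOLV = "search example.internal\nnameserver 192.0.2.2\n"
GOOD_HOSTS = """127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
192.0.2.25 member1.example.internal member1
"""
ARGS = ("192.0.2.25", "192.0.2.2", "member1.example.internal")

if __name__ == "__main__":
    for finding in check_member(BAD_RESOLV, BAD_HOSTS, *ARGS):
        print(finding)
```
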