[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
Rowland penny
rpenny at samba.org
Sat Apr 9 10:24:53 UTC 2016
On 09/04/16 11:09, Lists wrote:
> First of all, the IP of the Samba AD DC is 10.0.0.22 and the smb.conf of this AD server is the following:
> [global]
> workgroup = SOLAE
> realm = SOLAE.LOCAL
> #security = ads
> # Use password server option only with security = server
> #password server = solad.solae.local
> netbios name = SOLAD
> server role = active directory domain controller
> dns forwarder = 10.0.0.2
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/solae.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>> Like this:
>>
>> [global]
>> netbios name = SOLAD
>> security = ADS
>> workgroup = SOLAE
>> realm = SOLAE.LOCAL
>> log file = /var/log/samba/%m.log
>> log level = 1
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = yes
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> # Important: The ranges of the default (*) idmap config
>> # and the domain(s) must not overlap!
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> # idmap config for domain SOLAE
>> idmap config SOLAE:backend = rid
>> idmap config SOLAE:range = 10000-99999
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /sbin/bash
>> template homedir = /home/%U
> I have also changed /etc/hosts:
>
> 10.0.0.22 solad solad.solae.local
> 10.0.0.25 solfs solfs.solae.local
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
> I changed the smb.conf as shown previously and I get the same message:
>
> net ads join -U Administrator
> Enter Administrator's password:
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Miscellaneous failure (see text) : Server (ldap/solad.solae.local at SOLAE.LOCAL) unknown
> Failed to join domain: failed to connect to AD: Miscellaneous failure (see text) : Server (ldap/solad.solae.local at SOLAE.LOCAL) unknown
>
> Also take a look at the link https://wiki.samba.org/index.php/Idmap_config_rid.
>
>
>
> ----- Original message -----
> From: "Rowland penny" <rpenny at samba.org>
> To: "Lists" <list at solae.gr>, "samba" <samba at lists.samba.org>
> Sent: Saturday, April 9, 2016 12:54:50 PM
> Subject: Re: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
>
> Taking this back on list where it belongs:
> net ads join -U Administrator
> Enter Administrator's password:
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Miscellaneous failure (see text) : Server (ldap/solad.solae.local at SOLAE.LOCAL) unknown
> Failed to join domain: failed to connect to AD: Miscellaneous failure (see text) : Server (ldap/solad.solae.local at SOLAE.LOCAL) unknown
>
> On 09/04/16 10:31, Lists wrote:
>>> Are you 100% sure it is off, even better would be to remove it (or
>>> change '.local' to something else)
>> yes I am.
>>
>> systemctl list-unit-files | grep avahi
>> avahi-daemon.service disabled
>> avahi-daemon.socket disabled
>>
> OK
>
>>> Try making your smb.conf look like the example one on the wiki page,
>>> this is known to work.
>> ???
> Like this:
>
> [global]
> netbios name = SOLAD
> security = ADS
> workgroup = SOLAE
> realm = SOLAE.LOCAL
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # Important: The ranges of the default (*) idmap config
> # and the domain(s) must not overlap!
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SOLAE
> idmap config SOLAE:backend = rid
> idmap config SOLAE:range = 10000-99999
>
> # Use template settings for login shell and home directory
> winbind nss info = template
> template shell = /sbin/bash
> template homedir = /home/%U
>
>> https://wiki.samba.org/index.php/Idmap_config_rid
>>
>>> Does the machine you are trying to join, have the DCs ipaddress as the
>>> first (and preferably only) nameserver in /etc/resolv.conf ?
>> here is the /etc/resolv.conf
>>
>> # Generated by NetworkManager
>> search solae.local
>> nameserver 10.0.0.22
>> nameserver 10.0.0.2
>>
>>> Are you using dhcp on the domain member you are trying to join ?
>>> If so, is your DHCP server sending the full and correct data ?
>> No. I am not using DHCP.
>>
>>> Do you have a line starting 127.0.1.1 in /etc/hosts, if so, I would
>>> suggest removing it.
>>
>> here is the /etc/hosts
>>
>> #10.0.0.22 solad solad.solae.local
>> 10.0.0.25 solfs solfs.solae.local
>> #127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>> #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>>
>>
>
Getting even more confused now:

You tell me that the ip of the AD DC is: 10.0.0.22

Your new /etc/hosts says that 10.0.0.22 has the hostname: solad (note
this shouldn't be in /etc/hosts on the domain member)

Your original post had this:

[global]
netbios name = SOLAD
workgroup = SOLAE
realm = SOLAE.LOCAL
security = ADS
server role = member server

You have now posted this:

[global]
workgroup = SOLAE
realm = SOLAE.LOCAL
#security = ads
# Use password server option only with security = server
#password server = solad.solae.local
netbios name = SOLAD
server role = active directory domain controller

Notice any similarity ?? I will give you a hint

Domain member: netbios name = SOLAD
AD DC : netbios name = SOLAD

The netbios name *must* be the short hostname of the computer, therefore
they cannot be the same.
Rowland
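
The check described in the reply above, as an added example that is not part of the original post and not Samba tooling: it compares the [global] sections of the DC's and the member's smb.conf and the member's /etc/hosts before a join is attempted. The function names, the sample strings and the member hostname solfs.solae.local are assumptions made for illustration.

```python
import re

# Constructed sample input modelled on the configs quoted in the thread;
# the member's hostname (solfs) is an assumption, not stated in the posts.
DC_CONF = """[global]
netbios name = SOLAD
server role = active directory domain controller
"""
MEMBER_CONF = """[global]
netbios name = SOLAD
security = ADS
"""
MEMBER_HOSTS = """10.0.0.22 solad solad.solae.local
10.0.0.25 solfs solfs.solae.local
"""
MEMBER_HOSTNAME = "solfs.solae.local"

def global_params(conf_text):
    """Return [global] parameters; smb.conf names ignore case and spaces."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_member(dc_conf, member_conf, member_hostname, member_hosts):
    """Return the problems found with the member's configuration."""
    dc, member = global_params(dc_conf), global_params(member_conf)
    short = member_hostname.split(".")[0].upper()
    # Samba defaults netbios name to the short hostname when it is unset.
    dc_name = dc.get("netbiosname", "").upper()
    m_name = member.get("netbiosname", short).upper()
    problems = []
    if dc_name and m_name == dc_name:
        problems.append("member netbios name %s duplicates the DC" % m_name)
    if m_name != short:
        problems.append("netbios name %s is not the short hostname %s" % (m_name, short))
    for entry in member_hosts.splitlines():
        fields = entry.split("#", 1)[0].split()
        if dc_name in (f.split(".")[0].upper() for f in fields[1:]):
            problems.append("DC listed in member /etc/hosts: " + " ".join(fields))
    return problems
```

With the sample input, `check_member(DC_CONF, MEMBER_CONF, MEMBER_HOSTNAME, MEMBER_HOSTS)` reports all three issues raised in the reply; on a live system the same values can be read with `testparm -s` and `hostname -s`.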