[Samba] Samba 4.4.2 as AD server: clients OK but server fails "wbinfo -K"

Gerben Roest g.roest at grepit.nl
Thu Apr 21 08:50:48 UTC 2016


On 21-04-16 09:33, Rowland Penny wrote:
> On 20/04/16 22:24, Gerben Roest wrote:
>> I have set up a samba 4.4.2 AD server, and it works fine for its Windows
>> and Linux clients. Only the server itself behaves peculiarly:
>>
>> Linux accounts show up as DOMAIN\username (in prompt and with whoami),
>> on all Linux clients the user accounts are normal (just their username),
>>
>> and only on the server "wbinfo -K username" fails. On the clients it
>> works. The server complains about that:
>>
>> 22:59:54 root at sambaserver:samba# wbinfo --verbose -K john
>> Enter john's password:
>> plaintext kerberos password authentication for [john] failed (requesting
>> cctype: FILE)
>> wbcLogonUser(john): error code was NT_STATUS_CONNECTION_DISCONNECTED
>> (0xc000020c)
>> error message was: The transport connection is now disconnected.
>> Could not authenticate user [john] with Kerberos (ccache: FILE)
>>
>> The error in /usr/local/samba-4-4/var/log.wb-DOMAIN is:
>>
>> [2016/04/20 23:00:04.704273,  1]
>> ../source3/librpc/crypto/gse_krb5.c:416(fill_mem_keytab_from_system_keytab)
>>
>>    ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
>> (No such file or directory)
>> [2016/04/20 23:00:04.704321,  0] ../lib/util/fault.c:78(fault_report)
>>    ===============================================================
>> [2016/04/20 23:00:04.704369,  0] ../lib/util/fault.c:79(fault_report)
>>    INTERNAL ERROR: Signal 11 in pid 8564 (4.4.2)
>>    Please read the Trouble-Shooting section of the Samba HOWTO
>> [2016/04/20 23:00:04.704427,  0] ../lib/util/fault.c:81(fault_report)
>>    ===============================================================
>> [2016/04/20 23:00:04.704476,  0] ../source3/lib/util.c:791(smb_panic_s3)
>>    PANIC (pid 8564): internal error
>>
>>
>> Any ideas?
>>
>> thanks
>>
>> Gerben
>>
> 
> Works for me. Can you post your smb.conf from the DC?

Yes, here it is:

[global]
	netbios name = SAMBASERVER
	realm = AD.DOMAIN.NL
	workgroup = DOMAIN
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	template shell = /bin/bash
	template homedir = /home/%U
	dns forwarder = 8.8.8.8
	kerberos method = secrets and keytab
	dedicated keytab file = /usr/local/samba-4.4/private/secrets.keytab
	log level = 1
	follow symlinks = true
	wide links = yes
	unix extensions = no
	winbind use default domain = yes
	logon script = netlogon.bat
	vfs objects = acl_xattr
	map acl inherit = yes
	store dos attributes = yes

The clients have this:

[global]

	workgroup = DOMAIN
	security = ADS
	realm = AD.DOMAIN.NL
	idmap config *: backend = tdb
	idmap config *: range = 100000-200000
	idmap config DOMAIN : backend = ad
	idmap config DOMAIN : range = 500-30000
	idmap config DOMAIN : default = yes
	idmap config DOMAIN : schema mode = rfc2307
	winbind nss info = rfc2307

	allow trusted domains = no
	kerberos method = secrets and keytab

	winbind trusted domains only = no
	winbind use default domain = yes
	winbind enum users  = yes
	winbind enum groups = yes
	winbind refresh tickets = yes
	template shell = /bin/bash
	template homedir = /home/%U

	password server = 192.168.10.36

	client use spnego = yes
	client ntlmv2 auth = yes
	encrypt passwords = yes
	restrict anonymous = 2
	domain master = no
	local master = no
	preferred master = no
	os level = 0

I have added the 7 lines from the client from idmap config until winbind
nss to the server's smb.conf, but that didn't help.

thanks, best regards
Gerben