[Samba] Problem with keytab: "Client not found in Kerberos database"

Brian Candler b.candler at pobox.com
Tue Dec 20 10:13:14 UTC 2016

L.P.H. van Belle wrote:
 > start with fixing the overlapping idmap config.
 > that wont help.

I don't think they are overlapping: I used 100,000-999,999 for rid and 
1,000,000 to 9,999,999 for autorid.

 > check again if host.fqdn a and ptr exists in the dns.

# dig +short wrn-radtest.ad.example.net. a
# dig +short -x

 > check resolv.conf

Points to two nearby instances of pdns recursor, which in turn forward 
domains "ad.example.net" and "5.168.192.in-addr.arpa" to the Samba servers.

 > make sure your primary domain is listed first.

It only has "ad.example.net" in the search section.

 > you left and rejoined the domain, so you can try regenerateing your 
keytab file also.

Yep, did that, no difference.

Rowland Penny wrote:

 > No, start by using the correct thing for '*':
 >  idmap config * : backend = tdb
 >  idmap config * : range = 1000000-9999999

I wasn't aware that the default *had* to be tdb; the manpage at
gives examples which don't use tdb at all, e.g.

	security = ads
	workgroup = CUSTOMER

	idmap config * : backend = autorid
	idmap config * : range = 1000000-1999999

Is it really wrong to use autorid for this?

Anyway: I have followed your advice, switched to tdb, left and rejoined 
domain, and regenerated the keytab. The problem is still there.

While doing this I found one stupid problem which was visible in my 
original post:

         imdap config AD : backend = rid

Arrgh!!!  (I noticed this because getent passwd 'AD\brian' started 
returning a tdb-assigned ID 1000000 instead of the RID-based ID)

But after fixing that (and net cache flush and restarting winbind), 
still no joy:

root at wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
DNS Update for wrn-radtest.ad.example.net failed: ERROR_DNS_UPDATE_FAILED
root at wrn-radtest:~# rm /etc/krb5.keytab
root at wrn-radtest:~# net ads keytab create -P
root at wrn-radtest:~# kdestroy
root at wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root at wrn-radtest:~# ldapsearch -Y GSSAPI -b 'dc=ad,dc=example,dc=net' -h 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
     additional info: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information 
(Client not found in Kerberos database)

root at wrn-radtest:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/wrn-radtest.ad.example.net at AD.EXAMPLE.NET

Valid starting       Expires              Service principal
12/20/2016 09:52:51  12/20/2016 19:52:51 
     renew until 12/21/2016 09:52:51

I assume the DNS update error on re-joining is just because there was an 
existing DNS entry. Indeed: if I leave the domain, remove the DNS 
record, and then join again, there is no error:

root at wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
root at wrn-radtest:~#

But still I can't use the keytab ticket for LDAP auth.

To be honest: I think the UID mapping is a red herring. If I underestand 
correctly, mapping RID to unix UID is something which is local to the 
client system. I can't see how it would affect our Kerberos ticket being 
accepted by the LDAP server.

I will keep digging...



More information about the samba mailing list