[Samba] Problem with keytab: "Client not found in Kerberos database"
Brian Candler
b.candler at pobox.com
Tue Dec 20 10:13:14 UTC 2016
L.P.H. van Belle wrote:
> start with fixing the overlapping idmap config.
> that wont help.
I don't think they are overlapping: I used 100,000-999,999 for rid and
1,000,000 to 9,999,999 for autorid.
> check again if host.fqdn a and ptr exists in the dns.
# dig +short wrn-radtest.ad.example.net. a
192.168.5.83
# dig +short -x 192.168.5.83
wrn-radtest.ad.example.net.
> check resolv.conf
Points to two nearby instances of pdns recursor, which in turn forward
domains "ad.example.net" and "5.168.192.in-addr.arpa" to the Samba servers.
> make sure your primary domain is listed first.
It only has "ad.example.net" in the search section.
> you left and rejoined the domain, so you can try regenerating your
> keytab file also.
Yep, did that, no difference.
Rowland Penny wrote:
> No, start by using the correct thing for '*':
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-9999999
I wasn't aware that the default *had* to be tdb; the manpage at
https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html
gives examples which don't use tdb at all, e.g.
[global]
security = ads
workgroup = CUSTOMER
realm = CUSTOMER.COM
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
Is it really wrong to use autorid for this?
Anyway: I have followed your advice, switched to tdb, left and rejoined
domain, and regenerated the keytab. The problem is still there.
While doing this I found one stupid problem which was visible in my
original post:
imdap config AD : backend = rid
Arrgh!!! (I noticed this because getent passwd 'AD\brian' started
returning a tdb-assigned ID 1000000 instead of the RID-based ID)
But after fixing that (and net cache flush and restarting winbind),
still no joy:
root@wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
DNS Update for wrn-radtest.ad.example.net failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
root@wrn-radtest:~# rm /etc/krb5.keytab
root@wrn-radtest:~# net ads keytab create -P
root@wrn-radtest:~# kdestroy
root@wrn-radtest:~# kinit -k -t /etc/krb5.keytab
root@wrn-radtest:~# ldapsearch -Y GSSAPI -b 'dc=ad,dc=example,dc=net' -h wrn-dc1.ad.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Client not found in Kerberos database)
root@wrn-radtest:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET

Valid starting       Expires              Service principal
12/20/2016 09:52:51  12/20/2016 19:52:51  krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
        renew until 12/21/2016 09:52:51
I assume the DNS update error on re-joining is just because there was an
existing DNS entry. Indeed: if I leave the domain, remove the DNS
record, and then join again, there is no error:
root@wrn-radtest:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD
Joined 'WRN-RADTEST' to dns domain 'ad.example.net'
root@wrn-radtest:~#
But still I can't use the keytab ticket for LDAP auth.
To be honest: I think the UID mapping is a red herring. If I understand
correctly, mapping RID to unix UID is something which is local to the
client system. I can't see how it would affect our Kerberos ticket being
accepted by the LDAP server.
I will keep digging...
Thanks,
Brian.
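The checks the thread walks through by hand (forward and reverse DNS agree, the keytab holds the principal kinit used, the realm matches the DNS domain) can be scripted. This is an added example, not code from the original post or from Samba; the keytab and ticket-cache listings are constructed samples modelled on the message above, and the resolvers are injectable so it runs offline.

```python
"""Keytab/DNS consistency checks for a Samba domain member (added example).

Parses the text output of `klist -k -t` and `klist` and checks what the thread
verifies by hand: forward and reverse DNS agree, the cached principal is in
the keytab, and its host part and realm match the DNS name. Sample listings
below are constructed, not captured from the original post.
"""
import re
from typing import Callable, Dict, List

# Constructed sample of `klist -k -t /etc/krb5.keytab` output.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 12/20/2016 09:50:01 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2 12/20/2016 09:50:01 host/WRN-RADTEST@AD.EXAMPLE.NET
   2 12/20/2016 09:50:01 WRN-RADTEST$@AD.EXAMPLE.NET
"""
# Constructed sample of `klist` after `kinit -k -t /etc/krb5.keytab`.
CACHE_LISTING = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
"""

def keytab_principals(listing: str) -> List[str]:
    """Principal column of a `klist -k -t` listing (KVNO, date, time, principal)."""
    return re.findall(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", listing, re.M)

def cache_principal(listing: str) -> str:
    """Default principal named in `klist` output."""
    m = re.search(r"^Default principal:\s+(\S+)\s*$", listing, re.M)
    if not m:
        raise ValueError("no default principal in ticket cache listing")
    return m.group(1)

def check_member(keytab: str, cache: str, fwd: Callable[[str], str],
                 rev: Callable[[str], str]) -> Dict[str, bool]:
    """Run the checks; fwd/rev are injectable A and PTR resolvers."""
    princ = cache_principal(cache)
    name, realm = princ.split("@", 1)
    host = name.split("/", 1)[1] if name.startswith("host/") else ""
    results = {"principal_in_keytab": princ in keytab_principals(keytab)}
    if host:
        # Same check as `dig +short host a` followed by `dig +short -x addr`.
        results["dns_forward_reverse_match"] = rev(fwd(host)) == host
        # A member's realm is normally the AD DNS domain upper-cased.
        results["realm_matches_domain"] = host.partition(".")[2].upper() == realm
    return results
```

On a real member, pass `socket.gethostbyname` and `lambda a: socket.gethostbyaddr(a)[0]` as the resolvers and feed in the live `klist` outputs; a stale PTR record shows up as `dns_forward_reverse_match` being False.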