[Samba] CentOS 6.8 + Samba4 + Kerberos: No credentials cache found

Ygor Thomaz ygorth at gmail.com
Wed Jul 13 17:35:35 UTC 2016


Hi everyone,

I am trying to release a server using CentOS 6.8 + Samba4 (Winbind - LDAP
+ Kerberos) + NSS.

I was able to join the domain, but I am still getting this warning/error
message:

[root@snfs2 ~]# net ads join -U myuser
Enter myuser's password:
***gss_init_sec_context failed with [Unspecified GSS failure.  Minor code
may provide more information: No credentials cache found]***
Using short domain name -- MYDOMAIN
Joined 'SNFS2' to dns domain 'MYDOMAIN.com'

Kerberos delivers the ticket normally:

[root@snfs2 ~]# kinit myuser
Password for myuser@DPPTORONTO.COM:
[root@snfs2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myuser@MYDOMAIN.COM

Valid starting     Expires            Service principal
07/13/16 12:44:49  07/13/16 22:44:51  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
    renew until 07/13/16 22:44:49

Below, you can find my configuration content:

[root@snfs2 ~]# cat /etc/samba/smb.conf

#####################
## GLOBAL SETTINGS ##
#####################
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ads
   server string = snfs2.MYDOMAIN.com
   server max protocol = SMB3
   encrypt passwords = true
   unix extensions = false
   client use spnego = true

   ## winbind
   winbind use default domain = true
   winbind offline logon = false
   winbind cache time = 300
   winbind nested groups = true
   winbind enum users = true
   winbind enum groups = true
   winbind refresh tickets = true
   winbind nss info = rfc2307
   winbind rpc only = false

   idmap config * : range = 16777216-33554431
   ## idmap config MYDOMAIN ##
   idmap config MYDOMAIN : backend = nss
   idmap config MYDOMAIN : schema_mode = rfc2307
   idmap config MYDOMAIN : range = 1000-999999
   idmap config MYDOMAIN : readonly = true

   ## logging
   log file = /var/log/samba/log.%m
   max log size = 2000
   log level = 2
   syslog only = true

   ## printers
   load printers = no
   printcap = /dev/null
   disable spoolss = yes

[root@snfs2 ~]# net ads testjoin
gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may
provide more information: No credentials cache found]
Join is OK

[root@snfs2 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Note: Heimdal 1.3.1 deprecated DES encryption which is required for AD
# authentication before Windows Server 2008.
allow_weak_crypto = true

[realms]
MYDOMAIN.COM = {
kdc = MYDOMAIN1.MYDOMAIN.com:88
kdc = MYDOMAIN2.MYDOMAIN.com:88
admin_server = MYDOMAIN1.MYDOMAIN.com:749
}

[domain_realm]
MYDOMAIN.com = MYDOMAIN.COM
.MYDOMAIN.com = MYDOMAIN.COM

nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap

Btw, I can access my samba share perfectly from my clients. I have exactly
the same configuration running normally on CentOS 7.2. No GSS msgs!

Does anyone have any idea what is causing this message?

Thank you!

--
Ygor Thomaz
Website: http://www.ygorthomaz.net/
"Be the change that you wish to see in the world." ― Mahatma Gandhi

