[Samba] CentOS 6.8 + Samba4 + Kerberos: No credentials cache found

Rowland penny rpenny at samba.org
Wed Jul 13 18:22:29 UTC 2016


On 13/07/16 18:35, Ygor Thomaz wrote:
> Hi everyone,
>
> I am trying to release a server using CentOS 6.8 + Samba4 (Winbind - LDAP
> + Kerberos) + NSS.
>
> I was able to join the domain, but I am still getting this warning/error
> message:
>
> [root@snfs2 ~]# net ads join -U myuser
> Enter myuser's password:
> ***gss_init_sec_context failed with [Unspecified GSS failure.  Minor code
> may provide more information: No credentials cache found]***
> Using short domain name -- MYDOMAIN
> Joined 'SNFS2' to dns domain 'MYDOMAIN.com'

Did you run 'kinit myuser' before trying to join the domain?

> Kerberos delivers the ticket normally:
>
> [root@snfs2 ~]# kinit myuser
> Password for myuser@DPPTORONTO.COM:
> [root@snfs2 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: myuser@MYDOMAIN.COM
>
> Valid starting     Expires            Service principal
> 07/13/16 12:44:49  07/13/16 22:44:51  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
>      renew until 07/13/16 22:44:49
>
> Below, you can find my configuration content:
>
> [root@snfs2 ~]# cat /etc/samba/smb.conf
>
> #####################
> ## GLOBAL SETTINGS ##
> #####################
> [global]
>     workgroup = MYDOMAIN
>     realm = MYDOMAIN.COM
>     security = ads
>     server string = snfs2.MYDOMAIN.com
>     server max protocol = SMB3
>     encrypt passwords = true
>     unix extensions = false
>     client use spnego = true
>
>     ## winbind
>     winbind use default domain = true
>     winbind offline logon = false
>     winbind cache time = 300
>     winbind nested groups = true
>     winbind enum users = true
>     winbind enum groups = true
>     winbind refresh tickets = true
>     winbind nss info = rfc2307
>     winbind rpc only = false
>
>     idmap config * : range = 16777216-33554431
>     ## idmap config MYDOMAIN ##
>     idmap config MYDOMAIN : backend = nss
>     idmap config MYDOMAIN : schema_mode = rfc2307
>     idmap config MYDOMAIN : range = 1000-999999
>     idmap config MYDOMAIN : readonly = true

I'm not sure if you can use the 'nss' backend with AD, and 'security = ads' 
says you are using AD. If you read the idmap_nss manpage, you will find 
this:

        The idmap_nss plugin provides a means to map Unix users and groups to
        Windows accounts and obsoletes the "winbind trusted domains only"
        smb.conf option. This provides a simple means of ensuring that the SID
        for a Unix user named jsmith is reported as the one assigned to
        DOMAIN\jsmith which is necessary for reporting ACLs on files and
        printers stored on a Samba member server.

You cannot have a Unix user called 'jsmith' and a user called 'jsmith' 
in AD; you can have one or the other, but not both.
You can however have a user called 'jsmith' in AD with the necessary 
rfc2307 attributes that will also make the user a Unix user. I suggest 
you see here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland
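As an added check that is not part of Rowland's reply or of the Samba project: a small POSIX shell lint for the two points raised above, a missing Kerberos ticket cache before `net ads join`, and the `nss` idmap backend configured for the AD domain while `security = ads`. The function names, the warning text and the embedded smb.conf fragment are my own constructions; `klist -s` is MIT Kerberos' silent mode.

```shell
#!/bin/sh
# Added example (not from the thread): lint an smb.conf for the issues
# discussed above. Assumes MIT Kerberos tools and a POSIX awk.

# Print the value of a [global] key; keys are compared case-insensitively
# with runs of whitespace collapsed, so "idmap config X : backend" matches.
smbconf_get() {  # usage: smbconf_get FILE "key name"
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]+/, " ", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (tolower(s) == "[global]"); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$1"
}

# Return 0 when the per-domain idmap backend is one normally used on an AD
# member; return 1 when 'nss' is paired with 'security = ads' (the posted setup).
lint_idmap_backend() {  # usage: lint_idmap_backend FILE
    sec=$(smbconf_get "$1" "security" | tr 'A-Z' 'a-z')
    dom=$(smbconf_get "$1" "workgroup")
    backend=$(smbconf_get "$1" "idmap config $dom : backend" | tr 'A-Z' 'a-z')
    if [ "$sec" = ads ] && [ "$backend" = nss ]; then
        echo "WARN: security = ads but 'idmap config $dom : backend = nss';" \
             "idmap_nss maps pre-existing Unix users. The Samba wiki's AD member" \
             "setup uses the 'ad' (rfc2307) or 'rid' backend instead." >&2
        return 1
    fi
    return 0
}

# Return 0 only when this shell already holds a valid Kerberos ticket cache,
# i.e. 'kinit' was run before 'net ads join' (klist -s is silent, exit 1 if none).
have_krb5_ccache() { command -v klist >/dev/null 2>&1 && klist -s; }

# Constructed smb.conf fragment mirroring the one posted in the thread.
demo=$(mktemp)
cat >"$demo" <<'EOF'
[global]
    workgroup = MYDOMAIN
    security = ads
    idmap config MYDOMAIN : backend = nss
    idmap config MYDOMAIN : schema_mode = rfc2307
EOF
lint_idmap_backend "$demo" || echo "lint flagged the posted idmap configuration"
rm -f "$demo"
```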