[Samba] CentOS 6.8 + Samba4 + Kerberos: No credentials cache found
Rowland penny
rpenny at samba.org
Wed Jul 13 18:22:29 UTC 2016
On 13/07/16 18:35, Ygor Thomaz wrote:
> Hi everyone,
>
> I am trying to release a server using CentOS 6.8 + Samba4 (Winbind - LDAP
> + Kerberos) + NSS.
>
> I was able to join the domain, but I still getting this warning/error
> message:
>
> [root at snfs2 ~]# net ads join -U myuser
> Enter myuser's password:
> ***gss_init_sec_context failed with [Unspecified GSS failure. Minor code
> may provide more information: No credentials cache found]***
> Using short domain name -- MYDOMAIN
> Joined 'SNFS2' to dns domain 'MYDOMAIN.com'
Did you run 'kinit myuser' before trying to join the domain?
> Kerberos delivers the ticket normally:
>
> [root at snfs2 ~]# kinit myuser
> Password for myuser at DPPTORONTO.COM:
> [root at snfs2 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: myuser at MYDOMAIN.COM
>
> Valid starting Expires Service principal
> 07/13/16 12:44:49 07/13/16 22:44:51 krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
> renew until 07/13/16 22:44:49
>
> Below, you can find my configuration content:
>
> [root at snfs2 ~]# cat /etc/samba/smb.conf
>
> #####################
> ## GLOBAL SETTINGS ##
> #####################
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
> security = ads
> server string = snfs2.MYDOMAIN.com
> server max protocol = SMB3
> encrypt passwords = true
> unix extensions = false
> client use spnego = true
>
> ## winbind
> winbind use default domain = true
> winbind offline logon = false
> winbind cache time = 300
> winbind nested groups = true
> winbind enum users = true
> winbind enum groups = true
> winbind refresh tickets = true
> winbind nss info = rfc2307
> winbind rpc only = false
>
> idmap config * : range = 16777216-33554431
> ## idmap config MYDOMAIN ##
> idmap config MYDOMAIN : backend = nss
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 1000-999999
> idmap config MYDOMAIN : readonly = true
I'm not sure if you can use the 'nss' backend with AD, and 'security = ads'
says you are using AD. If you read the idmap_nss manpage, you will find
this:
The idmap_nss plugin provides a means to map Unix users and groups to
Windows accounts and obsoletes the "winbind trusted domains only"
smb.conf option. This provides a simple means of ensuring that the SID
for a Unix user named jsmith is reported as the one assigned to
DOMAIN\jsmith which is necessary for reporting ACLs on files and
printers stored on a Samba member server.
You cannot have a Unix user called 'jsmith' and a user called 'jsmith'
in AD, you can have one or the other, but not both.
You can however have a user called 'jsmith' in AD with the necessary
rfc2307 attributes that will also make the user a Unix user. I suggest
you see here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Rowland
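As an added example (not part of this thread or of Samba itself), a small Python lint that parses the idmap lines of an smb.conf like the one quoted above and flags the two things the reply turns on: a 'nss' backend on a 'security = ads' member, and idmap ranges that overlap between '*' and the domain. The sample config is constructed from the quoted one, and treating 'ad' as the intended replacement backend is an assumption based on the quoted 'schema_mode = rfc2307' line, which is an idmap_ad option.

```python
import re
# Constructed sample smb.conf, modelled on the one quoted in the thread (not verbatim).
SMB_CONF = """[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ads
idmap config * : range = 16777216-33554431
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 1000-999999
idmap config MYDOMAIN : readonly = true
"""
# idmap config <domain> : <option> = <value>
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_global(conf):
    settings, idmap = {}, {}  # ([global] settings, {domain: {idmap option: value}})
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = IDMAP_RE.match(line)
        if m:  # domain names are case-insensitive in smb.conf
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip().lower()] = v.strip()
    return settings, idmap

def lint_idmap(conf):
    """Return findings about the idmap layout; an empty list means it looks sane."""
    settings, idmap = parse_global(conf)
    ad_member = settings.get("security", "").lower() == "ads"
    findings, ranges = [], {}
    for dom, opts in idmap.items():
        if "range" not in opts:
            findings.append(f"{dom}: no idmap range configured")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[dom] = (lo, hi)
        # Flags what the reply questions; 'ad' is assumed here because schema_mode is an idmap_ad option.
        if ad_member and dom != "*" and opts.get("backend", "").lower() == "nss":
            findings.append(f"{dom}: backend 'nss' on an AD member; 'ad' (rfc2307) or 'rid' expected")
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # every pair of idmap ranges must be disjoint
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} and {b}: idmap ranges overlap")
    return findings
```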