[Samba] [samba] ldapsearch & GSSAPI => Server not found in Kerberos database

mathias dufresne infractory at gmail.com
Tue Jun 7 15:50:06 UTC 2016 

More information, making me more crazy:
- ldapsearch without SASL is working from any host:
 ldapsearch  -D 'CN=user-ldapmodify,OU=OurUsers,DC=ad,DC=domain,dc=tld' -w
Passw0rd -x -ZZ -b 'dc=ad,DC=domain,dc=tld' -h dc106
sAMAccountName=administrator dn

- ldapsearch with SASL is not working (Kerberos ticket existing following a
working kinit) from any host but it works when launched from the
non-working-server
kinit -k -t administrator.keytab administrator
ldapsearch -Y GSSAPI -b 'dc=ad,dc=domain,dc=tld' -h dc106
sAMAccountName=administrator dn -d256

- kinit works from any tested host (exporting KRB5_CONFIG variable to point
to a krb5.conf forcing usage of my non-working-server)
with config containing:
[libdefaults]
        default_realm = AD.DOMAIN.TLD

[realms]
        AD.DOMAIN.TLD = {
                kdc = 10.11.12.13
}



2016-06-07 15:29 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hi all,
>
> I've got on AD DC using Samba 4.4.3 on Centos7 which accept Kerberos
> connections (kinit is working), which accept ldapsearch with credentials
> but which refuse ldapsearch with GSSAPI.
>
> The issue does not seem to be coming from the client as I discovered this
> issue writing a script to test all 22 DC, and all 21 others DC are working
> well from that client.
>
> The error:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information (Server
> not found in Kerberos database)
>
> I did reinstall the whole server ('cause I'm lazy, hoping the issue
> disappear by itself) but the issue was the same, i did reinstall it again
> (a script do that, I'm really lazy) but after demoting it from FSMO owner
> with --remove-other-dead-server, same issue.
>
> All DCs have same configuration file, as it'sa  script which manage
> installation I expect they are all identical and so I'm totally puzzled
> facing this issue. If anyone has some idea, some leads, I take it : )
>

More information about the samba mailing list