[Samba] openindiana GSSAPI failure to samba 4.6.6

L.P.H. van Belle belle at bazuin.nl
Mon Jul 31 12:25:34 UTC 2017


Hi,

You have 3 places to look where your keytab can be found.

When "kerberos method" is set to "dedicated keytab", see the parameter:
 dedicated keytab file = /where/your/krb5.keytab

The system default keytab (on my Debian system): /etc/krb5.keytab
Yours might be in: /etc/krb5/krb5.keytab

The Samba keytab, if "dedicated keytab file" is not used
(on my Debian system):
/var/lib/samba/private/secret.keytab

And check them all:
klist -ke /var/lib/samba/private/secret.keytab
klist -ke /etc/krb5/krb5.keytab



Greetz, 

Louis
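As an added example (not code from this post or from Samba), the following POSIX shell script follows the three places listed above: it reads "kerberos method" and "dedicated keytab file" from smb.conf, adds the system keytab and Samba's private keytab, and runs `klist -ke` on each candidate that exists, reporting the ones that are missing instead of failing. The smb.conf, system keytab and private-dir paths are the Debian defaults taken from the reply and are assumptions; override them through the environment variables at the top. Samba itself names its private keytab secrets.keytab, so the script checks that spelling alongside the one used in the reply.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from Samba.
# Locate every keytab that could be in play (the three places the reply
# names) and dump principals, kvnos and enctypes with `klist -ke` for each
# one that exists, so you can see which keytab is actually populated and
# whether its principal matches the account AD knows about.
# Assumed defaults (Debian paths from the reply; override via environment):
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
SYSTEM_KEYTAB="${SYSTEM_KEYTAB:-/etc/krb5.keytab}"
SAMBA_PRIVATE="${SAMBA_PRIVATE:-/var/lib/samba/private}"

# smb_param FILE NAME
# Print the value of parameter NAME from the [global] section of FILE.
# Parameter names are case-insensitive, whitespace around '=' is ignored,
# lines starting with '#' or ';' are comments. Prints nothing if unset.
smb_param() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line ~ /^[#;]/ || index(line, "=") == 0) next
            eq  = index(line, "=")
            key = substr(line, 1, eq - 1); gsub(/[ \t]+$/, "", key)
            if (tolower(key) != want) next
            val = substr(line, eq + 1); gsub(/^[ \t]+/, "", val)
            print val; exit
        }' "$1"
}

# keytab_candidates FILE
# Print the keytab paths worth checking, one per line, in the order the
# reply gives them: dedicated keytab (only when that method is configured),
# system keytab, Samba's own keytab in the private directory.
keytab_candidates() {
    conf="$1"
    method=$(smb_param "$conf" "kerberos method" | tr 'A-Z' 'a-z')
    dedicated=$(smb_param "$conf" "dedicated keytab file")
    if [ "$method" = "dedicated keytab" ] && [ -n "$dedicated" ]; then
        printf '%s\n' "$dedicated"
    fi
    printf '%s\n' "$SYSTEM_KEYTAB"
    # Samba writes secrets.keytab; the reply spells it secret.keytab, so both.
    printf '%s\n' "$SAMBA_PRIVATE/secrets.keytab" "$SAMBA_PRIVATE/secret.keytab"
}

# dump_keytabs FILE
# Run `klist -ke` on every candidate that is readable; say so for the rest.
dump_keytabs() {
    keytab_candidates "$1" | while IFS= read -r kt; do
        if [ -r "$kt" ]; then
            echo "== $kt"
            klist -ke "$kt"
        else
            echo "== $kt: not present or not readable"
        fi
    done
}

# Usage: sh keytabs.sh /etc/samba/smb.conf
if [ -n "${1:-}" ]; then
    dump_keytabs "$1"
fi
```

Compare the principal and kvno printed for the account against what AD holds for it; a "Client not found in Kerberos database" from the KDC means the principal name in the keytab being used does not exist in AD at all, which is a different problem from a stale key (kvno mismatch).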

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> mathias dufresne via samba
> Sent: Monday, 31 July 2017 10:59
> To: Greg Dickie
> CC: samba
> Subject: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
> 
> 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba 
> <samba at lists.samba.org>:
> 
> > Hi,
> >
> >  We recently updated our AD servers to 4.6.6 and one of the things
> > that stopped working was our ZFS server running illumos. The idmap
> > daemon is trying to bind to LDAP using SASL/GSSAPI and is
> > failing with
> >
> > additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> > GSS failure.  Minor code may provide more information (Client not
> > found in Kerberos database)
> >
> > I think this is usually caused by DNS inconsistencies but everything
> > looks fine and it was working before the upgrade.
> >
> > klist shows tickets
> >
> 
> I don't think this is relevant: from what I feel I have
> understood, Samba generates its own tickets somewhere but not
> in /tmp, not available with klist.

> 
> 
> > and doing an ldapsearch on the command line using GSSAPI seems to
> > work fine.
> >
> 
> That's a good point... provided you are using the same account and
> keytab as Samba.
> 
> 
> >
> > Has anyone encountered this? Any idea how to debug?
> >
> 
> No.
> But machine accounts have a password and this password is
> supposed to change in MS AD. I'm not sure it is changing with
> Samba AD, but it could, as Samba means to reproduce MS AD behavior.
> 
> No idea about illumos, but the klist you mentioned, as well as the
> ldapsearch using the ticket of that klist, have to be tested
> using the very same account used by illumos and the same
> keytab, if any.
> 
> You could check that account to see it was modified since the 
> update you mentioned (pwdLastSet, whenChanged).
> 
> No idea if this could help, just a try...
> 
> 
> >
> > Thanks,
> > Greg
> >
> > --
> >
> >
> > Greg Dickie
> > just a guy
> > 514-983-5400
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
