[Samba] Debian 4.17.3 Kerberos/SPNEGO

Dale samba at txschroeder.family
Fri Nov 25 16:33:40 UTC 2022

I've been following all the threads about Debian's samba 4.17.3+dfsg-1 
and dfsg-2 to see if the answer for my broken shares would be revealed.  
While similar, I haven't seen the exact same problem, so this may be an 

Following is the history.

Debian bullseye 64-bit with 4.17.3+dfsg-1 from backports -- no problems, 
and the shares keep working.  It sounds like that is to be expected.

Debian bookworm 32-bit with 4.17.3+dfsg-1 -- all shares inaccessible, 
but were restored by dfsg-2.  Again, that seems to be expected.

Debian bookworm 64-bit with 4.17.3+dfsg-1 -- all shares inaccessible and 
_not_ restored by dfsg-2.  This, I did not expect.  A simple kinit on 
this system succeeds, however "net ads testjoin" results in the error 
message below, while telling me the join is good.

> gse_get_client_auth_token: gss_init_sec_context failed with [ 
> Miscellaneous failure (see text): FAST fast response is missing 
> FX-FAST (ldap/dc1.domain.realm.tld at DOMAIN.REALM.TLD)](2529639059)
> ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos 
> failed for ldap/dc1.domain.realm.tld - user[AM1100$], 
> realm[DOMAIN.REALM.TLD]: The attempted logon is invalid. This is 
> either due to a bad username or authentication information.
> Join is OK

Because of this weirdness, out of an abundance of caution, I have not 
updated the bullseye 64-bit system, as that is where the most important 
shares are located.

Has anyone seen this error before?


More information about the samba mailing list