[Samba] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

Kees van Vloten keesvanvloten at gmail.com
Mon Jun 24 09:19:03 UTC 2024


On 24-06-2024 11:07, Omnis ludis - games via samba wrote:
> thank you
>
> Mon, 24 Jun 2024 at 12:07, Rowland Penny via samba <samba at lists.samba.org>:
>> On Mon, 24 Jun 2024 11:52:17 +0300
>> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
>>
>>> Good afternoon. Please tell me: there is such an infrastructure, a Windows
>>> domain and a Samba domain; between them, one-sided external outgoing
>>> trust relationships are set up, so that users from the Windows domain
>>> can freely enter the Samba domain. I entered the client into the
>>> Samba domain and all users from the Samba domain can safely pass to
>>> this client, but that's not the task of users they do not want to
>>> authenticate from the Windows domain in any way when I try to log in
>>> to a client from the Samba domain under them, I get the following
>>> error in sssd on the client: GSSAPI Error: Unspecified GSS failure.
>>> Minor code may provide more information (Server not found in Kerberos
>>> database). Do I understand correctly that this works like this: the
>>> client accesses the Samba domain controller, since there is no given
>>> user in Samba, the request is redirected to the Windows domain
>>> controller and that in turn must provide information about this to
>>> users from its database Kerberos? But for some reason this does not
>>> happen. Does anyone have at least some information on this error? I
>>> have already tried many different scenarios and cannot log in as a
>>> user in any way, as if Samba does not process information correctly,
>>> while if you build a two-way trusting relationship, then everything
>>> works as it should.
This is a generic Kerberos error; you can find numerous pages with
suggestions on the net.

I have seen errors like this one a few times (e.g. with GSSAPI from
Apache); there are a lot of possible issues. Some I have come across:

- EncTypes must be set on the machine account in the DC (and there must
be an overlap with the ones in the client's krb5.conf).

- The machine password must be set on the account in the DC.

- The kvno of the keytab entries on the client must match the DC.
Each time the password on the machine account is changed, a new kvno is
set on the keytab, so it must be exported to the client again.

Hopefully this helps :-)

- Kees.

>> I suggest you should ask this question on the sssd-users mailing list.
>> Samba does not produce sssd and hence, little is known about it.
>>
>> Rowland
>>
>>
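
The enctype and kvno checks listed in the reply above, as an added example that is not part of the original thread. It parses `klist -ket` output from the client and compares it with values read from the DC by hand; the sample output, the principal name, and the function names are constructed, and the bitmask mapping assumes an AD-style `msDS-SupportedEncryptionTypes` attribute on the machine account.

```python
import re

# msDS-SupportedEncryptionTypes bits on the account -> MIT krb5 enctype names
AD_ENCTYPE_BITS = {
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Constructed sample of `klist -ket /etc/krb5.keytab` output (not from the thread)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/24/2024 09:00:00 host/client.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 06/24/2024 09:00:00 host/client.samdom.example.com@SAMDOM.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

# kvno, date, time, principal, (enctype); newer klist marks weak types DEPRECATED:
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_klist(text):
    """Return [(kvno, principal, enctype)] from `klist -ket` output."""
    return [(int(m[1]), m[2], m[3]) for m in map(ENTRY.match, text.splitlines()) if m]

def check_keytab(klist_text, principal, dc_kvno, dc_enctype_mask, permitted_enctypes):
    """List findings for the enctype and kvno causes named in the reply."""
    entries = [e for e in parse_klist(klist_text) if e[1] == principal]
    if not entries:
        return [f"no keytab entry for {principal}"]
    findings = []
    dc_types = {name for bit, name in AD_ENCTYPE_BITS.items() if dc_enctype_mask & bit}
    if not dc_types:
        findings.append("no enctypes set on the machine account in the DC")
    usable = dc_types & set(permitted_enctypes)
    if dc_types and not usable:
        findings.append("no overlap between DC enctypes and krb5.conf permitted_enctypes")
    current = [e for e in entries if e[0] == dc_kvno]
    if not current:
        stale = sorted({e[0] for e in entries})
        findings.append(f"keytab kvno {stale} does not match DC kvno {dc_kvno}; re-export the keytab")
    elif usable and not usable & {e[2] for e in current}:
        findings.append("keytab has no key of an enctype both sides accept")
    return findings
```
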