[Samba] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

Rowland Penny rpenny at samba.org
Mon Jun 24 10:42:56 UTC 2024


On Mon, 24 Jun 2024 11:19:03 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> 
> On 24-06-2024 11:07, Omnis ludis - games via samba wrote:
> > thank you
> >
> > Mon, 24 Jun 2024 at 12:07, Rowland Penny via samba
> > <samba at lists.samba.org>:
> >> On Mon, 24 Jun 2024 11:52:17 +0300
> >> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
> >>
> >>> Good afternoon, please tell me there is such an infrastructure
> >>> windows domain and samba domain between them, one-sided external
> >>> outgoing trust relationships are set up, so that users from the
> >>> windows domain can freely enter the samba domain, I entered the
> >>> client into the samba domain and all users from the samba domain
> >>> can safely pass to this client, but that's not the task of users
> >>> they do not want to authenticate from the windows domain in any
> >>> way when I try to log in to a client from the samba domain under
> >>> them, I get the following error in sssd on the client, GSSAPI
> >>> Error: Unspecified GSS failure. Minor code may provide more
> >>> information (Server not found in Kerberos database), do I
> >>> understand correctly that this works like this, the client
> >>> accesses the samba domain controller, since there is no given
> >>> user in samba, the request is redirected to the windows domain
> >>> controller and that in turn must provide information about this
> >>> to users from its database kerberos? but for some reason this
> >>> does not happen, does anyone have at least some information on
> >>> this error, I have already tried many different scenarios and can
> >>> not log in as a user in any way, as if samba does not process
> >>> information correctly, while if you build a two-way trusting
> >>> relationship, then everything works as it should
> This is a generic kerberos error, you can find numerous pages with 
> suggestions on the net.
> 
> I have seen errors like this one a few times (e.g. with gssapi from 
> Apache), there are a lot of possible issues. Some I have come across:
> 
> -  EncTypes must be set on the machine account in the DC (and there
> must be an overlap with the ones in the client's krb5.conf).
> 
> - The machine password must be set on the account in the DC.
> 
> - The kvno of the keytab entries on the client must match with the
> DC. Each time the password on the machine account is changed a new
> kvno is set on the keytab, so it must be exported to the client again.
> 
> Hopefully this helps :-)
> 

It might be a password problem, but sssd is involved and, from my
perspective, if you are using 'security = ADS', then you must run
winbind, and if winbind is running, then there is no point in also
running sssd. winbind & sssd do virtually the same thing, and if sssd
isn't set up correctly, then once a month it can stop winbind in its
tracks.

Rowland
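
The keytab checks listed in the quoted reply above (kvno match and enctype overlap), as an added example that is not part of the original thread: it parses `klist -ke` output and compares it with values read from the machine account on the DC. The host name, realm and sample output are constructed, and reading the DC side from the AD attributes `msDS-KeyVersionNumber` and `msDS-SupportedEncryptionTypes` is an assumption about how those values are obtained.

```python
import re

# Bit values of the AD attribute msDS-SupportedEncryptionTypes
ENCTYPE_BITS = {
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Constructed sample of `klist -ke /etc/krb5.keytab` output (MIT Kerberos layout)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/client1.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/client1.samdom.example.com@SAMDOM.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_keytab(text):
    """Return (kvno, principal, enctype) for each keytab entry line."""
    return [(int(m[1]), m[2], m[3])
            for m in map(ENTRY.match, text.splitlines()) if m]

def check_keytab(text, principal, dc_kvno, dc_enctype_mask, permitted):
    """Compare keytab entries for `principal` with the DC-side values.

    permitted: enctypes allowed by the client's krb5.conf.
    """
    entries = [e for e in parse_keytab(text) if e[1] == principal]
    if not entries:
        return [f"no keytab entry for {principal}"]
    findings = []
    newest = max(k for k, _, _ in entries)
    if newest != dc_kvno:
        # Password changed on the DC after the keytab was exported
        findings.append(f"kvno mismatch: keytab {newest}, DC {dc_kvno}")
    dc_types = {n for bit, n in ENCTYPE_BITS.items() if dc_enctype_mask & bit}
    usable = {e for k, _, e in entries if k == newest} & dc_types & set(permitted)
    if not usable:
        findings.append("no enctype shared by keytab, DC account and krb5.conf")
    return findings

if __name__ == "__main__":
    spn = "host/client1.samdom.example.com@SAMDOM.EXAMPLE.COM"
    # Constructed case: DC reports kvno 4 and an AES-only account (0x18)
    print(check_keytab(SAMPLE_KLIST, spn, 4, 0x18, ["aes256-cts-hmac-sha1-96"]))
```
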


