[Samba] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

Kees van Vloten keesvanvloten at gmail.com
Mon Jun 24 11:12:25 UTC 2024


On 24-06-2024 12:42, Rowland Penny via samba wrote:
> On Mon, 24 Jun 2024 11:19:03 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 24-06-2024 11:07, Omnis ludis - games via samba wrote:
>>> thank you
>>>
>>> Mon, 24 Jun 2024 at 12:07, Rowland Penny via samba
>>> <samba at lists.samba.org>:
>>>> On Mon, 24 Jun 2024 11:52:17 +0300
>>>> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Good afternoon, please tell me there is such an infrastructure
>>>>> windows domain and samba domain between them, one-sided external
>>>>> outgoing trust relationships are set up, so that users from the
>>>>> windows domain can freely enter the samba domain, I entered the
>>>>> client into the samba domain and all users from the samba domain
>>>>> can safely pass to this client, but that's not the task of users
>>>>> they do not want to authenticate from the windows domain in any
>>>>> way when I try to log in to a client from the samba domain under
>>>>> them, I get the following error in sssd on the client, GSSAPI
>>>>> Error: Unspecified GSS failure. Minor code may provide more
>>>>> information (Server not found in Kerberos database), do I
>>>>> understand correctly that this works like this, the client
>>>>> accesses the samba domain controller, since there is no given
>>>>> user in samba, the request is redirected to the windows domain
>>>>> controller and that in turn must provide information about this
>>>>> to users from its database kerberos? but for some reason this
>>>>> does not happen, does anyone have at least some information on
>>>>> this error, I have already tried many different scenarios and can
>>>>> not log in as a user in any way, as if samba does not process
>>>>> information correctly, while if you build a two-way trusting
>>>>> relationship, then everything works as it should
>> This is a generic kerberos error, you can find numerous pages with
>> suggestions on the net.
>>
>> I have seen errors like this one a few times (e.g. with gssapi from
>> Apache), there are a lot of possible issues. Some I have come across:
>>
>> -  EncTypes must be set on the machine account in the DC (and there
>> must be an overlap with the ones in the client's krb5.conf).
>>
>> - The machine password must be set on the account in the DC.
>>
>> - The kvno of the keytab entries on the client must match with the
>> DC. Each time the password on the machine account is changed a new
>> kvno is set on the keytab, so it must be exported to the client again.
>>
>> Hopefully this helps :-)
>>
> It might be a password problem, but sssd is involved and, from my
> perspective, if you are using 'security = ADS', then you must run
> winbind and if winbind is running, then there is no point to be also
> running sssd, winbind & sssd do virtually the same thing and if sssd
> isn't setup correctly, then once a month it can stop winbind in its
> tracks.
>
> Rowland
>
In this case it is an error generated by the Kerberos library used by 
the client (here sssd, I used apache back then). It tells us the 
kerberos authentication is not working, not due to authentication 
failure but due to authentication not possible.

From my experience the cause of this generic error is more likely the 
one-way trust or something with the service account / computer account 
(e.g. EncTypes mismatch, kvno mismatch) or /etc/krb5.conf than it being 
caused by sssd (although we can't rule it out).

In this particular case I would bet on the one-way trust, as that could 
cause the kerberos ticket not to work properly and that matches with what 
the error expresses.

- Kees.
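Kees's checklist (EncTypes overlap, machine password / kvno in sync with the DC, keytab re-exported after a password change) is easy to get wrong by eye. The script below is an added illustration, not code from the thread or from Samba: it parses the output format of MIT `klist -ke`, decodes the AD `msDS-SupportedEncryptionTypes` bitmask for the machine account, and reports whether the client keytab, the DC's expectations and the enctypes permitted in krb5.conf actually have a usable intersection at the DC's current kvno. The `klist` text, the DC values and the principal name are constructed sample data; on a real client you would paste the real `klist -ke` output and read `msDS-KeyVersionNumber` and `msDS-SupportedEncryptionTypes` from the computer object on the DC.

```python
"""Added example (not from the Samba list post): cross-check a client keytab
against what the DC says about the machine account. All sample data below is
constructed."""
import re

# Bit values of the AD attribute msDS-SupportedEncryptionTypes.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Short names that krb5.conf accepts for the same enctypes.
KRB5_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
}

# One entry line of `klist -ke`: "<kvno> <principal> (<enctype>)".
_KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed sample of what `klist -ke` prints on the client.
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.samdom.example.com@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/client.samdom.example.com@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/client.samdom.example.com@SAMDOM.EXAMPLE.COM (arcfour-hmac)
"""


def parse_klist_ke(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = _KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def decode_supported_enctypes(mask):
    """Expand an msDS-SupportedEncryptionTypes bitmask into enctype names."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}


def normalize(name):
    return KRB5_ALIASES.get(name, name)


def check_keytab(klist_text, principal, dc_kvno, dc_enctype_mask, krb5_permitted):
    """Return a list of problems; an empty list means the keytab looks consistent.

    dc_kvno         : msDS-KeyVersionNumber of the machine account on the DC
    dc_enctype_mask : msDS-SupportedEncryptionTypes of that account
    krb5_permitted  : enctypes allowed by the client's krb5.conf
    """
    problems = []
    entries = [e for e in parse_klist_ke(klist_text) if e[1] == principal]
    if not entries:
        return ["no keytab entry for %s" % principal]

    # Kees's kvno check: the keytab must carry the DC's current key version,
    # otherwise the keytab was not re-exported after a password change.
    keytab_kvnos = {kvno for kvno, _, _ in entries}
    if dc_kvno not in keytab_kvnos:
        problems.append("kvno mismatch: keytab has %s, DC has %d"
                        % (sorted(keytab_kvnos), dc_kvno))

    # Kees's EncTypes check: keytab, DC account and krb5.conf must overlap.
    keytab_enctypes = {normalize(et) for _, _, et in entries}
    dc_enctypes = decode_supported_enctypes(dc_enctype_mask)
    permitted = {normalize(et) for et in krb5_permitted}
    if not (keytab_enctypes & dc_enctypes & permitted):
        problems.append("no enctype overlap: keytab=%s dc=%s krb5.conf=%s"
                        % (sorted(keytab_enctypes), sorted(dc_enctypes),
                           sorted(permitted)))
    return problems


if __name__ == "__main__":
    principal = "host/client.samdom.example.com@SAMDOM.EXAMPLE.COM"
    # Constructed DC values: kvno 4 (password was rotated) and AES-only account.
    for p in check_keytab(KLIST_SAMPLE, principal, 4, 0x18, ["aes256-cts", "aes128-cts"]):
        print("PROBLEM:", p)
```

Run it after `klist -ke` on the client and an LDAP or `samba-tool` lookup of the computer object on the DC; an empty result does not prove the trust itself is healthy (Kees's first suspect in this thread), but it does rule out the three account-side causes he lists before anyone starts blaming sssd.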