[Samba] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

Kees van Vloten keesvanvloten at gmail.com
Mon Jun 24 12:01:21 UTC 2024

On 24-06-2024 13:21, Omnis ludis - games wrote:
> butthe encryptionthatis onsambathatis onthe clientis the sameandthe 
> keytabisonlyonthe clientandhowto understandif the kvnois 
> specifiedcorrectlyinit, you needto checkhowthekvnoof the accountinthe 
> sambadatabase?

Get keytab on the client:

sudo net ads keytab list  # if you are using winbind or at least have 
'net' installed


sudo klist -kte /etc/krb5.keytab   # assuming this is where the keytab 
file is

Export a one principal keytab from samba.
Run on the DC with sufficient permissions:

samba-tool domain exportkeytab -d 8 <temp-export-file> 
ktlist -kte <temp-export-file>
# Compare kvno, local keytab must have at least the kvno that samba DC has
# Also check encryption types between the two files and check them with 
settings in /etc/krb5.conf:
#   e.g. permitted_enctypes =
rm <temp-export-file

If there is a mismatch in kvno: use 'net ads keyab add' to update 
/etc/krb5.keytab or the sssd equivalent for that. Run it for each 
principal in the keytab.

Also check that a password on the service / machine account is set. 
Without it ever set Kerberos authentication is not possible. For 
accounts created or updated by a domain-join this is not an issue as it 
will be set by the join.

You can also get a clue from the auth-audit logging on the DC. Ensure 
you a line similar to this on the DC  in /etc/samba/smb.conf

         log level = 3 auth_json_audit:3@/var/log/samba/audit_auth.log

Restart the DC service after modifying /etc/samba/smb.conf. Auth-audit 
logging on the server is more explicit than client-side logging in most 

- Kees.

> пн, 24 июн. 2024 г. в 14:13, Kees van Vloten via samba 
> <samba at lists.samba.org>:
>     On 24-06-2024 12:42, Rowland Penny via samba wrote:
>     > On Mon, 24 Jun 2024 11:19:03 +0200
>     > Kees van Vloten via samba <samba at lists.samba.org> wrote:
>     >
>     >> On 24-06-2024 11:07, Omnis ludis - games via samba wrote:
>     >>> thank you
>     >>>
>     >>> пн, 24 июн. 2024 г. в 12:07, Rowland Penny via samba
>     >>> <samba at lists.samba.org
>     >>>> :
>     >>>> On Mon, 24 Jun 2024 11:52:17 +0300
>     >>>> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
>     >>>>
>     >>>>> Good afternoon, please tell me there is such an infrastructure
>     >>>>> windows domain and samba domain between them, one-sided external
>     >>>>> outgoing trust relationships are set up, so that users from the
>     >>>>> windows domain can freely enter the samba domain, I entered the
>     >>>>> client into the samba domain and all users from the samba domain
>     >>>>> can safely pass to this client, but that's not the task of users
>     >>>>> they do not want to authenticate from the windows domain in any
>     >>>>> way when I try to log in to a client from the samba domain under
>     >>>>> them, I get the following error in sssd on the client, GSSAPI
>     >>>>> Error: Unspecified GSS failure. Minor code may provide more
>     >>>>> information (Server not found in Kerberos database), do I
>     >>>>> understand correctly that this works like this, the client
>     >>>>> accesses the samba domain controller, since there is no given
>     >>>>> user in samba, the request is redirected to the windows domain
>     >>>>> controller and that in turn must provide information about this
>     >>>>> to users from its database kerberos? but for some reason this
>     >>>>> does not happen, does anyone have at least some information on
>     >>>>> this error, I have already tried many different scenarios
>     and can
>     >>>>> not log in as a user in any way, as if samba does not process
>     >>>>> information correctly, while if you build a two-way trusting
>     >>>>> relationship, then everything works as it should
>     >> This is a generic kerberos error, you can find numerous pages with
>     >> suggestions on the net.
>     >>
>     >> I have seen errors like this one a few times (e.g. with gssapi from
>     >> Apache), there are a lot of possible issues. Some I have come
>     across:
>     >>
>     >> -  EncTypes must be set on the machine account in the DC (and there
>     >> must be an overlap with the ones in the client's krb5.conf).
>     >>
>     >> - The machine password must be set on the account in the DC.
>     >>
>     >> - The kvno of the keytab entries on the client must match with the
>     >> DC. Each time the password on the machine account is changed a new
>     >> kvno is set on the keytab, so it must be exported to the client
>     again.
>     >>
>     >> Hopefully this helps :-)
>     >>
>     > It might be a password problem, but sssd is involved and, from my
>     > perspective, if you are using 'security = ADS', then you must run
>     > winbind and if winbind is running, then there is no point to be also
>     > running sssd, winbind & sssd do virtually the same thing and if sssd
>     > isn't setup correctly, then once a month it can stop winbind in its
>     > tracks.
>     >
>     > Rowland
>     >
>     In this case it is an error generated by the Kerberos library used by
>     the client (here sssd, I used apache back then). It tells us the
>     kerberos authentication is not working, not due to authentication
>     failure but due to authentication not possible.
>      From my experience the cause of this generic error is more likely
>     the
>     one-way trust or something with the service account / computer
>     account
>     (e.g. EncTypes mismatch, kvno mismatch) or /etc/krb5.conf than it
>     being
>     caused by sssd (although we can't rule it out).
>     In this particular case I would bet on the one-way trust, as that
>     could
>     cause the kerberos ticket no to work properly and that matches
>     with what
>     the error expresses.
>     - Kees.
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list