[Samba] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Kees van Vloten
keesvanvloten at gmail.com
Mon Jun 24 12:01:21 UTC 2024
On 24-06-2024 13:21, Omnis ludis - games wrote:
> but the encryption that is on samba and on the client is the same, and the
> keytab is only on the client, and how to understand if the kvno is
> specified correctly in it: you need to check it against the kvno of the
> account in the samba database?
Get keytab on the client:
sudo net ads keytab list # if you are using winbind or at least have 'net' installed
or
sudo klist -kte /etc/krb5.keytab # assuming this is where the keytab file is
Export a one-principal keytab from samba.
Run on the DC with sufficient permissions:
samba-tool domain exportkeytab -d 8 <temp-export-file> --principal=<one-principal-from-above-keytab>
klist -kte <temp-export-file>
# Compare kvno, local keytab must have at least the kvno that the samba DC has
# Also check encryption types between the two files and check them against the
# settings in /etc/krb5.conf:
# e.g. permitted_enctypes =
rm <temp-export-file>
If there is a mismatch in kvno: use 'net ads keytab add' to update
/etc/krb5.keytab or the sssd equivalent for that. Run it for each
principal in the keytab.
Also check that a password on the service / machine account is set.
Without it ever having been set, Kerberos authentication is not possible.
For accounts created or updated by a domain join this is not an issue, as
it will be set by the join.
You can also get a clue from the auth-audit logging on the DC. Ensure
you have a line similar to this on the DC in /etc/samba/smb.conf
[global]
log level = 3 auth_json_audit:3@/var/log/samba/audit_auth.log
Restart the DC service after modifying /etc/samba/smb.conf. Auth-audit
logging on the server is more explicit than client-side logging in most
cases.
- Kees.
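The keytab comparison described above, as an added example that is not part of the original post: a POSIX shell script that reads two 'klist -kte' listings (the client's /etc/krb5.keytab and the per-principal export from the DC) and reports, per principal, a client kvno lower than the DC's and any enctype present in the DC export but absent from the client keytab. The principals, hostnames, timestamps and both listings are constructed sample data; the script does not run klist or samba-tool itself, so in practice save the output of the real commands to files and pass those to compare_keytabs.

```shell
#!/bin/sh
# Added example, not code from the thread: check a client keytab against a DC
# export the way the post describes (kvno and enctypes per principal). Both
# inputs are 'klist -kte' listings; the ones below are constructed sample data.
set -u

# Assumed output of:  sudo klist -kte /etc/krb5.keytab     (run on the client)
CLIENT_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/24/2024 10:00:00 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 06/24/2024 10:00:00 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 06/24/2024 10:00:00 host/client.example.com@EXAMPLE.COM (arcfour-hmac)
   2 06/01/2024 09:00:00 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Assumed output of:  klist -kte <temp-export-file>   (run on the DC after
# 'samba-tool domain exportkeytab <temp-export-file> --principal=...' per principal)
DC_LISTING='Keytab name: FILE:/tmp/export.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/24/2024 10:05:00 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 06/24/2024 10:05:00 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   4 06/24/2024 10:05:00 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 06/24/2024 10:05:00 nfs/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# compare_keytabs CLIENT_LISTING_FILE DC_LISTING_FILE
# Prints one finding per line (OK / KVNO / ENCTYPE / MISSING / SKIP) and exits 1
# when any principal needs attention.
compare_keytabs() {
  awk '
    # Entry lines start with the kvno. The principal is the second-to-last field
    # and the enctype the last one, so the timestamp layout does not matter.
    /^ *[0-9]+ / {
      side = (FILENAME == ARGV[1]) ? "client" : "dc"
      p = $(NF - 1); e = $NF; gsub(/[()]/, "", e)
      if (!((side, p) in kv) || $1 + 0 > kv[side, p]) kv[side, p] = $1 + 0   # highest kvno per side
      enc[side, p, e] = 1
      princ[p] = 1
    }
    END {
      rc = 0
      for (p in princ) {
        if (!(("dc", p) in kv)) {
          printf "SKIP     %s: not in the DC export (export it with --principal=%s)\n", p, p
          continue
        }
        if (!(("client", p) in kv)) {
          printf "MISSING  %s: not in the client keytab\n", p; rc = 1; continue
        }
        issues = 0
        # The local keytab must have at least the kvno the DC has.
        if (kv["client", p] < kv["dc", p]) {
          printf "KVNO     %s: client kvno %d < DC kvno %d (refresh with net ads keytab add)\n", p, kv["client", p], kv["dc", p]
          issues++
        }
        # Every enctype the DC holds for the principal must be in the client keytab.
        for (k in enc) {
          split(k, f, SUBSEP)
          if (f[1] == "dc" && f[2] == p && !(("client", p, f[3]) in enc)) {
            printf "ENCTYPE  %s: DC has %s, client keytab does not (check permitted_enctypes in krb5.conf)\n", p, f[3]
            issues++
          }
        }
        if (issues == 0) printf "OK       %s: kvno %d, all DC enctypes present\n", p, kv["dc", p]
        else rc = 1
      }
      exit rc
    }' "$1" "$2"
}

# Demo on the constructed listings above: host/ is consistent, nfs/ has a stale
# kvno on the client and lacks the aes128 key the DC holds.
demo() {
  c=$(mktemp) && d=$(mktemp) || return 1
  printf '%s\n' "$CLIENT_LISTING" > "$c"
  printf '%s\n' "$DC_LISTING" > "$d"
  compare_keytabs "$c" "$d" && rc=0 || rc=$?
  rm -f "$c" "$d"
  return "$rc"
}
demo || echo "keytab needs attention (exit status $?)"
```

A client keytab carrying extra enctypes the DC does not export (arcfour-hmac in the sample) is not reported, since only the DC-side keys have to be present locally; the permitted_enctypes check in /etc/krb5.conf still has to be done by hand against the enctype names the script prints.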
>
> Mon, 24 Jun 2024 at 14:13, Kees van Vloten via samba
> <samba at lists.samba.org>:
>
>
> On 24-06-2024 12:42, Rowland Penny via samba wrote:
> > On Mon, 24 Jun 2024 11:19:03 +0200
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> On 24-06-2024 11:07, Omnis ludis - games via samba wrote:
> >>> thank you
> >>>
> >>> Mon, 24 Jun 2024 at 12:07, Rowland Penny via samba
> >>> <samba at lists.samba.org>:
> >>>> On Mon, 24 Jun 2024 11:52:17 +0300
> >>>> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> Good afternoon, please tell me: there is such an infrastructure, a
> >>>>> Windows domain and a Samba domain, and between them one-sided
> >>>>> external outgoing trust relationships are set up, so that users from
> >>>>> the Windows domain can freely enter the Samba domain. I joined the
> >>>>> client to the Samba domain and all users from the Samba domain can
> >>>>> safely log on to this client, but that is not the task: users from
> >>>>> the Windows domain do not want to authenticate in any way. When I
> >>>>> try to log in to a client from the Samba domain as one of them, I
> >>>>> get the following error in sssd on the client: GSSAPI Error:
> >>>>> Unspecified GSS failure. Minor code may provide more information
> >>>>> (Server not found in Kerberos database). Do I understand correctly
> >>>>> that this works like this: the client contacts the Samba domain
> >>>>> controller, and since there is no such user in Samba, the request is
> >>>>> redirected to the Windows domain controller, which in turn must
> >>>>> provide information about this user from its Kerberos database? But
> >>>>> for some reason this does not happen. Does anyone have at least some
> >>>>> information on this error? I have already tried many different
> >>>>> scenarios and cannot log in as a user in any way, as if Samba does
> >>>>> not process the information correctly, while if you build a two-way
> >>>>> trust relationship, then everything works as it should.
> >> This is a generic kerberos error, you can find numerous pages with
> >> suggestions on the net.
> >>
> >> I have seen errors like this one a few times (e.g. with gssapi from
> >> Apache), there are a lot of possible issues. Some I have come across:
> >>
> >> - EncTypes must be set on the machine account in the DC (and there
> >> must be an overlap with the ones in the client's krb5.conf).
> >>
> >> - The machine password must be set on the account in the DC.
> >>
> >> - The kvno of the keytab entries on the client must match with the
> >> DC. Each time the password on the machine account is changed a new
> >> kvno is set on the keytab, so it must be exported to the client again.
> >>
> >> Hopefully this helps :-)
> >>
> > It might be a password problem, but sssd is involved and, from my
> > perspective, if you are using 'security = ADS', then you must run
> > winbind and if winbind is running, then there is no point to be also
> > running sssd, winbind & sssd do virtually the same thing and if sssd
> > isn't setup correctly, then once a month it can stop winbind in its
> > tracks.
> >
> > Rowland
> >
> In this case it is an error generated by the Kerberos library used by
> the client (here sssd, I used apache back then). It tells us the
> kerberos authentication is not working, not due to authentication
> failure but due to authentication not being possible.
>
> From my experience the cause of this generic error is more likely the
> one-way trust or something with the service account / computer account
> (e.g. EncTypes mismatch, kvno mismatch) or /etc/krb5.conf than it being
> caused by sssd (although we can't rule it out).
>
> In this particular case I would bet on the one-way trust, as that could
> cause the kerberos ticket not to work properly and that matches with
> what the error expresses.
>
> - Kees.
>
>