
Re: [Samba] openindiana GSSAPI failure to samba 4.6.6




2017-07-28 15:20 GMT+02:00 Greg Dickie via samba <samba@xxxxxxxxxxxxxxx>:

> Hi,
>
>  We recently updated our AD servers to 4.6.6 and one of the things that
> stopped working was our zfs server running illumos. The idmap daemon is
> trying to bind to ldap using sasl/GSSAPI and is failing with
>
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Client not found in
> Kerberos database)
>
> I think this is usually caused by DNS inconsistencies but everything looks
> fine and it was working before the upgrade.
>
> klist shows tickets
>

I don't think this is relevant: from what I understand, Samba generates its
own tickets somewhere, but not in /tmp, and they are not available with
klist.


> and doing an ldapsearch on the command line using GSSAPI seems to work
> fine.
>

That's a good point... until you are using the same account and keytab as Samba.


>
> Has anyone encountered this? Any idea how to debug?
>

No.
But machine accounts have a password and this password is supposed to
change in MS AD. I'm not sure it is changing with Samba AD but it could as
Samba means to reproduce MS AD behavior.

No idea about illumos, but the klist you mentioned, as well as the ldapsearch
using the ticket from that klist, have to be tested using the very same
account used by illumos, and the same keytab if any.

You could check that account to see whether it was modified since the update
you mentioned (pwdLastSet, whenChanged).

No idea if this could help, just a try...


>
> Thanks,
> Greg
>
> --
>
>
> Greg Dickie
> just a guy
> 514-983-5400
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
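
An added example, not part of either post: one way to run the pwdLastSet /
whenChanged check suggested above against the attributes an ldapsearch returns
for the machine account. The DN, the attribute values and the upgrade date are
constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: attributes as ldapsearch would print them for the
# machine account (DN and values are made up for this example).
SAMPLE_LDIF = """\
dn: CN=ZFSHOST,CN=Computers,DC=example,DC=com
sAMAccountName: ZFSHOST$
pwdLastSet: 131449824000000000
whenChanged: 20170726083000.0Z
"""

# Assumed upgrade time (constructed; the thread does not give one).
UPGRADE = datetime(2017, 7, 24, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_ldif_attrs(ldif):
    """Return the single-valued attributes of one LDIF entry as a dict."""
    attrs = {}
    for line in ldif.splitlines():
        if ": " in line and not line.startswith("#"):
            name, value = line.split(": ", 1)
            attrs[name] = value.strip()
    return attrs

def filetime_to_dt(value):
    """pwdLastSet counts 100 ns intervals since 1601-01-01 UTC."""
    ticks = int(value)
    if ticks == 0:  # 0 carries no timestamp
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def generalized_time_to_dt(value):
    """whenChanged is LDAP GeneralizedTime, e.g. 20170726083000.0Z."""
    stamp = datetime.strptime(value.split(".")[0], "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)

def changed_since(ldif, upgrade):
    """Map each attribute to (timestamp, True if later than the upgrade)."""
    attrs = parse_ldif_attrs(ldif)
    stamps = {"pwdLastSet": filetime_to_dt(attrs["pwdLastSet"]),
              "whenChanged": generalized_time_to_dt(attrs["whenChanged"])}
    return {k: (v, v is not None and v > upgrade) for k, v in stamps.items()}

if __name__ == "__main__":
    for name, (stamp, after) in changed_since(SAMPLE_LDIF, UPGRADE).items():
        print(f"{name}: {stamp} changed after upgrade: {after}")
```

In this sample the password predates the assumed upgrade while the object
itself was modified afterwards.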