Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
- Date: Mon, 31 Jul 2017 14:25:34 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
You have 3 places to look where your keytab can be found.
When kerberos method is set to "dedicated keytab", see the parameter:
dedicated keytab file = /where/your/krb5.keytab is configured.
The system default keytab (on my debian system): /etc/krb5.keytab
Yours might be in: /etc/krb5/krb5.keytab
The samba keytab if "dedicated keytab file" is not used
(on my debian system).
And check them all:
klist -ke /var/lib/samba/private/secret.keytab
klist -ke /etc/krb5/krb5.keytab
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> mathias dufresne via samba
> Sent: Monday 31 July 2017 10:59
> To: Greg Dickie
> CC: samba
> Subject: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
> 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba
> > Hi,
> > We recently updated our AD servers to 4.6.6 and one of the things
> > that stopped working was our zfs server running illumos. The idmap
> > daemon is trying to bind to ldap using sasl/GSSAPI and is
> failing with
> > additional info: SASL(-1): generic failure: GSSAPI Error:
> > GSS failure. Minor code may provide more information (Client not
> > found in Kerberos database)
> > I think this is usually caused by DNS inconsistencies but everything
> > looks fine and it was working before the upgrade.
> > klist shows tickets
> I don't think this is relevant: from what I feel to have
> understood, Samba generates its own tickets somewhere but not
> in /tmp, not available with klist.
> (Client not found in Kerberos database)
> > and doing an ldapsearch on the command line using GSSAPI seems to
> > work fine.
> That's a good point... unless you are using the same account and
> keytab as Samba.
> > Has anyone encountered this? Any idea how to debug?
> But machine accounts have a password and this password is
> supposed to change in MS AD. I'm not sure it is changing with
> Samba AD but it could as Samba means to reproduce MS AD behavior.
> No idea about illumos, but the klist you mentioned and the
> ldapsearch using the ticket of that klist have to be tested
> using the very same account used by illumos and the same
> keytab, if any.
> You could check that account to see if it was modified since the
> update you mentioned (pwdLastSet, whenChanged).
> No idea if this could help, just a try...
> > Thanks,
> > Greg
> > --
> > Greg Dickie
> > just a guy
> > 514-983-5400
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
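The check L.P.H. van Belle describes at the top of this thread, walking the three possible keytab locations and running klist -ke on each, written out as a small POSIX sh script. This is an added example, not code from the thread or from the Samba project. It reads "kerberos method" and "dedicated keytab file" from an smb.conf path you pass in; the system keytab default (/etc/krb5.keytab, or $KRB5_KTNAME), the Samba private directory (/var/lib/samba/private) and the private-directory keytab file name are assumptions for a Debian-style layout, so adjust them to what your installation actually uses.

```shell
#!/bin/sh
# Added example, not code from the thread: walk the three keytab locations
# named in the reply above and list the keys in each with klist -ke.
# SYSTEM_KEYTAB and SAMBA_PRIVATE_DIR are assumed Debian-style defaults;
# override them in the environment for another layout.

SYSTEM_KEYTAB="${KRB5_KTNAME:-/etc/krb5.keytab}"
SYSTEM_KEYTAB="${SYSTEM_KEYTAB#FILE:}"            # drop a FILE: prefix if present
SAMBA_PRIVATE_DIR="${SAMBA_PRIVATE_DIR:-/var/lib/samba/private}"

# Print the value of an smb.conf parameter (first non-comment match) or nothing.
# $1 = path to smb.conf, $2 = parameter name (case-insensitive)
smbconf_param() {
    awk -v key="$2" -F'=' '
        $0 !~ /^[ \t]*[#;]/ && tolower($1) ~ ("^[ \t]*" tolower(key) "[ \t]*$") {
            v = $2
            sub(/^[ \t]+/, "", v)
            sub(/[ \t]+$/, "", v)
            print v
            exit
        }' "$1"
}

# Print, one per line, the keytab files worth checking for this smb.conf:
#   1. "dedicated keytab file" when "kerberos method = dedicated keytab"
#   2. the system default keytab
#   3. Samba's own keytab in its private directory (assumed file name),
#      used when no dedicated keytab is configured
keytab_candidates() {
    conf="$1"
    method=$(smbconf_param "$conf" "kerberos method")
    dedicated=$(smbconf_param "$conf" "dedicated keytab file")
    if [ "$method" = "dedicated keytab" ] && [ -n "$dedicated" ]; then
        printf '%s\n' "$dedicated"
    fi
    printf '%s\n' "$SYSTEM_KEYTAB"
    if [ "$method" != "dedicated keytab" ]; then
        printf '%s\n' "$SAMBA_PRIVATE_DIR/secrets.keytab"
    fi
}

# Report each candidate and list its principals when readable. A principal
# that is in none of these files, or that no longer exists in the KDC, is
# what surfaces as "Client not found in Kerberos database" on the client.
check_keytabs() {
    keytab_candidates "$1" | while IFS= read -r kt; do
        if [ -r "$kt" ]; then
            printf '== %s\n' "$kt"
            klist -ke "$kt"
        else
            printf '== %s: not present or not readable\n' "$kt"
        fi
    done
}

# Usage: sh check_keytabs.sh /etc/samba/smb.conf
if [ -n "${1:-}" ]; then
    check_keytabs "$1"
fi
```

Compare the principals printed for each file with the account the illumos idmap daemon actually binds as; a mismatch between them, or a principal that the KDC no longer has (for instance after a machine password change), is the condition behind the error quoted in the thread.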