Mark R Bannister
2011-Sep-20 10:12 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
BODY { font-family:Arial, Helvetica, sans-serif;font-size:12px; }Hi, I've seen many people complain about this error message by Googling around, but I've never found a satisfactory explanation as to the cause and resolution. I'm hoping someone on the list will be able to point me in the right direction? I'm attempting to get a RHEL 5.5 client configured to use winbind auth against Windows 2003 R2 AD (in fact my end game is to get all NIS maps served from AD, but one step at a time). I've been following these steps: http://wiki.samba.org/index.php/Samba_&_Active_Directory But when I come to issue the 'net ads join' command: # net ads join -U administrator administrator's password: [2011/09/20 10:57:00, 0] libads/sasl.c:ads_sasl_spnego_bind(330) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials Failed to join domain: Invalid credentials So having manually configured it, I decided maybe 'authconfig' could help. I have no graphics here, so tried a command-line approach: # authconfig --enablecache --enablewinbind --enablewinbindauth --smbsecurity ads --smbrealm FMTEST.NET --smbidmapuid=100-4294967294 --smbidmapgid=100-4294967294 --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=Administrator --update This made no difference (same error when trying to join). Apart from adding the 'winbind offline logon' option which I omitted from my manual approach, using the old idmap features instead of the new ones, and setting up PAM for winbind (which I hadn't got around to yet) there was no difference in config. Debug modes, RHEL logs, Windows event logs, network traces - I've looked at them all and can't find anything that points to the exact problem. Some pertinent info: # cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.5 (Tikanga) # rpm -qa | egrep 'samba|libsmb' libsmbclient-3.0.33-3.29.el5_5.1 samba-client-3.0.33-3.29.el5_5.1 samba-3.0.33-3.29.el5_5.1 samba-common-3.0.33-3.29.el5_5.1 # testparm Load smb config files from /etc/samba/smb.conf Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = FMTEST realm = FMTEST.NET server string = Linux Test Machine security = ADS passdb backend = tdbsam log file = /var/log/samba/%m.log preferred master = No idmap domains = ALLDOMAINS winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nss info = rfc2307 winbind offline logon = Yes idmap config ALLDOMAINS:default = yes idmap config ALLDOMAINS:backend = ad idmap config ALLDOMAINS:range = 100-4294967294 idmap config ALLDOMAINS:schema_mode = rfc2307 # cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = FMTEST.NET dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes [realms] FMTEST.NET = { default_domain = fmtest.net } [domain_realm] .fmtest.net = FMTEST.NET fmtest.net = FMTEST.NET [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } Can you advise? Thanks, Mark.
Seemingly Similar Threads
- kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
- kinit succeeded but ads_sasl_spnego_krb5_bind failed
- kinit succeeded but ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type
- kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
- kinit succeeded but ads_sasl_spnego_krb5_bind failed