Pat Suwalski
2014-Jan-14 15:25 UTC
[Samba] Kerberos GSSAPI: Server not found in Kerberos database
Hello,

I have now spent 30 hours trying to get this working, so it's time to get some professional help. :)

In a nutshell, I would like to have a Samba AD PDC that authenticates both Windows and Debian. On Linux, I would like to use SSSD.

I have followed the steps on the wiki:
- https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
- https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd

Those worked great! The first allowed me to use the domain immediately with Windows. The second allowed me to use SSSD to authenticate on the Debian/Samba server, no problem.

However, for the life of me, I cannot make any non-localhost Debian SSSD connect to Samba. I always get the wonderfully vague error:

generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

I have followed many discussions on this list and others, and it's always things like NetBIOS names not matching, domains not matching, and so on. I don't seem to have any of those problems. I thought that maybe there was a problem with the keytab, so I used Samba to join the domain and then reused that keytab. The domains match. resolv.conf points at the Samba server. Logs suggest everything resolves, just that Kerberos is being unfriendly.

I do have some questions that I can't seem to find the answer for anywhere else.

1) Is it necessary to join the domain for SSSD to authenticate?

2) Is there a need to have a computer record in Samba for the computer with SSSD?

3) Aside from joining the domain, is there anything else that has to happen to allow the host to access the AD? I used:

    net ads join -UAdministrator

and got a success message.

4) After joining the domain, I have different SPN information for the Windows host versus the Debian host:

# samba-tool spn list adtest$
adtest$
User CN=adtest,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName:
    HOST/ADTEST
    HOST/adtest.foobar.ca

# samba-tool spn list windows81-vm$
windows81-vm$
User CN=WINDOWS81-VM,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName:
    HOST/Windows81-VM.foobar.ca
    RestrictedKrbHost/Windows81-VM.foobar.ca
    HOST/WINDOWS81-VM
    RestrictedKrbHost/WINDOWS81-VM
    TERMSRV/Windows81-VM.foobar.ca
    TERMSRV/WINDOWS81-VM

Could it be that I somehow need to give permissions to my "adtest" Debian host to be able to connect via Kerberos?

5) Is it actually necessary to kinit as suggested elsewhere? It just seems to create the keytab cache in /tmp.

Any help would be greatly appreciated. I didn't want to overload this message with logs and such.

Many thanks,
--Pat
L.P.H. van Belle
2014-Jan-14 15:52 UTC
[Samba] Kerberos GSSAPI: Server not found in Kerberos database
Hai,

Are there any IPv6 addresses in /etc/hosts? (If so, remove them and try again.) Or try to remove and/or disable IPv6 totally. If ldapsearch uses IPv6, then things don't work. This is a known bug.

Greetz,

Louis

> -----Original message-----
> From: pat at suwalski.net [mailto:samba-bounces at lists.samba.org] On behalf of Pat Suwalski
> Sent: Tuesday, 14 January 2014 16:26
> To: samba at lists.samba.org
> Subject: [Samba] Kerberos GSSAPI: Server not found in Kerberos database
Pat Suwalski
2014-Jan-14 16:18 UTC
[Samba] Kerberos GSSAPI: Server not found in Kerberos database
On 14-01-14 10:25 AM, Pat Suwalski wrote:
> However, for the life of me, I cannot make any non-localhost Debian SSSD
> connect to Samba. I always get the wonderfully vague error:
>
> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Server not found in Kerberos database)

Murphy is alive and well over here. Naturally, within 5 minutes of sending the eMail, I found the solution to the problem. Never mind the 30 hours before that. :)

Reverse DNS.

The Samba server used to be called "apple". The firewall/DNS server had this DNS record, as well as the new name "ad". This was so that both could be resolved. Pinging "ad" from any host, including the Samba server, worked correctly. Samba's DNS had a proper entry, with no knowledge of "apple". However, doing a reverse-DNS lookup from my "adtest" host was still returning "apple". Samba had not created reverse-DNS entries for any host in its forward-lookup zone, and they were being passed through from the firewall.

I am surprised this affects Kerberos, but there you have it.

I'd still love answers to my questions in the original eMail, especially regarding necessity of joining the domain, adding the host to the SPN, and so on.

Many thanks,
--Pat
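The stale PTR record Pat found, and the SPN listing from question 4 of the first post, come down to one check: which service principal will the client ask the KDC for, and is that principal registered on a computer account? With MIT Kerberos, the `rdns` setting in `[libdefaults]` of krb5.conf (default true, unless `dns_canonicalize_hostname` is off) makes the client look up the PTR record of the server's address and build the principal from that name. So a PTR that still says "apple" turns a bind to ad.foobar.ca into a request for ldap/apple.foobar.ca, which the KDC has never heard of, hence "Server not found in Kerberos database". The script below is an added example, not code from the thread or from Samba/SSSD; it assumes the realm FOOBAR.CA, the `ldap` service (what an LDAP SASL/GSSAPI bind such as SSSD's uses), and the MIT `rdns` semantics just described.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or SSSD): predict the service
# principal an MIT Kerberos client will request for a host, and check it
# against a "samba-tool spn list" style listing, so a stale PTR record is
# caught before the GSSAPI bind fails.
# Assumptions: realm FOOBAR.CA, service "ldap" for the SSSD LDAP bind,
# rdns semantics: true = canonicalize the target via the PTR record,
# false = use the forward name as given.

lower() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# Hostname the client embeds in the principal.
#   $1 forward name the client was told to contact
#   $2 name from the PTR record of that host's address ("" if none)
#   $3 rdns setting, "true" or "false"
krb_target_host() {
    if [ "$3" = "true" ] && [ -n "$2" ]; then
        lower "$2"
    else
        lower "$1"
    fi
}

# Full principal the KDC must know: <service>/<fqdn>@<REALM>
#   $1 forward name, $2 PTR name, $3 rdns, $4 service (host, ldap, ...), $5 realm
krb_principal() {
    printf '%s/%s@%s\n' "$(lower "$4")" "$(krb_target_host "$1" "$2" "$3")" "$5"
}

# Is <service>/<fqdn> present in an SPN listing (one SPN per line)?
# AD matches SPNs case-insensitively, so compare in lower case.
#   $1 SPN listing, $2 service, $3 fqdn
spn_registered() {
    lower "$1" | grep -qxF "$(lower "$2")/$(lower "$3")"
}

# Live diagnosis on a real host: forward-resolve, reverse-resolve through
# NSS (getent does the PTR lookup), and report what the client will request.
#   usage: check_host ad.foobar.ca FOOBAR.CA ldap [true|false]
check_host() {
    fwd=$1; realm=$2; svc=${3:-host}; rdns=${4:-true}
    ip=$(getent ahostsv4 "$fwd" | awk 'NR==1 {print $1}')
    [ -n "$ip" ] || { echo "forward lookup of $fwd failed" >&2; return 1; }
    ptr=$(getent hosts "$ip" | awk 'NR==1 {print $2}')
    echo "forward: $fwd -> $ip"
    echo "reverse: $ip -> ${ptr:-(no PTR)}"
    echo "client will request: $(krb_principal "$fwd" "$ptr" "$rdns" "$svc" "$realm")"
    if [ "$rdns" = "true" ] && [ -n "$ptr" ] && [ "$(lower "$ptr")" != "$(lower "$fwd")" ]; then
        echo "WARNING: PTR name differs from forward name; fix the PTR record" \
             "or set rdns = false in [libdefaults] of /etc/krb5.conf" >&2
        return 2
    fi
}
```

Run `check_host ad.foobar.ca FOOBAR.CA ldap` on the SSSD client and compare the reported principal with `samba-tool spn list ad$` on the DC. Correcting the PTR record is the right fix; `rdns = false` is also worth setting on its own merits, because with reverse canonicalization enabled whoever can answer the PTR query chooses which service principal the client authenticates to.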