Markert, Martin
2015-Apr-02 10:38 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Hi,

I've successfully joined a CentOS server to our AD domain:

AD: Windows Server 2008 RC2 with Windows Services for UNIX
AD member: CentOS 6.6, sernet-samba-4.1.14-9, authentication via Kerberos and Winbind

From time to time the following entries show up in the messages file:

Apr 2 11:54:15 barbarella nss_wins[4254]: [2015/04/02 11:54:15.339983, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:15 barbarella nss_wins[4254]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Apr 2 11:54:15 barbarella nss_wins[4256]: [2015/04/02 11:54:15.546227, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:15 barbarella nss_wins[4256]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Apr 2 11:54:17 barbarella nss_wins[3564]: [2015/04/02 11:54:17.118128, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:17 barbarella nss_wins[3564]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Apr 2 11:54:17 barbarella nss_wins[3588]: [2015/04/02 11:54:17.120904, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:17 barbarella nss_wins[3588]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
Apr 2 11:54:17 barbarella nss_wins[3587]: [2015/04/02 11:54:17.271232, 0] ../source3/libads/sasl.c:1002(ads_sasl_spnego_bind)
Apr 2 11:54:17 barbarella nss_wins[3587]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm

I don't know what is wrong and where the issue is. The error message shows up while executing "id user", e.g. It takes 3-5 seconds and then the result appears.

Regards,
Martin

###/etc/krb5.conf###
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ARRI.DE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 ARRI.DE = {
  kdc = admuc1.arri.de:88
  kdc = admuc2.arri.de:88
  default_domain = arri.de
 }

[domain_realm]
 .arri.de = ARRI.DE
 arri.de = ARRI.DE

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 24h
  renew_lifetime = 24h
  forwardable = true
  proxiable = false
  retain_after_close = false
  krb4_convert = false
 }
---
###/etc/nsswitch.conf###
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
---
###/etc/pam.d/system-auth###
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     sufficient    pam_winbind.so use_first_pass
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_winbind.so use_first_pass
---
###/etc/resolv.conf###
nameserver 192.168.100.100
nameserver 192.168.100.101
domain arri.de
search arri.de
---
###/etc/hosts###
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.82   barbarella barbarella.arri.de
192.168.100.100 admuc1 admuc1.arri.de
192.168.100.101 admuc2 admuc2.arri.de

Martin Markert
Systems Integrator
Tuerkenstr. 89, 80799 München / Germany
Phone +49 89 3809-1848
EMail MMarkert at arri.de

ARRI Film & TV Services GmbH
Registered office: München - Court of registration: Amtsgericht München
Commercial register number: HRB 69396
Managing directors: Franz Kraus; Dr. Jörg Pohlman; Josef Reidinger