Dmitry MiksIr
2015-Aug-12 11:17 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
Samba4 as AD controller. Same Samba as domain members. Winbind. Periodically (once in a few days) after the subject message in the winbind logs it stops working and only a restart of winbindd helps.

Error message:

[2015/08/10 13:31:14.410866, 0] ../source3/libads/sasl.c:1025(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success

smb.conf
[global]
        netbios name = PC1
        workgroup = FOREST
        security = ADS
        realm = FOREST.INT.DOMAIN.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        idmap config * : range = 300-499
        idmap config * : backend = tdb
        idmap config * : script = /etc/samba/idmap.sh
        idmap config FOREST : backend = ad
        idmap config FOREST : range = 500 - 99999
        idmap config FOREST : schema_mode = rfc2307
        idmap cache time = 5
        idmap negative cache time = 5

        winbind trusted domains only = No
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind refresh tickets = Yes
        winbind cache time = 5

krb.conf
[libdefaults]
default_realm = FOREST.INT.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
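The failure above is only visible in the winbind log, and the thread's experience is that once it appears the daemon stays wedged until restarted. The following added example (written for this page, not code from the Samba project or the poster) parses Samba's default debug-log layout, a `[timestamp, level] file:line(function)` header followed by the message on the next line, and pulls out the `ads_sasl_spnego_bind` failures so they can be alerted on or counted. The header regex is this example's own approximation of the log format, and the extra log lines around the poster's real entry are constructed noise with placeholder source paths.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Approximation of Samba's debug header:
#   [YYYY/MM/DD HH:MM:SS.micro, level] file:line(function)
# The message text follows on the next line(s), indented.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), +(?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)


@dataclass
class SaslBindFailure:
    timestamp: str
    level: int
    function: str
    message: str


def parse_entries(lines) -> List[Tuple[dict, str]]:
    """Group a Samba debug log into (header_fields, message) entries."""
    entries = []
    header, body = None, []
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                entries.append((header, " ".join(body).strip()))
            header, body = m.groupdict(), []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        entries.append((header, " ".join(body).strip()))
    return entries


def find_spnego_bind_failures(lines) -> List[SaslBindFailure]:
    """Return the ads_sasl_spnego_bind failures (the 'kinit succeeded but
    ads_sasl_spnego_krb5_bind failed' condition from the thread)."""
    hits = []
    for header, message in parse_entries(lines):
        if (header["func"] == "ads_sasl_spnego_bind"
                and "ads_sasl_spnego_krb5_bind failed" in message):
            hits.append(SaslBindFailure(header["ts"], int(header["level"]),
                                        header["func"], message))
    return hits


# Constructed sample log: the poster's real entry surrounded by placeholder
# entries (the "example_noise.c" paths are not real Samba source files).
SAMPLE_LOG = """\
[2015/08/10 13:31:10.000000, 3] ../source3/example_noise.c:1(example_noise_fn)
  unrelated debug chatter
[2015/08/10 13:31:14.410866, 0] ../source3/libads/sasl.c:1025(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
[2015/08/10 13:31:15.000000, 1] ../source3/example_noise.c:2(example_noise_fn)
  more unrelated chatter
"""

if __name__ == "__main__":
    for failure in find_spnego_bind_failures(SAMPLE_LOG.splitlines()):
        print(f"{failure.timestamp} level={failure.level}: {failure.message}")
```

Feeding the real `log.winbindd` through `find_spnego_bind_failures` gives a list that a monitoring check can act on (alert, or restart winbindd, which is the only remedy the poster found); matching on the function name rather than on the free-text message alone keeps the check from firing on other lines that happen to mention Kerberos.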
L.P.H. van Belle
2015-Aug-12 11:51 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
Hai, I compared your config with my own.. Looks the same and correct to me.

Try it without these 2 in krb5.conf:
> ticket_lifetime = 24h
> renew_lifetime = 7d

and in smb.conf I don't have
> idmap cache time = 5
> idmap negative cache time = 5
> winbind cache time = 5

so I suggest first remove the 2 lines in krb5.conf and test. Then if needed the other 2.

And you did make sure your time is always in sync?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dmitry MiksIr
> Sent: Wednesday 12 August 2015 13:17
> To: samba at lists.samba.org
> Subject: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
>
> Samba4 as AD controller. Same Samba as domain members. Winbind.
> Periodically (once in a few days) after the subject message in the winbind logs
> it stops working and only a restart of winbindd helps.
> Error message:
> [2015/08/10 13:31:14.410866, 0]
> ../source3/libads/sasl.c:1025(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context
> has expired : Success
>
> smb.conf
> [global]
>         netbios name = PC1
>         workgroup = FOREST
>         security = ADS
>         realm = FOREST.INT.DOMAIN.COM
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>
>         idmap config * : range = 300-499
>         idmap config * : backend = tdb
>         idmap config * : script = /etc/samba/idmap.sh
>         idmap config FOREST : backend = ad
>         idmap config FOREST : range = 500 - 99999
>         idmap config FOREST : schema_mode = rfc2307
>         idmap cache time = 5
>         idmap negative cache time = 5
>
>         winbind trusted domains only = No
>         winbind use default domain = Yes
>         winbind nss info = rfc2307
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind refresh tickets = Yes
>         winbind cache time = 5
>
> krb.conf
> [libdefaults]
> default_realm = FOREST.INT.DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
Rowland Penny
2015-Aug-12 12:22 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
On 12/08/15 12:17, Dmitry MiksIr wrote:
> Samba4 as AD controller. Same Samba as domain members. Winbind.
> Periodically (once in a few days) after the subject message in the winbind logs
> it stops working and only a restart of winbindd helps.
> Error message:
> [2015/08/10 13:31:14.410866, 0]
> ../source3/libads/sasl.c:1025(ads_sasl_spnego_bind)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context
> has expired : Success
>
> smb.conf
> [global]
>         netbios name = PC1
>         workgroup = FOREST
>         security = ADS
>         realm = FOREST.INT.DOMAIN.COM
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>
>         idmap config * : range = 300-499
>         idmap config * : backend = tdb
>         idmap config * : script = /etc/samba/idmap.sh
>         idmap config FOREST : backend = ad
>         idmap config FOREST : range = 500 - 99999
>         idmap config FOREST : schema_mode = rfc2307
>         idmap cache time = 5
>         idmap negative cache time = 5
>
>         winbind trusted domains only = No
>         winbind use default domain = Yes
>         winbind nss info = rfc2307
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind refresh tickets = Yes
>         winbind cache time = 5
>
> krb.conf
> [libdefaults]
> default_realm = FOREST.INT.DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
>

Hi, I think your Kerberos ticket is expiring, but I don't really know why.

As Louis has said, you don't need these lines in krb5.conf:

ticket_lifetime = 24h
renew_lifetime = 7d

You also don't need these lines in smb.conf:

idmap cache time = 5
idmap negative cache time = 5
winbind cache time = 5

Is this a typo?

idmap config * : backend = tdb

shouldn't it be:

idmap config * : backend = tdb2

as you are also using:

idmap config * : script = /etc/samba/idmap.sh

What OS are you using?
What version of Samba and where is it from (distro packages, self compiled etc)

Rowland
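Rowland's review of the config is the kind of consistency check that is easy to automate before a member server is joined. The following added example (written for this page, not part of Samba or of the thread) parses the `[global]` section of an smb.conf, groups the `idmap config <domain> : <key>` entries per domain, tolerates the `500 - 99999` range spelling used above, and reports two findings a reviewer looks for: an idmap `script` configured on a backend other than tdb2 (the mismatch raised in the reply), and ID ranges of different domains that overlap. The smb.conf text embedded below is the poster's own configuration; the overlap case in the usage is constructed by editing one range.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the key half of "idmap config <domain> : <option> = value".
IDMAP_KEY_RE = re.compile(r"^idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)$")


def parse_global(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from the [global] section; keys lower-cased."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        pairs.append((key.lower(), value))
    return pairs


def idmap_domains(pairs) -> Dict[str, Dict[str, str]]:
    """Group idmap options per domain, e.g. {'*': {'backend': 'tdb', ...}}."""
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in pairs:
        m = IDMAP_KEY_RE.match(key)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = value
    return domains


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """Accept '300-499' and '500 - 99999'; None if malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m:
        return None
    low, high = int(m[1]), int(m[2])
    return (low, high) if low <= high else None


def check_idmap(text: str) -> List[str]:
    """Return human-readable findings about the idmap configuration."""
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in idmap_domains(parse_global(text)).items():
        backend = cfg.get("backend")
        if backend is None:
            findings.append(f"{dom}: no idmap backend configured")
        if "script" in cfg and backend != "tdb2":
            findings.append(f"{dom}: 'script' is set but backend is {backend!r}; "
                            f"the script option belongs to the tdb2 backend")
        rng = parse_range(cfg.get("range", ""))
        if rng is None:
            findings.append(f"{dom}: missing or malformed range {cfg.get('range')!r}")
        else:
            ranges[dom] = rng
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alow, ahigh), (blow, bhigh) = ranges[a], ranges[b]
            if alow <= bhigh and blow <= ahigh:
                findings.append(f"ranges for {a} {ranges[a]} and {b} {ranges[b]} overlap")
    return findings


# The poster's smb.conf from the thread (only the idmap-relevant lines matter here).
SAMPLE_SMB_CONF = """\
[global]
        netbios name = PC1
        workgroup = FOREST
        security = ADS
        realm = FOREST.INT.DOMAIN.COM
        idmap config * : range = 300-499
        idmap config * : backend = tdb
        idmap config * : script = /etc/samba/idmap.sh
        idmap config FOREST : backend = ad
        idmap config FOREST : range = 500 - 99999
        idmap config FOREST : schema_mode = rfc2307
        idmap cache time = 5
"""

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF):
        print("finding:", finding)
    # Constructed variant: pull the FOREST range down so it collides with '*'.
    for finding in check_idmap(SAMPLE_SMB_CONF.replace("500 - 99999", "400 - 99999")):
        print("finding (overlap variant):", finding)
```

Run against the posted config the checker reports exactly the script/backend mismatch Rowland spotted and nothing about the ranges, since 300-499 and 500-99999 are disjoint; shifting the FOREST range down to 400 produces an overlap finding, which matters because overlapping ranges let two different SIDs map to the same Unix ID.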
Dmitry MiksIr
2015-Aug-12 14:07 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
12.08.2015 15:22, Rowland Penny wrote:
> On 12/08/15 12:17, Dmitry MiksIr wrote:
>
> Hi, I think your Kerberos ticket is expiring, but I don't really know why.
>
> As Louis has said, you don't need these lines in krb5.conf:
>
> ticket_lifetime = 24h
> renew_lifetime = 7d
>

Ok, I will try to remove them. Let's see.

> You also don't need these lines in smb.conf:
>
> idmap cache time = 5
> idmap negative cache time = 5
> winbind cache time = 5

Well, it's because I don't want to wait a long time after adding new users or changing group membership (and it happens very often). Performance is not very important for me. Maybe I'll increase this time a little bit, but the default 300(?) is too much for me.

>
> Is this a typo?

No. I tried to use the tdb2 idmap script to map well-known SIDs to local groups (like S-1-5-11 to `users`, and S-1-5-32-544 to `wheel`). But it didn't work for a few SIDs and I switched back to tdb and added this map via `net groupmap`. Just forgot to remove `idmap config * : script`.

>
> idmap config * : backend = tdb
>
> shouldn't it be:
>
> idmap config * : backend = tdb2
>
> as you are also using:
>
> idmap config * : script = /etc/samba/idmap.sh
>
> What OS are you using?
> What version of Samba and where is it from (distro packages, self
> compiled etc)

Debian Jessie
Sernet Samba 4.2.3-7

>
> Rowland
>
Dmitry MiksIr
2015-Aug-12 14:09 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed: The context has expired : Success
12.08.2015 14:51, L.P.H. van Belle wrote:
> Hai,
>
>
> And you did make sure your time is always in sync?
>

Currently the AD controller and all Samba clients are LXC containers on one physical host :) So almost sure :)