Hi,
I tried to bring up an NFSv4 client setup, but when joining the AD server from
my Linux machine I always get the error below:
"kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in
Kerberos database
Failed to join domain: failed to connect to AD: Server not found in
Kerberos database"
wbinfo -u command gives the user list
net ads info gives the details of the AD
When I try to log in as the AD administrator user, I am not able to log in
using ssh.
I am using Debian wheezy as the client and Windows 2003 Server as AD.
My Samba conf:
[global]
security = ADS
realm = INDIA.LOCAL
# If the system doesn't find the domain controller automatically, you may need the following line
password server = INDIA.LOCAL
# note that workgroup is the 'short' domain name
workgroup = INDIA
# winbind separator = +
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
name resolve order = lmhosts host
Could anyone help regarding this?
Regards,
Vigneshdhanraj G

Few things,

- check your resolv.conf, make sure your Samba AD is the first nameserver
- check if your resolv.conf search has: search india.local
- is the time in sync with the DC?
- on Debian, a login as "Administrator" (if mapped to root) won't work. ( or remove the mini
- in general, don't give Administrator a UID/GID
- in general, don't use Administrator for ssh logins, but that's a choice; better is to create a new user and give that one admin rights.

And have a look into this script, works well on wheezy.
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh

Last:
With the above you can log in without a password, but no TGT ticket is generated.
To fix that, add "kinit -f -p" in the bashrc.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of VigneshDhanraj G
> Sent: Tuesday 1 December 2015 8:18
> To: samba-technical at lists.samba.org; samba at lists.samba.org
> Subject: [Samba] NFSV4 Client setup problem

On 01/12/15 08:24, L.P.H. van Belle wrote:
> Few things,
>
> - check your resolv.conf, make sure your Samba AD is the first nameserver
> - check if your resolv.conf search has: search india.local
> - is the time in sync with the DC?
> - on Debian, a login as "Administrator" (if mapped to root) won't work. ( or remove the mini
> - in general, don't give Administrator a UID/GID
> - in general, don't use Administrator for ssh logins, but that's a choice; better is to create a new user and give that one admin rights.
>
> And have a look into this script, works well on wheezy.
> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>
> Last:
> With the above you can log in without a password, but no TGT ticket is generated.
> To fix that, add "kinit -f -p" in the bashrc.
>
> Greetz,
>
> Louis

Is Avahi running? If so, this may be part of your problems and you have a couple of options: stop using .local (this is the best option) or turn off Avahi.

I would also suggest you go here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Follow this and set up your smb.conf correctly; you don't appear to have anywhere to store your users & groups.

Rowland
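
The checks the two replies ask for (DC as first nameserver, realm in the resolv.conf search list, Avahi/mDNS interfering with a .local realm, somewhere to store users and groups), as an added example that is not part of the thread. It assumes "store your users & groups" refers to smb.conf idmap settings and that Avahi interference shows up as an mdns entry ahead of dns in nsswitch.conf; the sample files and the dc_ip value are constructed.

```python
import re

# Constructed sample inputs, modelled on the configuration posted in the thread.
SMB_CONF = """[global]
security = ADS
realm = INDIA.LOCAL
workgroup = INDIA
kerberos method = secrets and keytab
"""
RESOLV_CONF = "nameserver 192.0.2.10\nsearch example.net\n"
NSSWITCH_CONF = "hosts: files mdns4_minimal [NOTFOUND=return] dns\n"

def parse_global(text):
    """Return the [global] parameters of an smb.conf, names lower-cased."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def fields(text, keyword):
    """Arguments of every 'keyword arg ...' line in a resolv.conf-style file."""
    return [w for l in text.splitlines() if l.split()[:1] == [keyword]
            for w in l.split()[1:]]

def preflight(smb_conf, resolv_conf, nsswitch_conf, dc_ip):
    """List the problems the replies ask about; dc_ip is the DC's address (assumed known)."""
    found = []
    params = parse_global(smb_conf)
    realm = params.get("realm", "").lower()
    if fields(resolv_conf, "nameserver")[:1] != [dc_ip]:
        found.append("first nameserver is not the DC")
    if realm not in (d.lower() for d in fields(resolv_conf, "search")):
        found.append("search list lacks " + realm)
    hosts = fields(nsswitch_conf, "hosts:")
    mdns = [i for i, s in enumerate(hosts) if s.startswith("mdns")]
    dns_at = hosts.index("dns") if "dns" in hosts else len(hosts)
    if realm.endswith(".local") and mdns and mdns[0] < dns_at:
        found.append("mDNS is consulted before DNS for a .local realm")
    if not any(k.startswith("idmap ") for k in params):
        found.append("no idmap settings in [global]")
    return found
```

On a real client, pass the contents of /etc/samba/smb.conf, /etc/resolv.conf and /etc/nsswitch.conf; clock skew against the DC still has to be checked separately.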