Hi,

I tried to bring up an NFSv4 client setup, but when joining the AD server from my Linux machine I always get the error below:

"kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database"

The wbinfo -u command gives the user list.
net ads info gives the details of the AD.

When I try to log in as the AD administrator user, I am not able to log in using ssh.

I am using Debian wheezy as the client and Windows 2003 Server as the AD.

My samba conf:

[global]
security = ADS
realm = INDIA.LOCAL
# If the system doesn't find the domain controller automatically, you may need the following line
password server = INDIA.LOCAL
# note that workgroup is the 'short' domain name
workgroup = INDIA
# winbind separator = +
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
name resolve order = lmhosts host

Could anyone help with this?

Regards,
Vigneshdhanraj G

A few things:

- check your resolv.conf, make sure your Samba AD is the first nameserver
- check that your resolv.conf search line has: search india.local
- is the time in sync with the DC?
- on Debian, a login as "Administrator" (if mapped to root) won't work. ( or remove the mini
- in general, don't give Administrator a UID/GID
- in general, don't use Administrator for ssh logins, but that's a choice; better is to create a new user and give that one admin rights.

And have a look at this script, it works well on wheezy.
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh

Last: with the above you can log in without a password, but no TGT ticket is generated.
To fix that, add "kinit -f -p" to the bashrc.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of VigneshDhanraj G
> Sent: Tuesday 1 December 2015 8:18
> To: samba-technical at lists.samba.org; samba at lists.samba.org
> Subject: [Samba] NFSV4 Client setup problem
>
> Hi,
>
> I tried to bring up an NFSv4 client setup, but when joining the AD server from
> my Linux machine I always get the error below:
>
> "kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in
> Kerberos database
> Failed to join domain: failed to connect to AD: Server not found in
> Kerberos database"
>
> The wbinfo -u command gives the user list.
> net ads info gives the details of the AD.
>
> When I try to log in as the AD administrator user, I am not able to log in
> using ssh.
>
> I am using Debian wheezy as the client and Windows 2003 Server as the AD.
>
> My samba conf:
> [global]
> security = ADS
> realm = INDIA.LOCAL
> # If the system doesn't find the domain controller automatically, you may need the following line
> password server = INDIA.LOCAL
> # note that workgroup is the 'short' domain name
> workgroup = INDIA
> # winbind separator = +
> winbind refresh tickets = yes
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> winbind use default domain = yes
> restrict anonymous = 2
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> name resolve order = lmhosts host
>
> Could anyone help with this?
>
> Regards,
> Vigneshdhanraj G
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 01/12/15 08:24, L.P.H. van Belle wrote:
> A few things:
>
> - check your resolv.conf, make sure your Samba AD is the first nameserver
> - check that your resolv.conf search line has: search india.local
> - is the time in sync with the DC?
> - on Debian, a login as "Administrator" (if mapped to root) won't work. ( or remove the mini
> - in general, don't give Administrator a UID/GID
> - in general, don't use Administrator for ssh logins, but that's a choice; better is to create a new user and give that one admin rights.
>
> And have a look at this script, it works well on wheezy.
> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>
> Last: with the above you can log in without a password, but no TGT ticket is generated.
> To fix that, add "kinit -f -p" to the bashrc.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of VigneshDhanraj G
>> Sent: Tuesday 1 December 2015 8:18
>> To: samba-technical at lists.samba.org; samba at lists.samba.org
>> Subject: [Samba] NFSV4 Client setup problem
>>
>> Hi,
>>
>> I tried to bring up an NFSv4 client setup, but when joining the AD server from
>> my Linux machine I always get the error below:
>>
>> "kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in
>> Kerberos database
>> Failed to join domain: failed to connect to AD: Server not found in
>> Kerberos database"
>>
>> The wbinfo -u command gives the user list.
>> net ads info gives the details of the AD.
>>
>> When I try to log in as the AD administrator user, I am not able to log in
>> using ssh.
>>
>> I am using Debian wheezy as the client and Windows 2003 Server as the AD.
>>
>> My samba conf:
>> [global]
>> security = ADS
>> realm = INDIA.LOCAL
>> # If the system doesn't find the domain controller automatically, you may need the following line
>> password server = INDIA.LOCAL
>> # note that workgroup is the 'short' domain name
>> workgroup = INDIA
>> # winbind separator = +
>> winbind refresh tickets = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/%D/%U
>> template shell = /bin/bash
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = yes
>> winbind use default domain = yes
>> restrict anonymous = 2
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.keytab
>> name resolve order = lmhosts host
>>
>> Could anyone help with this?
>>
>> Regards,
>> Vigneshdhanraj G

Is Avahi running? If so, this may be part of your problems and you have a couple of options: stop using .local (this is the best option) or turn off Avahi.

I would also suggest you go here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Follow this and set up your smb.conf correctly; you don't appear to have anywhere to store your users & groups.

Rowland
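
The file-based checks suggested in the replies above (DC as first nameserver, a search domain matching the realm, a .local realm clashing with Avahi, and an smb.conf with no ID mapping) can be scripted and run before attempting the join. This is an added example, not part of the thread or of the linked script; the function names smb_get and preflight, the sample files and the DC address 192.0.2.10 are assumptions, as is reading "nowhere to store your users & groups" as missing "idmap config" lines.

```sh
#!/bin/sh
# Added example: offline pre-join checks for the points raised in this thread.
# File contents and the DC address 192.0.2.10 below are constructed samples.

# smb_get FILE KEY: print the value of "KEY = value" from an smb.conf file.
smb_get() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        tolower(key) == tolower(k) {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); out = val
        }
        END { print out }' "$1"
}

# preflight RESOLV_CONF SMB_CONF DC_IP: print one finding per line.
preflight() {
    resolv=$1; smb=$2; dc_ip=$3
    realm=$(smb_get "$smb" realm | tr 'A-Z' 'a-z')
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
    [ "$first_ns" = "$dc_ip" ] ||
        echo "DNS: first nameserver is '$first_ns', expected the DC $dc_ip"
    awk -v r="$realm" '$1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == r) found = 1 }
        END { exit !found }' "$resolv" ||
        echo "DNS: no 'search $realm' in resolv.conf"
    case $realm in
        *.local) echo "MDNS: realm $realm ends in .local, which Avahi also uses" ;;
    esac
    grep -Eiq '^[[:space:]]*idmap config' "$smb" ||
        echo "IDMAP: no 'idmap config' lines in smb.conf"
}

# Constructed sample input: the poster's realm/workgroup plus a made-up resolv.conf.
tmp=$(mktemp -d)
printf '%s\n' 'nameserver 192.0.2.1' 'nameserver 192.0.2.10' > "$tmp/resolv.conf"
printf '%s\n' '[global]' 'security = ADS' 'realm = INDIA.LOCAL' \
    'workgroup = INDIA' > "$tmp/smb.conf"
preflight "$tmp/resolv.conf" "$tmp/smb.conf" 192.0.2.10
rm -rf "$tmp"
```

Clock skew against the DC, the remaining item on the checklist, needs a live query and is not covered by these file checks.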