Ygor Thomaz
2016-Jul-13 17:35 UTC
[Samba] CentOS 6.8 + Samba4 + Kerberos: No credentials cache found
Hi everyone,

I am trying to release a server using CentOS 6.8 + Samba4 (Winbind - LDAP + Kerberos) + NSS.

I was able to join the domain, but I am still getting this warning/error message:

[root at snfs2 ~]# net ads join -U myuser
Enter myuser's password:
***gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found]***
Using short domain name -- MYDOMAIN
Joined 'SNFS2' to dns domain 'MYDOMAIN.com'

Kerberos delivers the ticket normally:

[root at snfs2 ~]# kinit myuser
Password for myuser at DPPTORONTO.COM:
[root at snfs2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myuser at MYDOMAIN.COM

Valid starting       Expires              Service principal
07/13/16 12:44:49    07/13/16 22:44:51    krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
        renew until 07/13/16 22:44:49

Below, you can find my configuration content:

[root at snfs2 ~]# cat /etc/samba/smb.conf

#####################
## GLOBAL SETTINGS ##
#####################
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ads
server string = snfs2.MYDOMAIN.com
server max protocol = SMB3
encrypt passwords = true
unix extensions = false
client use spnego = true

## winbind
winbind use default domain = true
winbind offline logon = false
winbind cache time = 300
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind refresh tickets = true
winbind nss info = rfc2307
winbind rpc only = false

idmap config * : range = 16777216-33554431
## idmap config MYDOMAIN ##
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 1000-999999
idmap config MYDOMAIN : readonly = true

## logging
log file = /var/log/samba/log.%m
max log size = 2000
log level = 2
syslog only = true

## printers
load printers = no
printcap = /dev/null
disable spoolss = yes

[root at snfs2 ~]# net ads testjoin
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found]
Join is OK

[root at snfs2 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Note: Heimdal 1.3.1 deprecated DES encryption which is required for AD authentication before Windows Server 2008.
allow_weak_crypto = true

[realms]
MYDOMAIN.COM = {
kdc = MYDOMAIN1.MYDOMAIN.com:88
kdc = MYDOMAIN2.MYDOMAIN.com:88
admin_server = MYDOMAIN1.MYDOMAIN.com:749
}

[domain_realm]
MYDOMAIN.com = MYDOMAIN.COM
.MYDOMAIN.com = MYDOMAIN.COM

nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap

Btw, I can access my samba share perfectly from my clients. I have exactly the same configuration running normally at CentOS 7.2. No GSS msgs!

Does anyone have any idea what is causing this message?

Thank you!

--
Ygor Thomaz
Website: http://www.ygorthomaz.net/
"Be the change that you wish to see in the world." ― Mahatma Gandhi
Rowland penny
2016-Jul-13 18:22 UTC
[Samba] CentOS 6.8 + Samba4 + Kerberos: No credentials cache found
On 13/07/16 18:35, Ygor Thomaz wrote:
> Hi everyone,
>
> I am trying to release a server using CentOS 6.8 + Samba4 (Winbind - LDAP
> + Kerberos) + NSS.
>
> I was able to join the domain, but I am still getting this warning/error
> message:
>
> [root at snfs2 ~]# net ads join -U myuser
> Enter myuser's password:
> ***gss_init_sec_context failed with [Unspecified GSS failure. Minor code
> may provide more information: No credentials cache found]***
> Using short domain name -- MYDOMAIN
> Joined 'SNFS2' to dns domain 'MYDOMAIN.com'

Did you run 'kinit myuser' before trying to join to the domain?

> Kerberos delivers the ticket normally:
>
> [root at snfs2 ~]# kinit myuser
> Password for myuser at DPPTORONTO.COM:
> [root at snfs2 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: myuser at MYDOMAIN.COM
>
> Valid starting       Expires              Service principal
> 07/13/16 12:44:49    07/13/16 22:44:51    krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
>         renew until 07/13/16 22:44:49
>
> Below, you can find my configuration content:
>
> [root at snfs2 ~]# cat /etc/samba/smb.conf
>
> #####################
> ## GLOBAL SETTINGS ##
> #####################
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
> security = ads
> server string = snfs2.MYDOMAIN.com
> server max protocol = SMB3
> encrypt passwords = true
> unix extensions = false
> client use spnego = true
>
> ## winbind
> winbind use default domain = true
> winbind offline logon = false
> winbind cache time = 300
> winbind nested groups = true
> winbind enum users = true
> winbind enum groups = true
> winbind refresh tickets = true
> winbind nss info = rfc2307
> winbind rpc only = false
>
> idmap config * : range = 16777216-33554431
> ## idmap config MYDOMAIN ##
> idmap config MYDOMAIN : backend = nss
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 1000-999999
> idmap config MYDOMAIN : readonly = true

I'm not sure if you can use the 'nss' backend with AD, and 'security = ads' says you are using AD.

If you read the idmap_nss manpage, you will find this:

The idmap_nss plugin provides a means to map Unix users and groups to Windows accounts and obsoletes the "winbind trusted domains only" smb.conf option. This provides a simple means of ensuring that the SID for a Unix user named jsmith is reported as the one assigned to DOMAIN\jsmith which is necessary for reporting ACLs on files and printers stored on a Samba member server.

You cannot have a Unix user called 'jsmith' and a user called 'jsmith' in AD, you can have one or the other, but not both. You can however have a user called 'jsmith' in AD with the necessary rfc2307 attributes that will also make the user a Unix user.

I suggest you see here: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland
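A small check for the combination Rowland points out, added here as an example rather than anything from the thread or from Samba itself: it parses the [global] section of an smb.conf, flags a per-domain 'backend = nss' when 'security = ads' is set, and also reports idmap ranges that overlap (the '*' default range must not collide with the domain range). The sample smb.conf is a constructed copy of the relevant lines posted above.

```python
import re

# [global] lines from the smb.conf posted above (constructed offline sample)
SMB_CONF = """\
[global]
security = ads
idmap config * : range = 16777216-33554431
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : range = 1000-999999
idmap config MYDOMAIN : readonly = true
"""

def parse_global(text):
    # Return [global] parameters; keys lower-cased, inner whitespace collapsed
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_ranges(params):
    # Map idmap domain ('*' is the default domain) to its (low, high) id range
    ranges = {}
    for key, value in params.items():
        m = re.match(r"idmap config (\S+) : range$", key)
        if m:
            ranges[m.group(1)] = tuple(int(p) for p in value.split("-", 1))
    return ranges

def audit(text):
    # Flag backend = nss under security = ads, and overlapping idmap ranges
    params, findings = parse_global(text), []
    if params.get("security", "").lower() == "ads":
        for key, value in params.items():
            m = re.match(r"idmap config (\S+) : backend$", key)
            if m and m.group(1) != "*" and value.lower() == "nss":
                findings.append(f"{m.group(1)}: backend = nss with security = ads (see idmap_nss(8))")
    names = sorted(idmap_ranges(params).items())
    for i, (a, (alo, ahi)) in enumerate(names):
        for b, (blo, bhi) in names[i + 1:]:
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings
```

Run audit() on the text of /etc/samba/smb.conf; an empty list means neither condition was found.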