samba - Jun 2024 - GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

thank you

??, 24 ???. 2024??. ? 12:07, Rowland Penny via samba <samba at
lists.samba.org
>:
> On Mon, 24 Jun 2024 11:52:17 +0300
> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
>
> > Good afternoon, please tell me there is such an infrastructure windows
> > domain and samba domain between them, one-sided external outgoing
> > trust relationships are set up, so that users from the windows domain
> > can freely enter the samba domain, I entered the client into the
> > samba domain and all users from the samba domain can safely pass to
> > this client, but that's not the task of users they do not want to
> > authenticate from the windows domain in any way when I try to log in
> > to a client from the samba domain under them, I get the following
> > error in sssd on the client, GSSAPI Error: Unspecified GSS failure.
> > Minor code may provide more information (Server not found in Kerberos
> > database), do I understand correctly that this works like this, the
> > client accesses the samba domain controller, since there is no given
> > user in samba, the request is redirected to the windows domain
> > controller and that in turn must provide information about this to
> > users from its database kerberos? but for some reason this does not
> > happen, does anyone have at least some information on this error, I
> > have already tried many different scenarios and can not log in as a
> > user in any way, as if samba does not process information correctly,
> > while if you build a two-way trusting relationship, then everything
> > works as it should
>
> I suggest you should ask this question on the sssd-users mailing list.
> Samba does not produce sssd and hence, little is known about it.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 24-06-2024 11:07, Omnis ludis - games via samba
wrote:
> thank you
>
> ??, 24 ???. 2024??. ? 12:07, Rowland Penny via samba <samba at
lists.samba.org
>> :
>> On Mon, 24 Jun 2024 11:52:17 +0300
>> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
>>
>>> Good afternoon, please tell me there is such an infrastructure
windows
>>> domain and samba domain between them, one-sided external outgoing
>>> trust relationships are set up, so that users from the windows
domain
>>> can freely enter the samba domain, I entered the client into the
>>> samba domain and all users from the samba domain can safely pass to
>>> this client, but that's not the task of users they do not want
to
>>> authenticate from the windows domain in any way when I try to log
in
>>> to a client from the samba domain under them, I get the following
>>> error in sssd on the client, GSSAPI Error: Unspecified GSS failure.
>>> Minor code may provide more information (Server not found in
Kerberos
>>> database), do I understand correctly that this works like this, the
>>> client accesses the samba domain controller, since there is no
given
>>> user in samba, the request is redirected to the windows domain
>>> controller and that in turn must provide information about this to
>>> users from its database kerberos? but for some reason this does not
>>> happen, does anyone have at least some information on this error, I
>>> have already tried many different scenarios and can not log in as a
>>> user in any way, as if samba does not process information
correctly,
>>> while if you build a two-way trusting relationship, then everything
>>> works as it should
This is a generic kerberos error, you can find numerous pages with 
suggestions on the net.

I have seen errors like this one a few times (e.g. with gssapi from 
Apache), there are a lot of possible issues. Some I have come across:

-? EncTypes must be set on the machine account in the DC (and there must 
be an overlap with the ones in the client's krb5.conf).

- The machine password must be set on the account in the DC.

- The kvno of the keytab entries on the client must match with the DC. 
Each time the password on the machine account is changed a new kvno is 
set on the keytab, so it must be exported to the client again.

Hopefully this helps :-)

- Kees.
>> I suggest you should ask this question on the sssd-users mailing list.
>> Samba does not produce sssd and hence, little is known about it.
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>