Kees van Vloten
2024-Jun-24 09:19 UTC
[Samba] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
On 24-06-2024 11:07, Omnis ludis - games via samba wrote:
> thank you
>
> Mon, 24 Jun 2024 at 12:07, Rowland Penny via samba <samba at lists.samba.org>:
>> On Mon, 24 Jun 2024 11:52:17 +0300
>> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
>>
>>> Good afternoon, please tell me there is such an infrastructure windows
>>> domain and samba domain between them, one-sided external outgoing
>>> trust relationships are set up, so that users from the windows domain
>>> can freely enter the samba domain, I entered the client into the
>>> samba domain and all users from the samba domain can safely pass to
>>> this client, but that's not the task of users they do not want to
>>> authenticate from the windows domain in any way when I try to log in
>>> to a client from the samba domain under them, I get the following
>>> error in sssd on the client, GSSAPI Error: Unspecified GSS failure.
>>> Minor code may provide more information (Server not found in Kerberos
>>> database), do I understand correctly that this works like this, the
>>> client accesses the samba domain controller, since there is no given
>>> user in samba, the request is redirected to the windows domain
>>> controller and that in turn must provide information about this to
>>> users from its database kerberos? but for some reason this does not
>>> happen, does anyone have at least some information on this error, I
>>> have already tried many different scenarios and can not log in as a
>>> user in any way, as if samba does not process information correctly,
>>> while if you build a two-way trusting relationship, then everything
>>> works as it should

This is a generic kerberos error, you can find numerous pages with suggestions on the net.

I have seen errors like this one a few times (e.g. with gssapi from Apache), there are a lot of possible issues. Some I have come across:

- EncTypes must be set on the machine account in the DC (and there must be an overlap with the ones in the client's krb5.conf).

- The machine password must be set on the account in the DC.

- The kvno of the keytab entries on the client must match with the DC. Each time the password on the machine account is changed a new kvno is set on the keytab, so it must be exported to the client again.

Hopefully this helps :-)

- Kees.

>> I suggest you should ask this question on the sssd-users mailing list.
>> Samba does not produce sssd and hence, little is known about it.
>>
>> Rowland
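The three checks listed in the message above, as an added example that is not part of the original thread: it parses MIT `klist -ket` output and compares it with values read from the machine account on the DC. The function names, the sample keytab listing, and the use of the AD attributes msDS-KeyVersionNumber and msDS-SupportedEncryptionTypes as the source of `dc_kvno` and `dc_enctype_mask` are assumptions of this example.

```python
import re

# Bit values of the AD account attribute msDS-SupportedEncryptionTypes.
AD_ENCTYPE_BITS = {
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# One keytab row of MIT `klist -ket`: kvno, date, time, principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

# Constructed sample output, not taken from the thread.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   3 06/01/2024 09:00:00 host/client.samba.example@SAMBA.EXAMPLE (aes256-cts-hmac-sha1-96)
   3 06/01/2024 09:00:00 host/client.samba.example@SAMBA.EXAMPLE (DEPRECATED:arcfour-hmac)
"""

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ket` output."""
    hits = (ENTRY.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2], m[3]) for m in hits if m]

def check_keytab(klist_text, principal, dc_kvno, dc_enctype_mask, client_enctypes):
    """List the reasons this keytab cannot work for `principal`."""
    problems = []
    dc_types = {n for bit, n in AD_ENCTYPE_BITS.items() if dc_enctype_mask & bit}
    usable = dc_types & set(client_enctypes)  # krb5.conf permitted_enctypes
    if not dc_types:
        problems.append("no enctypes set on the machine account")
    elif not usable:
        problems.append("no enctype overlap between DC account and krb5.conf")
    mine = [e for e in parse_klist(klist_text) if e[1] == principal]
    if not mine:
        return problems + ["principal missing from keytab"]
    newest = max(kvno for kvno, _, _ in mine)
    if newest != dc_kvno:
        # Password changed on the DC after the keytab was exported.
        problems.append(f"kvno mismatch: keytab {newest}, DC {dc_kvno}")
    current = {etype for kvno, _, etype in mine if kvno == dc_kvno}
    if current and usable and not (current & usable):
        problems.append("keytab keys at current kvno use no permitted enctype")
    return problems
```
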
Rowland Penny
2024-Jun-24 10:42 UTC
[Samba] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
On Mon, 24 Jun 2024 11:19:03 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

>
> On 24-06-2024 11:07, Omnis ludis - games via samba wrote:
> > thank you
> >
> > Mon, 24 Jun 2024 at 12:07, Rowland Penny via samba
> > <samba at lists.samba.org>:
> >> On Mon, 24 Jun 2024 11:52:17 +0300
> >> Omnis ludis - games via samba <samba at lists.samba.org> wrote:
> >>
> >>> Good afternoon, please tell me there is such an infrastructure
> >>> windows domain and samba domain between them, one-sided external
> >>> outgoing trust relationships are set up, so that users from the
> >>> windows domain can freely enter the samba domain, I entered the
> >>> client into the samba domain and all users from the samba domain
> >>> can safely pass to this client, but that's not the task of users
> >>> they do not want to authenticate from the windows domain in any
> >>> way when I try to log in to a client from the samba domain under
> >>> them, I get the following error in sssd on the client, GSSAPI
> >>> Error: Unspecified GSS failure. Minor code may provide more
> >>> information (Server not found in Kerberos database), do I
> >>> understand correctly that this works like this, the client
> >>> accesses the samba domain controller, since there is no given
> >>> user in samba, the request is redirected to the windows domain
> >>> controller and that in turn must provide information about this
> >>> to users from its database kerberos? but for some reason this
> >>> does not happen, does anyone have at least some information on
> >>> this error, I have already tried many different scenarios and can
> >>> not log in as a user in any way, as if samba does not process
> >>> information correctly, while if you build a two-way trusting
> >>> relationship, then everything works as it should
> This is a generic kerberos error, you can find numerous pages with
> suggestions on the net.
>
> I have seen errors like this one a few times (e.g. with gssapi from
> Apache), there are a lot of possible issues. Some I have come across:
>
> - EncTypes must be set on the machine account in the DC (and there
> must be an overlap with the ones in the client's krb5.conf).
>
> - The machine password must be set on the account in the DC.
>
> - The kvno of the keytab entries on the client must match with the
> DC. Each time the password on the machine account is changed a new
> kvno is set on the keytab, so it must be exported to the client again.
>
> Hopefully this helps :-)
>

It might be a password problem, but sssd is involved and, from my perspective, if you are using 'security = ADS', then you must run winbind and if winbind is running, then there is no point to be also running sssd, winbind & sssd do virtually the same thing and if sssd isn't setup correctly, then once a month it can stop winbind in its tracks.

Rowland