search for: gss_init_sec_context

...8u3 and have winbind running and joined to a windows AD. When starting winbind everthing works, wbinfo -u, wbinfo -g returns all stuff correct. But after an hour or so this is being shown in the logs: [2016/06/14 19:15:02.239460, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token) gss_init_sec_context failed with [ Miscellaneous failure (see text): Message stream modified] [2016/06/14 19:15:02.239604, 0] ../source3/libads/sasl.c:764(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred. [2016/06/14 19:25:01.370737, 0] ../source3/librpc...

...winbindd_sig_term_handler)   Got sig[15] terminate (is_parent=0) [2016/10/18 15:35:41.931491,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)   Got sig[15] terminate (is_parent=0) [2016/10/19 01:39:57.249786,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)   gss_init_sec_context failed with [ The caontext has expired: Success] ( the last line was and restart of winbind.)   after ( 4.4.6 ) log.winbindd-idmap [2016/10/18 15:35:41.931491,  0] ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler)   Got sig[15] terminate (is_parent=0) [2016/10/19 01:39:57.249786,...

...e (is_parent=0) > > [2016/10/18 15:35:41.931491,  0] > ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) > >   Got sig[15] terminate (is_parent=0) > > [2016/10/19 01:39:57.249786,  0] > ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token) > >   gss_init_sec_context failed with [ The caontext has expired: Success] > > ( the last line was and restart of winbind.) > > > > after ( 4.4.6 ) log.winbindd-idmap > > [2016/10/18 15:35:41.931491,  0] > ../source3/winbindd/winbindd.c:280(winbindd_sig_term_handler) > >   Got sig[15]...

...ack from the server before I send the GSSAPI_MIC message, the authentication succeeds. Looking at the OpenSSH source code, I see that it always unconditionally enables mutual authentication in the client contexts it allocates. In ssh_gssapi_init_ctx, it does the following: ctx->major = gss_init_sec_context(&ctx->minor, GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid, GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 0, NULL, recv_tok, NULL, send_tok, flags, NULL); I don?t see anything in the RFC 4462 errata about this recommendation ha...

...krb5.M1pz6T. Errno Permission denied Domain Users Administrators Group Policy Creator Owners Enterprise Admins Schema Admins Remote Desktop Users Group Domain Admins If run as root I get this. root at osticket:~# net ads user info administrator -U administrator Enter administrator's password: gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported] kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred. gss_init_sec_context failed with [ Miscellaneous failure (see text): encryption type 3 not supported] gss_init_sec_context fa...

...orks for me, but on Devuan (Debian Buster sans systemd), why is > it trying to create a temporary krb5.conf ? >> >> If run as root I get this. >> >> root at osticket:~# net ads user info administrator -U administrator >> Enter administrator's password: >> gss_init_sec_context failed with [ Miscellaneous failure (see text): >> encryption type 3 not supported] >> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An >> internal error occurred. >> gss_init_sec_context failed with [ Miscellaneous failure (see text): >> encryption...

...orking. On member servers (file servers in my case), even with an ID mapping set up in smb.conf, wbinfo -u --domain=<other domain> returns nothing, and I see errors in log.wb-<domain>: [2016/07/11 13:48:25.449458, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token) gss_init_sec_context failed with [ Miscellaneous failure (see text): Key version is not available] [2016/07/11 13:48:25.449700, 0] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred. [2016/07/11 13:48:26.015483, 0] ../sour...

...le: > klist -ke This is a step I was missing. What is the purpose of the keytab? Can it help with the default ticket FILE:/tmp/krb5cc_0 expiration? I'm also facing this problem, although everything seems to work fine. I've tested with smbclient and a Windows client. # net ads testjoin gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] Join is OK #

Hi, I used Samba 4.0.5 in Wheezy. Here is that I have done: --------------------------------------------------------------- samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \ --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' echo "nameserver 192.168.0.21" > /etc/resolv.conf samba ln -s /usr/local/samba/lib/libnss_winbind.so

...without waiting for a server token (since the authentication is complete as soon as the client token is sent when mutual auth is disabled), I get a failure from OpenSSH: >> > > From the above comment, you are assuming that there will be no other tokens exchanged. > > After the gss_init_sec_context, you need to send any token from gss_init_sec_context > and if the status in not complete (or not an error) wait to receive the next token and call gss_init_sec_context > in a loop. > > GSS is not Kerberos specific and some other gss mechanisms will exchange multiple tokens. [Ron] Und...

...ine the libraries to be linked into the final binaries on openSUSE 10.2 (and before) when /usr/lib/libgssapi* exists, i.e. the libgssapi.rpm package is installed. krb5 and krb5-devel are installed to. I suppose this problem also surfaces on other distributions. configure output is: checking for gss_init_sec_context in -lgssapi... yes but actually compiling and linking the program suite yields: gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o...

...Permission denied > That works for me, but on Devuan (Debian Buster sans systemd), why is it trying to create a temporary krb5.conf ? > > If run as root I get this. > > root at osticket:~# net ads user info administrator -U administrator > Enter administrator's password: > gss_init_sec_context failed with [ Miscellaneous failure (see text): > encryption type 3 not supported] > kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An > internal error occurred. > gss_init_sec_context failed with [ Miscellaneous failure (see text): > encryption type 3 not supported...

On Sat, 12 Aug 2017 05:56:36 +1200 Andrew Bartlett via samba <samba at lists.samba.org> wrote: > On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez Vega via > samba wrote: > > gss_init_sec_context failed with [ The context has expired: Success] > > SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: > > NT_STATUS_INTERNAL_ERROR > > Can you please show me your smb.conf? > > I gse_krb5 shouldn't run on an AD DC, so I think the smb.conf is > somehow set up as a fil...

...- I have all the keytabs for a host(I think) but I noticed weird(to me at least) smbclient behavior. when I do: $ smbclient -L swir -U me at AAA.PRIVATE.DOM -k all works, clients sees local samba's shares, when I do: $ smbclient -L swir.private.aaa.private.dom -U pe243 at AAA.PRIVATE.DOM -k gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.aaa.private.dom at PRIVATE.AAA.PRIVATE.DOM not found in Kerberos database] SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit reques...

> Not sure what would cause that error message, nor have I experienced it. Looks like other people have seen it: > https://www.google.com/?gws_rd=ssl#q=gss_init_sec_context+failed+with+%5BUnspecified+GSS+failure.++Minor+code+may+provide+more+information:+No+credentials+cache+found I found no way to get rid of this, although everything seems to work fine. Red Hat need to push out an update to samba4 and fix bug 10604. It's highly irritating, and the workaround ht...

Hi All Is this behaviour expected in smbclient: I have a kerberized Samba server and a share that works as expected on desktop clients, but when I use smbclient with a valid ticket with the -k flag I get a KDC lookup failure kev at client:/home/testuser$ smbclient -k -L //fileserver gss_init_sec_context failed with [ Miscellaneous failure (see text): unable to reach any KDC in realm LAN] SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR session setup failed: NT_STATUS_INTERNAL_ERROR I've noticed that if I configure the KDC server in the [realm] section of my /etc/krb5....

...; (file servers in my case), even with an ID mapping set up in smb.conf, > wbinfo -u --domain=<other domain> returns nothing, and I see errors in > log.wb-<domain>: > > [2016/07/11 13:48:25.449458, 0] > ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token) > gss_init_sec_context failed with [ Miscellaneous failure (see text): > Key version is not available] > [2016/07/11 13:48:25.449700, 0] > ../source3/libads/sasl.c:773(ads_sasl_spnego_bind) > kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An > internal error occurred. > [2016/07/11 13:...

Hi everyone, I am trying to release a server using ‍‍CentOS 6.8 + Samba4 (Winbind - LDAP + Kerberos) + NSS. I was able to join the domain, but I still getting this warning/error message: [root at snfs2 ~]# net ads join -U myuser Enter myuser's password: ***gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found]*** Using short domain name -- MYDOMAIN Joined 'SNFS2' to dns domain 'MYDOMAIN.com' Kerberos delivers the ticket normally: [root at snfs2 ~]# kinit myuser Password for myuser...

...ncrypted keys which can be used to authenticate without entering a password. That should address your ticket expiration issue. > I'm also facing this problem, although everything seems to work fine. I've > tested with smbclient and a Windows client. > > # net ads testjoin > gss_init_sec_context failed with [Unspecified GSS failure. Minor code may > provide more information: No credentials cache found] Join is OK # Not sure what would cause that error message, nor have I experienced it. Looks like other people have seen it: https://www.google.com/?gws_rd=ssl#q=gss_init_sec_context+fai...

http://bugzilla.mindrot.org/show_bug.cgi?id=635 ------- Additional Comments From mmokrejs at natur.cuni.cz 2003-10-17 21:13 ------- Please commit the patch http://bugzilla.mindrot.org/attachment.cgi?id=396&action=view and close this bug. KRB5 does not work, but I don't care anymore as there's krb4 patch from ftp://ftp.mcc.ac.uk/pub/misc/ssh/ . :) Thanks! ------- You are