On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
> hi users,
> 
> I have a samba and sssd trying AD, it's 7.2 Linux.
> 
> That linux box is via sssd and samba talking to AD DC and win10 clients get
> to samba shares, getent pass sees AD users, samba can get to DC's shares and
> win10's clients shares, all good except...
> 
> smbclient @samba, in other words - to itself - fails
> 
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> and with smbclient -k
> 
> gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may
> provide more information: Server cifs/swir.private....@private.dom not found
> in Kerberos database]

Which realm is PRIVATE.DOM? What does

    $ klist -k -t /etc/krb5.swir.ccnr.keytab

return?

bye,
Sumit

> 
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
> 
> here is a snippet from smb.conf which I thought has relevance, I set it up
> following samba sssd wiki.
> 
>   security = ads
>   realm = CCNR.DOM
>   workgroup = CCNR
> 
>   kerberos method = secrets and keytab
>   dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>   client signing = auto
>   client use spnego = yes
>   encrypt passwords = yes
>   password server = ccnr-winsrv1.ccnr.dom
>   netbios name = SWIR
> 
>   template shell = /bin/bash
>   template homedir = /home/%D/%U
> 
>   preferred master = no
>   dns proxy = no
>   wins server = ccnr-winsrv1.ccnr.dom
>   wins proxy = no
> 
>   inherit acls = Yes
>   map acl inherit = Yes
>   acl group control = yes
> 
> 
> and in samba log:
> 
>   domain_client_validate: Domain password server not available.
> 
> I've tried samba user list, dead silence.
> 
> many thanks,
> 
> L.
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
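
One way to answer the two questions in the reply above from saved output, as an added example that is not part of the original thread: it compares the `realm` set in smb.conf with the realms of the principals in a `klist -k -t` listing and checks for a given service principal. The sample files and the host `fs1.example.test` are constructed; only the realm `CCNR.DOM` and the `klist` command come from the thread.

```shell
#!/bin/sh
# Added example. Sample files are constructed; only the realm CCNR.DOM and the
# klist -k -t command come from the thread. Host fs1.example.test is hypothetical.

# Print the realm set in the smb.conf file $1, upper-cased.
smb_realm() {
    awk -F= '/^[ \t]*realm[ \t]*=/ {
        gsub(/[ \t\r]/, "", $2); print toupper($2); exit }' "$1"
}

# Print the unique principals found in saved `klist -k` output (file $1).
keytab_principals() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /.@./) { print $i; break } }' "$1" | sort -u
}

# check_keytab <smb.conf> <klist output> <service/host>
# Reports principals outside the smb.conf realm; returns 0 only when
# service/host@REALM is present in the keytab listing.
check_keytab() {
    realm=$(smb_realm "$1")
    want="$3@$realm"
    rc=1
    for p in $(keytab_principals "$2"); do
        case "$p" in
            *@"$realm") ;;
            *) echo "realm mismatch: $p (smb.conf realm is $realm)" ;;
        esac
        if [ "$p" = "$want" ]; then rc=0; fi
    done
    if [ "$rc" -eq 0 ]; then echo "found: $want"; else echo "missing: $want"; fi
    return "$rc"
}

tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
  security = ads
  realm = CCNR.DOM
EOF
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/tmp/sample.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 06/03/2016 10:00:00 host/fs1.example.test@CCNR.DOM
   2 06/03/2016 10:00:00 cifs/fs1.example.test@OTHER.TEST
EOF
check_keytab "$tmp/smb.conf" "$tmp/klist.txt" cifs/fs1.example.test || true
```

On a real host, save the output of the `klist -k -t` command from the reply to a file and pass that file as the second argument.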
