On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote: > hi users, > > I have a samba and sssd trying AD, it's 7.2 Linux. > > That linux box is via sssd and samba talking to AD DC and win10 clients get > to samba shares, getent pass sees AD users, samba can get to DC's shares and > win10's clients shares, all good except... > > smbclient @samba, in other words - to itself - fails > > session setup failed: NT_STATUS_LOGON_FAILURE > > and with smbclient -k > > gss_init_sec_context failed with [Unspecified GSS failure. Minor code may > provide more information: Server cifs/swir.private....@private.dom not found > in Kerberos database]
Which realm is PRIVATE.DOM? What does $ klist -k -t /etc/krb5.swir.ccnr.keytab return? bye, Sumit > > SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR > Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR > session setup failed: NT_STATUS_INTERNAL_ERROR > > here is a snippet from smb.conf which I thought has relevance, I set it up > following samba sssd wiki. > > security = ads > realm = CCNR.DOM > workgroup = CCNR > > kerberos method = secrets and keytab > dedicated keytab file = /etc/krb5.swir.ccnr.keytab > client signing = auto > client use spnego = yes > encrypt passwords = yes > password server = ccnr-winsrv1.ccnr.dom > netbios name = SWIR > > template shell = /bin/bash > template homedir = /home/%D/%U > > preferred master = no > dns proxy = no > wins server = ccnr-winsrv1.ccnr.dom > wins proxy = no > > inherit acls = Yes > map acl inherit = Yes > acl group control = yes > > > and in samba log: > > domain_client_validate: Domain password server not available. > > I've tried samba user list, dead silence. > > many thanks, > > L. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project