[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
BODY { font-family:Arial, Helvetica, sans-serif;font-size:12px; }Hi, I've seen many people complain about this error message by Googling around, but I've never found a satisfactory explanation as to the cause and resolution. I'm hoping someone on the list will be able to point me in the right direction? I'm attempting to get a RHEL 5.5 client configured to use winbind auth against Windows 2003 R2 AD (in fact my end game is to get all NIS maps served from AD, but one step at a time). I've been following these steps: http://wiki.samba.org/index.php/Samba_&_Active_Directory But when I come to issue the 'net ads join' command: # net ads join -U administrator administrator's password: [2011/09/20 10:57:00, 0] libads/sasl.c:ads_sasl_spnego_bind(330) kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials Failed to join domain: Invalid credentials So having manually configured it, I decided maybe 'authconfig' could help. I have no graphics here, so tried a command-line approach: # authconfig --enablecache --enablewinbind --enablewinbindauth --smbsecurity ads --smbrealm FMTEST.NET --smbidmapuid=100-4294967294 --smbidmapgid=100-4294967294 --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=Administrator --update This made no difference (same error when trying to join). Apart from adding the 'winbind offline logon' option which I omitted from my manual approach, using the old idmap features instead of the new ones, and setting up PAM for winbind (which I hadn't got around to yet) there was no difference in config. Debug modes, RHEL logs, Windows event logs, network traces - I've looked at them all and can't find anything that points to the exact problem. Some pertinent info: # cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.5 (Tikanga) # rpm -qa | egrep 'samba|libsmb' libsmbclient-3.0.33-3.29.el5_5.1 samba-client-3.0.33-3.29.el5_5.1 samba-3.0.33-3.29.el5_5.1 samba-common-3.0.33-3.29.el5_5.1 # testparm Load smb config files from /etc/samba/smb.conf Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = FMTEST realm = FMTEST.NET server string = Linux Test Machine security = ADS passdb backend = tdbsam log file = /var/log/samba/%m.log preferred master = No idmap domains = ALLDOMAINS winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nss info = rfc2307 winbind offline logon = Yes idmap config ALLDOMAINS:default = yes idmap config ALLDOMAINS:backend = ad idmap config ALLDOMAINS:range = 100-4294967294 idmap config ALLDOMAINS:schema_mode = rfc2307 # cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = FMTEST.NET dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes [realms] FMTEST.NET = { default_domain = fmtest.net } [domain_realm] .fmtest.net = FMTEST.NET fmtest.net = FMTEST.NET [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } Can you advise? Thanks, Mark. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
I have configured samba to use ADS and we need to configure strong authentication with client ldap sasl wrapping = seal or sign . Samba version is 3.2.4 We are using openladp latest version Any idea what is wrong ? [2008/10/10 08:56:40, 0] libads/sasl.c:ads_sasl_spnego_gsskrb5_bind(593) ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED [2008/10/10 08:56:40, 0] libads/sasl.c:ads_sasl_spnego_bind(819) kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
I experienced this problem on a Red Hat Enterprise Linux 5.1 system when running Samba 3.0.25b-1.el5_1.4, the RHEL supplied version of Samba. Previously I was able to join this same system to our AD domain when it was running RHEL 5/Samba 3.0.23c-2.el5.2.0.2. After this system was upgraded to RHEL 5.1/Samba 3.0.25b-1.el5_1.4 I was not able re-join this system to our AD domain. I ended up downgrading to the /usr/bin/net binary to one from Samba 3.0.23c-2.el5.2.0.2, the previous RHEL supplied version. I did that by downloading samba-common-3.0.23c-2.el5.2.0.2.i386.rpm from Red Hat and extracting /usr/bin/net from the rpm by running: "rpm2cpio samba-common-3.0.23c-2.el5.2.0.2.i386.rpm | cpio -iv --make-directories ./usr/bin/net" That extracted the 3.0.23c-2.el5.2.0.2 version of /usr/bin/net into my cwd. Then I ran "mv /usr/bin/net /usr/bin/net.bak" to backup the 3.0.25b-1.el5_1.4 version and then copied the older /usr/bin/net binary that I extracted from the rpm to /usr/bin. Once I did that, I was able to rejoin this system to our domain. Andrew Philipoff Programmer Analyst Information Technology Services Department of Medicine University of California, San Francisco Phone: 415-476-1344 Help Desk: 415-476-6827 http://domsupport.ucsf.edu/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Lee Mondia Sent: Monday, March 17, 2008 5:38 PM To: samba@lists.samba.org Subject: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed Hi all, I'm having trouble joining samba to active directory. My samba version is 3.0.28a-35 and krb is 1.6.1-17.el5. It's running on centos 5, kernel version 2.6.18-53.1.14.el5. It's running on vmware server by the way if that is of any significance. The specific error that I get are as follows: when testjoining the domain: [2008/03/18 04:34:07, 0] libads/kerberos.c:ads_kinit_password(228) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed Join to domain is not valid: Logon failure is a valid domain, on a windows 2003 r2 server. It's already added to the hosts file as well as configured as the DNS server. hostname of this host can also be resovled. This is strange, considering I can get the ticket using kinit. I know some people have posted about this before, but it was on a previous samba version. I don't know if it is with samba versions, but i also upgraded from 3.0.25b, since i found somewhere in this post that it's a buggy version. On last thing, I also got the same problem on a Centos 4.4 installation, also with installed 3.0.28a-35. Any help will be highly appreciated. I'm willing to give you all the required configuration files if you need it. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
Hi all, I'm having trouble joining samba to active directory. My samba version is 3.0.28a-35 and krb is 1.6.1-17.el5. It's running on centos 5, kernel version 2.6.18-53.1.14.el5. It's running on vmware server by the way if that is of any significance. The specific error that I get are as follows: when testjoining the domain: [2008/03/18 04:34:07, 0] libads/kerberos.c:ads_kinit_password(228) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed Join to domain is not valid: Logon failure is a valid domain, on a windows 2003 r2 server. It's already added to the hosts file as well as configured as the DNS server. hostname of this host can also be resovled. This is strange, considering I can get the ticket using kinit. I know some people have posted about this before, but it was on a previous samba version. I don't know if it is with samba versions, but i also upgraded from 3.0.25b, since i found somewhere in this post that it's a buggy version. On last thing, I also got the same problem on a Centos 4.4 installation, also with installed 3.0.28a-35. Any help will be highly appreciated. I'm willing to give you all the required configuration files if you need it. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba