[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
BODY { font-family:Arial, Helvetica, sans-serif;font-size:12px; }Hi,
I've seen many people complain about this error message by Googling
around, but I've never found a satisfactory explanation as to the
cause and resolution. I'm hoping someone on the list will be able to
point me in the right direction?
I'm attempting to get a RHEL 5.5 client configured to use winbind
auth against Windows 2003 R2 AD (in fact my end game is to get all
NIS maps served from AD, but one step at a time).
I've been following these steps:
http://wiki.samba.org/index.php/Samba_&_Active_Directory
But when I come to issue the 'net ads join' command:
# net ads join -U administrator
administrator's password:
[2011/09/20 10:57:00, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
credentials
Failed to join domain: Invalid credentials
So having manually configured it, I decided maybe 'authconfig' could
help. I have no graphics here, so tried a command-line approach:
# authconfig --enablecache --enablewinbind --enablewinbindauth
--smbsecurity ads --smbrealm FMTEST.NET
--smbidmapuid=100-4294967294 --smbidmapgid=100-4294967294
--enablewinbindusedefaultdomain
--enablewinbindoffline --winbindjoin=Administrator --update
This made no difference (same error when trying to join). Apart
from adding the 'winbind offline logon' option which I omitted from
my manual approach, using the old idmap features instead of the new
ones, and setting up PAM for winbind (which I hadn't got around to
yet) there was no difference in config.
Debug modes, RHEL logs, Windows event logs, network traces - I've
looked at them all and can't find anything that points to the exact
problem.
Some pertinent info:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
# rpm -qa | egrep 'samba|libsmb'
libsmbclient-3.0.33-3.29.el5_5.1
samba-client-3.0.33-3.29.el5_5.1
samba-3.0.33-3.29.el5_5.1
samba-common-3.0.33-3.29.el5_5.1
# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = FMTEST
realm = FMTEST.NET
server string = Linux Test Machine
security = ADS
passdb backend = tdbsam
log file = /var/log/samba/%m.log
preferred master = No
idmap domains = ALLDOMAINS
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
idmap config ALLDOMAINS:default = yes
idmap config ALLDOMAINS:backend = ad
idmap config ALLDOMAINS:range = 100-4294967294
idmap config ALLDOMAINS:schema_mode = rfc2307
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FMTEST.NET
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
FMTEST.NET = {
default_domain = fmtest.net
}
[domain_realm]
.fmtest.net = FMTEST.NET
fmtest.net = FMTEST.NET
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Can you advise?
Thanks,
Mark.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
I have configured samba to use ADS and we need to configure strong authentication with client ldap sasl wrapping = seal or sign . Samba version is 3.2.4 We are using openladp latest version Any idea what is wrong ? [2008/10/10 08:56:40, 0] libads/sasl.c:ads_sasl_spnego_gsskrb5_bind(593) ads_setup_sasl_wrapping() failed: NT_STATUS_NOT_SUPPORTED [2008/10/10 08:56:40, 0] libads/sasl.c:ads_sasl_spnego_bind(819) kinit succeeded but ads_sasl_spnego_krb5_bind failed: NT_STATUS_NOT_SUPPORTED -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
I experienced this problem on a Red Hat Enterprise Linux 5.1 system when running Samba 3.0.25b-1.el5_1.4, the RHEL supplied version of Samba. Previously I was able to join this same system to our AD domain when it was running RHEL 5/Samba 3.0.23c-2.el5.2.0.2. After this system was upgraded to RHEL 5.1/Samba 3.0.25b-1.el5_1.4 I was not able re-join this system to our AD domain. I ended up downgrading to the /usr/bin/net binary to one from Samba 3.0.23c-2.el5.2.0.2, the previous RHEL supplied version. I did that by downloading samba-common-3.0.23c-2.el5.2.0.2.i386.rpm from Red Hat and extracting /usr/bin/net from the rpm by running: "rpm2cpio samba-common-3.0.23c-2.el5.2.0.2.i386.rpm | cpio -iv --make-directories ./usr/bin/net" That extracted the 3.0.23c-2.el5.2.0.2 version of /usr/bin/net into my cwd. Then I ran "mv /usr/bin/net /usr/bin/net.bak" to backup the 3.0.25b-1.el5_1.4 version and then copied the older /usr/bin/net binary that I extracted from the rpm to /usr/bin. Once I did that, I was able to rejoin this system to our domain. Andrew Philipoff Programmer Analyst Information Technology Services Department of Medicine University of California, San Francisco Phone: 415-476-1344 Help Desk: 415-476-6827 http://domsupport.ucsf.edu/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Lee Mondia Sent: Monday, March 17, 2008 5:38 PM To: samba@lists.samba.org Subject: [Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed Hi all, I'm having trouble joining samba to active directory. My samba version is 3.0.28a-35 and krb is 1.6.1-17.el5. It's running on centos 5, kernel version 2.6.18-53.1.14.el5. It's running on vmware server by the way if that is of any significance. The specific error that I get are as follows: when testjoining the domain: [2008/03/18 04:34:07, 0] libads/kerberos.c:ads_kinit_password(228) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed Join to domain is not valid: Logon failure is a valid domain, on a windows 2003 r2 server. It's already added to the hosts file as well as configured as the DNS server. hostname of this host can also be resovled. This is strange, considering I can get the ticket using kinit. I know some people have posted about this before, but it was on a previous samba version. I don't know if it is with samba versions, but i also upgraded from 3.0.25b, since i found somewhere in this post that it's a buggy version. On last thing, I also got the same problem on a Centos 4.4 installation, also with installed 3.0.28a-35. Any help will be highly appreciated. I'm willing to give you all the required configuration files if you need it. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
Hi all, I'm having trouble joining samba to active directory. My samba version is 3.0.28a-35 and krb is 1.6.1-17.el5. It's running on centos 5, kernel version 2.6.18-53.1.14.el5. It's running on vmware server by the way if that is of any significance. The specific error that I get are as follows: when testjoining the domain: [2008/03/18 04:34:07, 0] libads/kerberos.c:ads_kinit_password(228) kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed Join to domain is not valid: Logon failure is a valid domain, on a windows 2003 r2 server. It's already added to the hosts file as well as configured as the DNS server. hostname of this host can also be resovled. This is strange, considering I can get the ticket using kinit. I know some people have posted about this before, but it was on a previous samba version. I don't know if it is with samba versions, but i also upgraded from 3.0.25b, since i found somewhere in this post that it's a buggy version. On last thing, I also got the same problem on a Centos 4.4 installation, also with installed 3.0.28a-35. Any help will be highly appreciated. I'm willing to give you all the required configuration files if you need it. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
