[Freeipa-users] a bit off topic- samba + sssd => AD

lejeczek peljasz at yahoo.co.uk
Fri Jun 3 13:39:00 UTC 2016


Hi users,

I have a samba and sssd trying AD, it's 7.2 Linux.

That Linux box is talking to the AD DC via sssd and samba, and 
win10 clients get to samba shares, getent pass sees AD 
users, samba can get to the DC's shares and the win10 clients' 
shares, all good except...

smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE

and with smbclient -k:

gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server cifs/swir.private.dom at PRIVATE.DOM not found in Kerberos database]

SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

Here is a snippet from smb.conf which I thought has 
relevance; I set it up following the samba sssd wiki.

   security = ads
   realm = CCNR.DOM
   workgroup = CCNR

   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.swir.ccnr.keytab
   client signing = auto
   client use spnego = yes
   encrypt passwords = yes
   password server = ccnr-winsrv1.ccnr.dom
   netbios name = SWIR

   template shell = /bin/bash
   template homedir = /home/%D/%U

   preferred master = no
   dns proxy = no
   wins server = ccnr-winsrv1.ccnr.dom
   wins proxy = no

   inherit acls = Yes
   map acl inherit = Yes
   acl group control = yes


and in samba log:

   domain_client_validate: Domain password server not available.

I've tried the samba user list, dead silence.

many thanks,

L.



