[Freeipa-users] a bit off topic- samba + sssd => AD
Sumit Bose
sbose at redhat.com
Fri Jun 3 14:11:20 UTC 2016
On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
> hi users,
>
> I have a samba and sssd trying AD, it's 7.2 Linux.
>
> That linux box is via sssd and samba talking to AD DC and win10 clients get
> to samba shares, getent pass sees AD users, samba can get to DC's shares and
> win10's clients shares, all good except...
>
> smbclient @samba, in other words - to itself - fails
>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> and with smbclient -k
>
> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may
> provide more information: Server cifs/swir.private.dom@PRIVATE.DOM not found
> in Kerberos database]

Which realm is PRIVATE.DOM? What does

$ klist -k -t /etc/krb5.swir.ccnr.keytab

return?

bye,
Sumit

>
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> here is a snippet from smb.conf which I thought has relevance, I set it up
> following samba sssd wiki.
>
> security = ads
> realm = CCNR.DOM
> workgroup = CCNR
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
> client signing = auto
> client use spnego = yes
> encrypt passwords = yes
> password server = ccnr-winsrv1.ccnr.dom
> netbios name = SWIR
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> preferred master = no
> dns proxy = no
> wins server = ccnr-winsrv1.ccnr.dom
> wins proxy = no
>
> inherit acls = Yes
> map acl inherit = Yes
> acl group control = yes
>
>
> and in samba log:
>
> domain_client_validate: Domain password server not available.
>
> I've tried samba user list, dead silence.
>
> many thanks,
>
> L.
>