Estou tentando liberar um servidor usando CentOS 6.8
+ Samba4 (Winbind - LDAP + Kerberos)
+ NSS
.
Consegui ingressar no domínio, mas ainda recebo esta mensagem de aviso / erro:
[root@snfs2 ~]# net ads join -U myuser
Enter myuser's password:
***gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found]***
Using short domain name -- MYDOMAIN
Joined 'SNFS2' to dns domain 'MYDOMAIN.com'
O Kerberos entrega o ticket normalmente:
[root@snfs2 ~]# kinit myuser
Password for [email protected]:
[root@snfs2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
07/13/16 12:44:49 07/13/16 22:44:51 krbtgt/[email protected]
renew until 07/13/16 22:44:49
Abaixo, você pode encontrar meu conteúdo de configuração:
[root@snfs2 ~]# cat /etc/samba/smb.conf
#####################
## GLOBAL SETTINGS ##
#####################
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ads
server string = snfs2.MYDOMAIN.com
server max protocol = SMB3
encrypt passwords = true
unix extensions = false
client use spnego = true
## winbind
winbind use default domain = true
winbind offline logon = false
winbind cache time = 300
winbind nested groups = true
winbind enum users = true
winbind enum groups = true
winbind refresh tickets = true
winbind nss info = rfc2307
winbind rpc only = false
idmap config * : range = 16777216-33554431
## idmap config MYDOMAIN ##
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 1000-999999
idmap config MYDOMAIN : readonly = true
## logging
log file = /var/log/samba/log.%m
max log size = 2000
log level = 2
syslog only = true
## printers
load printers = no
printcap = /dev/null
disable spoolss = yes
[root@snfs2 ~]# net ads testjoin
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found]
Join is OK
[root@snfs2 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Note: Heimdal 1.3.1 deprecated DES encryption which is required for A'D authentication before Windows Server 2008.
allow_weak_crypto = true
[realms]
MYDOMAIN.COM = {
kdc = MYDOMAIN1.MYDOMAIN.com:88
kdc = MYDOMAIN2.MYDOMAIN.com:88
admin_server = MYDOMAIN1.MYDOMAIN.com:749
}
[domain_realm]
MYDOMAIN.com = MYDOMAIN.COM
.MYDOMAIN.com = MYDOMAIN.COM
nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
Alguém tem alguma idéia do que está causando esta mensagem?