While looking for reasons why logging in to a samba machines joined to Active Directory is slow I have the strong impression that the following error in my log file could be a hint.
Apr 3 14:44:14 eu2 winbindd[19632]: [2014/04/03 14:44:14.166820, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
Apr 3 14:44:14 eu2 winbindd[19632]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm
There are about 5 to 20 of these entries for each connection and I am trying to understand where the issue is. After days of searching the closest I can come with is another SF question which suggests possible DNS problems.
The facts:
1/ kinit worked and I got a ticket
root@eu2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: yop@DOMAIN.EXAMPLE.COM
Valid starting Expires Service principal
04/03/2014 13:55:24 04/03/2014 23:55:24 krbtgt/DOMAIN.EXAMPLE.COM@DOMAIN.EXAMPLE.COM
renew until 04/04/2014 13:55:19
2/ /etc/krb.conf is
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
This configuration comes from the Samba and Active Directory Wiki.
3/ I checked that the DNS is doing its work (to quote the wiki above):
root@eu2:~# host -t srv _kerberos._tcp.DOMAIN.EXAMPLE.COM
;; Truncated, retrying in TCP mode.
_kerberos._tcp.DOMAIN.EXAMPLE.COM has SRV record 0 100 88 server1.etc.etc...
_kerberos._tcp.DOMAIN.EXAMPLE.COM has SRV record 0 100 88 server2.etc.etc...
(...)
4/ winbind version is 4.1.6-Debian
5/ browsing the shares of the machine which require authenticated access is quick and does not generate error logs. Logging in does. Maybe this is a PAM issue?
Any idea what the error message in the logs can mean and what would be the typical root cause?
