[Samba] DM 3.6.25 -> 4.x

Stefan G. Weichinger lists at xunil.at
Sat Jun 30 18:55:35 UTC 2018


That domain member server worked fine for about 2 weeks until today.

Somehow the DNS record didn't work anymore. I did a rejoin and added 
some Kerberos-related lines to smb.conf:

# 2 lines old
winbind cache time = 10
winbind use default domain = yes

# new lines
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes

created keytab, restarted etc

-

smbclient worked, right now I get:
  # smbclient  \\\\u1mycustomer\\IT -U sgw
Enter mycustomer\sgw's password:
gse_get_client_auth_token: gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: The ticket isn't for us](2529638947)
SPNEGO(gse_krb5) login failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE

-
[2018/06/30 20:53:32.297500,  1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
   gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/U1mycustomer.mycustomer.intra at mycustomer.INTRA kvno 277 not found in keytab; keytab is likely out of date]
[2018/06/30 20:53:32.372971,  1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
   gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/U1mycustomer.mycustomer.intra at mycustomer.INTRA kvno 277 not found in keytab; keytab is likely out of date]

-
# net ads keytab list
Vno  Type                                        Principal
   8  DES cbc mode with CRC-32                    cifs/U1mycustomer.mycustomer.intra at mycustomer.INTRA
   8  DES cbc mode with RSA-MD5                   cifs/U1mycustomer.mycustomer.intra at mycustomer.INTRA
   8  AES-128 CTS mode with 96-bit SHA-1 HMAC     cifs/U1mycustomer.mycustomer.intra at mycustomer.INTRA
   8  AES-256 CTS mode with 96-bit SHA-1 HMAC     cifs/U1mycustomer.mycustomer.intra at mycustomer.INTRA
   8  ArcFour with HMAC/md5                       cifs/U1mycustomer.mycustomer.intra at mycustomer.INTRA

-

I already did some recreating of that keytab (flush, create, restart samba 
... in several combos)

hm

any advice?
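
The smbd log in the post asks for kvno 277 while the keytab listing holds only kvno 8 for the same principal. The following is an added example, not part of the original post, that cross-checks the two outputs; the sample text is constructed from the post's values and the function names are hypothetical.

```python
import re

# Constructed sample, modeled on the smbd log line and the keytab listing in
# the post (the list archive's " at " is written as "@" here).
PRINC = "cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA"
SMBD_LOG = (
    "gss_accept_sec_context failed with [Unspecified GSS failure.  Minor\n"
    "code may provide more information: Request ticket server\n"
    f"{PRINC} kvno 277 not found\n"
    "in keytab; keytab is likely out of date]\n"
)
KEYTAB_LIST = "Vno  Type  Principal\n" + "".join(
    f"  8  {etype}  {PRINC}\n"
    for etype in (
        "DES cbc mode with CRC-32",
        "DES cbc mode with RSA-MD5",
        "AES-128 CTS mode with 96-bit SHA-1 HMAC",
        "AES-256 CTS mode with 96-bit SHA-1 HMAC",
        "ArcFour with HMAC/md5",
    )
)

REQ_RE = re.compile(r"Request ticket server (\S+) kvno (\d+) not found in keytab")
ROW_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+@\S+)\s*$")

def requested_keys(log_text):
    """(principal, kvno) pairs smbd asked for but did not find."""
    flat = " ".join(log_text.split())  # undo log line wrapping
    return sorted({(p, int(k)) for p, k in REQ_RE.findall(flat)})

def keytab_kvnos(listing):
    """Map principal -> set of kvnos present in `net ads keytab list` output."""
    found = {}
    for line in listing.splitlines():
        m = ROW_RE.match(line)  # the header row has no leading number, so it is skipped
        if m:
            found.setdefault(m.group(3), set()).add(int(m.group(1)))
    return found

def diagnose(log_text, listing):
    """List (principal, wanted_kvno, kvnos_in_keytab) for every mismatch."""
    have = keytab_kvnos(listing)
    return [(p, k, sorted(have.get(p, ())))
            for p, k in requested_keys(log_text) if k not in have.get(p, ())]

if __name__ == "__main__":
    for princ, want, got in diagnose(SMBD_LOG, KEYTAB_LIST):
        print(f"{princ}: ticket uses kvno {want}, keytab holds {got or 'nothing'}")
```

An empty result from `diagnose` means every key version named in the log is present in the keytab; principal names are compared exactly as written.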





