[Samba] Kerberos problems with only some servers
Arne Zachlod
arne at nerdkeller.org
Thu Apr 29 08:07:53 UTC 2021
Hi,
I have a weird Kerberos problem (I think) that pretty much came overnight.
I have a domain with multiple DCs (Debian/Samba 4.11), all in different
AD sites. Replication works according to 'samba-tool drs showrepl'.
In the sites I have Linux-based file servers as domain members and
Windows-based clients. Somehow, it's not possible anymore to log into
some of the file servers. On Windows, the client just asks for username
+ password, and if you give both, it won't get accepted.
On the file server, I get these log entries:
[2021/04/29 09:39:37.439432, 1]
../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
[2021/04/29 09:39:37.439817, 1]
../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
wbinfo -u also returns empty on the file server, but not on any of the
DCs. I'm a bit puzzled and don't really know what to do or how to debug.
Has anyone any idea how to debug this situation any further?
- Arne
====== krb5.conf - same on all servers
[libdefaults]
default_realm = INT.SAMDOM.DE
dns_lookup_realm = false
dns_lookup_kdc = true
====== smb.conf for the DC ========
# Global parameters
[global]
workgroup = SAMDOM
realm = int.samdom.de
netbios name = ADDC08
server role = active directory domain controller
dns forwarder = 10.1.1.1
idmap_ldb:use rfc2307 = yes
server signing = Auto
allow dns updates = nonsecure
[netlogon]
path = /var/lib/samba/sysvol/int.samdom.de/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
===== smb.conf on one of the FS ====
[global]
netbios name = ADFS01
security = ADS
workgroup = SAMDOM
realm = INT.SAMDOM.DE
logfile = /var/log/samba/%m.log
log level = 1
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain SAMDOM
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# fileshare options
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# test share
[test]
path = /srv/samba/test
read only = no
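A check worth running on a member server that logs "Decrypt integrity check failed": compare the key version number (kvno) of its host keys in /etc/krb5.keytab with the msDS-KeyVersionNumber of its machine account in AD, since a member that decrypts service tickets with a stale key fails exactly this way. This is an added example, not from the original post; the klist and net ads status outputs are constructed to mimic the real commands' formats, and the host name adfs01.int.samdom.de is assumed from the netbios name and realm above.

```shell
#!/bin/sh
# Added example: detect a keytab/AD kvno mismatch on a Samba member server.
# CONSTRUCTED sample output in the format of 'klist -ke /etc/krb5.keytab'
# (MIT krb5); on the real server run that command instead.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/adfs01.int.samdom.de@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)
   2 host/adfs01.int.samdom.de@INT.SAMDOM.DE (aes128-cts-hmac-sha1-96)
   2 ADFS01$@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)'

# CONSTRUCTED sample output in the format of 'net ads status -P', which
# prints the machine account's LDAP attributes.
SAMPLE_NET_ADS_STATUS='objectClass: computer
cn: ADFS01
sAMAccountName: ADFS01$
msDS-KeyVersionNumber: 3
servicePrincipalName: HOST/adfs01.int.samdom.de'

# Highest kvno the keytab holds for one principal.
# $1 = klist output, $2 = principal name (with realm).
keytab_max_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { max = 0 }
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# msDS-KeyVersionNumber as AD reports it. $1 = net ads status output.
ad_kvno() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2; exit }'
}

# Prints "ok" when the keytab and AD agree on the key version, "stale" when
# the keytab is behind AD (the member will fail to decrypt new tickets).
# $1 = klist output, $2 = net ads status output, $3 = host principal.
check_kvno() {
    kt=$(keytab_max_kvno "$1" "$3")
    ad=$(ad_kvno "$2")
    if [ "$kt" = "$ad" ]; then echo ok; else echo stale; fi
}

check_kvno "$SAMPLE_KLIST" "$SAMPLE_NET_ADS_STATUS" \
    'host/adfs01.int.samdom.de@INT.SAMDOM.DE'
```

A "stale" result on a real server means the keytab no longer matches the machine account password AD holds; re-creating the keytab from the member's secrets (for example with 'net ads keytab create') brings the two back in line.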