[Samba] Kerberos problems with only some servers

Arne Zachlod arne at nerdkeller.org
Thu Apr 29 08:07:53 UTC 2021


Hi,

I have a weird Kerberos problem (I think) that pretty much came over night.

I have a domain with multiple DCs (Debian/Samba 4.11), all in different 
AD Sites. Replication works according to 'samba-tool drs showrepl'.

In the sites I have Linux-based fileservers as domain members and 
Windows-based clients. Somehow, it's not possible anymore to log into 
some of the file servers. On Windows, the client just asks for username 
+ password, and if you give both, it won't get accepted.

On the file server, I get these log entries:

[2021/04/29 09:39:37.439432,  1] 
../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
   gss_accept_sec_context failed with [ Miscellaneous failure (see 
text): Decrypt integrity check failed for checksum type 
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
[2021/04/29 09:39:37.439817,  1] 
../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
   SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

wbinfo -u also returns empty on the file server, but not on any of the 
DCs. I'm a bit puzzled and don't really know what to do/ how to debug. 
Has anyone any idea how to debug this situation any further?

- Arne

====== krb5.conf - same on all servers

[libdefaults]
	default_realm = INT.SAMDOM.DE
	dns_lookup_realm = false
	dns_lookup_kdc = true

====== smb.conf for the DC ========

# Global parameters
[global]
	workgroup = SAMDOM
	realm = int.samdom.de
	netbios name = ADDC08
	server role = active directory domain controller
	dns forwarder = 10.1.1.1
	idmap_ldb:use rfc2307 = yes
	server signing = Auto
	allow dns updates = nonsecure

[netlogon]
	path = /var/lib/samba/sysvol/int.samdom.de/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

===== smb.conf on one of the FS ====

[global]
	netbios name = ADFS01
	security = ADS
	workgroup = SAMDOM
	realm = INT.SAMDOM.DE

	logfile = /var/log/samba/%m.log
	log level = 1

	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

	# idmap config for domain SAMDOM
	idmap config SAMDOM:backend = ad
	idmap config SAMDOM:schema_mode = rfc2307
	idmap config SAMDOM:range = 10000-99999

	# Use settings from AD for login shell and home directory
	winbind nss info = rfc2307
	
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes

	kerberos method = secrets and keytab
	dedicated keytab file = /etc/krb5.keytab

	# fileshare options
	vfs objects = acl_xattr
	map acl inherit = yes
	store dos attributes = yes

# test share

[test]
	path = /srv/samba/test
	read only = no


