[Samba] Kerberos problems with only some servers

Arne Zachlod arne at nerdkeller.org
Thu Apr 29 08:35:16 UTC 2021


Yes, time is OK:

root at adfs01:~# date -R
Thu, 29 Apr 2021 10:33:37 +0200

root at addc08:~# date -R
Thu, 29 Apr 2021 10:33:47 +0200

On 4/29/21 10:29 AM, L.P.H. van Belle via samba wrote:
> Is time in sync?
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Arne
>> Zachlod via samba
>> Sent: Thursday, 29 April 2021 10:08
>> To: samba
>> Subject: [Samba] Kerberos problems with only some servers
>>
>> Hi,
>>
>> I have a weird Kerberos problem (I think) that pretty much came
>> overnight.
>>
>> I have a domain with multiple DCs (Debian/Samba 4.11), all in different
>> AD Sites. Replication works according to 'samba-tool drs showrepl'.
>>
>> In the sites I have Linux based fileservers as domain members and
>> Windows based clients. Somehow, it's not possible anymore to log into
>> some of the file servers. On Windows, the client just asks for username
>> + password, and if you give both, it won't get accepted.
>>
>> On the file server, I get these log entries:
>>
>> [2021/04/29 09:39:37.439432,  1]
>> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>>     gss_accept_sec_context failed with [ Miscellaneous failure (see
>> text): Decrypt integrity check failed for checksum type
>> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
>> [2021/04/29 09:39:37.439817,  1]
>> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>>     SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>
>> wbinfo -u also returns empty on the file server, but not on any of the
>> DCs. I'm a bit puzzled and don't really know what to do / how to debug.
>> Has anyone any idea how to debug this situation any further?
>>
>> - Arne
>>
>> ====== krb5.conf - same on all servers
>>
>> [libdefaults]
>> 	default_realm = INT.SAMDOM.DE
>> 	dns_lookup_realm = false
>> 	dns_lookup_kdc = true
>>
>> ====== smb.conf for the DC ========
>>
>> # Global parameters
>> [global]
>> 	workgroup = SAMDOM
>> 	realm = int.samdom.de
>> 	netbios name = ADDC08
>> 	server role = active directory domain controller
>> 	dns forwarder = 10.1.1.1
>> 	idmap_ldb:use rfc2307 = yes
>> 	server signing = Auto
>> 	allow dns updates = nonsecure
>>
>> [netlogon]
>> 	path = /var/lib/samba/sysvol/int.samdom.de/scripts
>> 	read only = No
>>
>> [sysvol]
>> 	path = /var/lib/samba/sysvol
>> 	read only = No
>>
>> ===== smb.conf on one of the FS ====
>>
>> [global]
>> 	netbios name = ADFS01
>> 	security = ADS
>> 	workgroup = SAMDOM
>> 	realm = INT.SAMDOM.DE
>>
>> 	logfile = /var/log/samba/%m.log
>> 	log level = 1
>>
>> 	idmap config *:backend = tdb
>> 	idmap config *:range = 2000-9999
>>
>> 	# idmap config for domain SAMDOM
>> 	idmap config SAMDOM:backend = ad
>> 	idmap config SAMDOM:schema_mode = rfc2307
>> 	idmap config SAMDOM:range = 10000-99999
>>
>> 	# Use settings from AD for login shell and home directory
>> 	winbind nss info = rfc2307
>> 	
>> 	winbind enum users = yes
>> 	winbind enum groups = yes
>> 	winbind use default domain = yes
>> 	winbind refresh tickets = yes
>>
>> 	kerberos method = secrets and keytab
>> 	dedicated keytab file = /etc/krb5.keytab
>>
>> 	# fileshare options
>> 	vfs objects = acl_xattr
>> 	map acl inherit = yes
>> 	store dos attributes = yes
>>
>> # test share
>>
>> [test]
>> 	path = /srv/samba/test
>> 	read only = no
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
> 
> 



More information about the samba mailing list
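The "Decrypt integrity check failed ... key type aes256-cts-hmac-sha1-96" line quoted above means the member server could not decrypt the client's service ticket with the key it holds for its own principal. On a member configured with `kerberos method = secrets and keytab` and `dedicated keytab file = /etc/krb5.keytab`, one check worth running before anything else is whether that keytab still carries an AES256 key at the key version number (kvno) the DC currently has for the machine account. The script below is an added example, not code from the thread or from Samba: it parses an MIT `klist -k -e` style listing (the sample listing, its kvno values and enctypes are constructed for the example) and compares it with a kvno that, on a real system, you would read from the DC, for instance with `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=ADFS01$)' msDS-KeyVersionNumber` (assumed command, not shown in the thread).

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: check whether a member
# server's keytab holds an aes256-cts-hmac-sha1-96 key for a principal at
# the kvno the DC currently has for the machine account.  A keytab behind
# the DC's kvno, or one lacking the AES256 key the ticket was encrypted
# with, makes gss_accept_sec_context fail with "Decrypt integrity check
# failed".  Nothing here touches the network; both inputs are constructed.
#
# Assumed real-world sources of the two inputs (run by hand):
#   keytab listing: klist -k -e /etc/krb5.keytab
#   DC kvno:        on a DC, ldbsearch -H /var/lib/samba/private/sam.ldb \
#                     '(sAMAccountName=ADFS01$)' msDS-KeyVersionNumber

AES256="aes256-cts-hmac-sha1-96"

# keytab_check LISTING PRINCIPAL KVNO
# Prints one of: ok | stale | missing-enctype | absent
# Exit status is 0 only for "ok".
keytab_check() {
    listing=$1
    princ=$2
    want=$3
    printf '%s\n' "$listing" | awk -v p="$princ" -v want="$want" -v aes="$AES256" '
        # MIT "klist -k -e" entry lines look like:  "   3 host/x@REALM (enctype)"
        NF >= 3 && $2 == p {
            seen = 1
            enc = $3
            gsub(/[()]/, "", enc)
            if ($1 == want) {
                kvno_ok = 1
                if (enc == aes) enc_ok = 1
            }
        }
        END {
            if (!seen)    { print "absent";          exit 3 }
            if (!kvno_ok) { print "stale";           exit 2 }
            if (!enc_ok)  { print "missing-enctype"; exit 1 }
            print "ok"
        }'
}

# Constructed sample listing for the file server named in the thread; the
# kvno values and enctype mix are invented for this example.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/adfs01.int.samdom.de@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)
   3 host/adfs01.int.samdom.de@INT.SAMDOM.DE (aes128-cts-hmac-sha1-96)
   3 host/adfs01.int.samdom.de@INT.SAMDOM.DE (arcfour-hmac)
   3 ADFS01$@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)
   2 cifs/adfs01.int.samdom.de@INT.SAMDOM.DE (arcfour-hmac)
   2 cifs/adfs01.int.samdom.de@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)
   3 cifs/adfs01.int.samdom.de@INT.SAMDOM.DE (arcfour-hmac)'

# Constructed stand-in for the msDS-KeyVersionNumber read from the DC.
DC_KVNO=3

# Usage: one verdict per service principal the clients could be asking for.
for spn in host/adfs01.int.samdom.de@INT.SAMDOM.DE \
           cifs/adfs01.int.samdom.de@INT.SAMDOM.DE \
           nfs/adfs01.int.samdom.de@INT.SAMDOM.DE; do
    printf '%-45s %s\n' "$spn" "$(keytab_check "$SAMPLE_KEYTAB" "$spn" "$DC_KVNO")"
done
```

With the constructed listing the host principal reports `ok`, the cifs principal reports `missing-enctype` (its only kvno 3 entry is arcfour-hmac, so an AES256-encrypted ticket for cifs/... cannot be decrypted), and the nfs principal is `absent`. A `stale` result on a real member means the keytab no longer matches the machine account password held by the DC; re-joining the member rewrites the keytab, and `wbinfo -t` is the quick way to confirm the trust secret itself is still good. The thread as quoted here does not get as far as this check, so whether the poster's keytab was stale is not established by the page.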