[Samba] Kerberos problems with only some servers
Arne Zachlod
arne at nerdkeller.org
Thu Apr 29 08:35:16 UTC 2021
Yes, time is OK:
root at adfs01:~# date -R
Thu, 29 Apr 2021 10:33:37 +0200
root at addc08:~# date -R
Thu, 29 Apr 2021 10:33:47 +0200
On 4/29/21 10:29 AM, L.P.H. van Belle via samba wrote:
> Is time in sync?
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Arne
>> Zachlod via samba
>> Sent: Thursday, 29 April 2021 10:08
>> To: samba
>> Subject: [Samba] Kerberos problems with only some servers
>>
>> Hi,
>>
>> I have a weird Kerberos problem (I think) that pretty much came overnight.
>>
>> I have a domain with multiple DCs (Debian/Samba 4.11), all in different
>> AD Sites. Replication works according to 'samba-tool drs showrepl'.
>>
>> In the sites I have Linux-based fileservers as domain members and
>> Windows-based clients. Somehow, it's not possible anymore to log into
>> some of the file servers. On Windows, the client just asks for username
>> + password, and if you give both, it won't get accepted.
>>
>> On the file server, I get these log entries:
>>
>> [2021/04/29 09:39:37.439432, 1]
>> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>> gss_accept_sec_context failed with [ Miscellaneous failure (see
>> text): Decrypt integrity check failed for checksum type
>> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
>> [2021/04/29 09:39:37.439817, 1]
>> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>
>> wbinfo -u also returns empty on the file server, but not on any of the
>> DCs. I'm a bit puzzled and don't really know what to do / how to debug.
>> Has anyone any idea how to debug this situation any further?
>>
>> - Arne
>>
>> ====== krb5.conf - same on all servers
>>
>> [libdefaults]
>> default_realm = INT.SAMDOM.DE
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> ====== smb.conf for the DC ========
>>
>> # Global parameters
>> [global]
>> workgroup = SAMDOM
>> realm = int.samdom.de
>> netbios name = ADDC08
>> server role = active directory domain controller
>> dns forwarder = 10.1.1.1
>> idmap_ldb:use rfc2307 = yes
>> server signing = Auto
>> allow dns updates = nonsecure
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/int.samdom.de/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> ===== smb.conf on one of the FS ====
>>
>> [global]
>> netbios name = ADFS01
>> security = ADS
>> workgroup = SAMDOM
>> realm = INT.SAMDOM.DE
>>
>> logfile = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain SAMDOM
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 10000-99999
>>
>> # Use settings from AD for login shell and home directory
>> winbind nss info = rfc2307
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>>
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.keytab
>>
>> # fileshare options
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> # test share
>>
>> [test]
>> path = /srv/samba/test
>> read only = no
>>
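An added diagnostic helper, not from the thread, for the two checks usually run first on a Samba domain member whose log shows "Decrypt integrity check failed": the clock offset to the DC (what the "Is time in sync?" question is about) and whether the `dedicated keytab file` /etc/krb5.keytab still holds the key version (KVNO) the machine account has in AD. The `net ads info` and `klist -ke` outputs below are constructed samples, and the offset and KVNO values are hypothetical, so the script runs offline.

```shell
#!/bin/sh
# Checks for a Samba domain member that cannot decrypt Kerberos tickets.
# Live data would come from:
#   net ads info                 (prints a "Server time offset: N" line)
#   klist -ke /etc/krb5.keytab   (lists KVNO, principal and enctype per key)
# The machine account's current KVNO is its msDS-KeyVersionNumber in AD.

MAX_SKEW=300   # MIT Kerberos default clockskew tolerance, seconds

# Constructed stand-in for `net ads info` output (hypothetical values).
NET_ADS_INFO='LDAP server name: addc08.int.samdom.de
Realm: INT.SAMDOM.DE
Server time offset: 10'

# Constructed stand-in for `klist -ke /etc/krb5.keytab` on ADFS01.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   3 host/adfs01.int.samdom.de@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)
   3 host/ADFS01@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)
   3 ADFS01$@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)'

# Print the "Server time offset" value (seconds) from net ads info text on stdin.
time_offset() {
    sed -n 's/^Server time offset: *\(-\{0,1\}[0-9][0-9]*\).*/\1/p'
}

# Succeed when the offset in $1 (may be negative) is within MAX_SKEW.
skew_ok() {
    off=$1
    [ "$off" -lt 0 ] && off=$(( 0 - off ))
    [ "$off" -le "$MAX_SKEW" ]
}

# Print the distinct KVNOs found in a klist -ke listing read from stdin.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -un
}

# Succeed when the keytab listing in $2 contains the KVNO given in $1.
keytab_has_kvno() {
    printf '%s\n' "$2" | keytab_kvnos | grep -qx "$1"
}

# Stand-alone run over the constructed samples.
off=$(printf '%s\n' "$NET_ADS_INFO" | time_offset)
skew_ok "$off" && echo "offset ${off}s within ${MAX_SKEW}s" || echo "offset ${off}s too large"
keytab_has_kvno 3 "$KEYTAB_LISTING" && echo "keytab has kvno 3" || echo "keytab lacks kvno 3"
```

If the keytab lacks the KVNO the DC reports, re-running the join or refreshing the keytab is the usual fix; if the offset exceeds the tolerance, fix NTP first.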