[Samba] Domain admin can't access share on samba dm-server

L.P.H. van Belle belle at bazuin.nl
Wed Dec 29 14:07:50 UTC 2021


First...

Use FQDNs in your shares.
Server 2019 (guest access in SMB2 and SMB3 is disabled by default in Windows):
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default


klist -ke shows? Can you show the full output. 

For cifs (and nfs) you need the SPN in this format:
cifs/hostname.internal.domain.tld@REALM.TLD
(net ads adds the REALM part automatically)

If your host is using a CNAME for cifs then you also need to add
cifs/cname.internal.domain.tld@REALM.TLD

And it's really advised to give these servers a PTR record.

How I do it.
And ALWAYS back up your krb5.keytab file first.
Don't know why, but sometimes (in my case) the KVNO is off.
When that happens I restore the original keytab file.

cp /etc/krb5.keytab{,.backup}
kinit Administrator
net ads keytab add_update_ads cifs/$(hostname -f)

Removing wrong entries I do like this, and maybe
someone has better ideas on this; please add them.

!! MAKE THAT BACKUP FIRST !! 
ktutil
rkt /etc/krb5.keytab
? For help. 
wkt /etc/krb5.keytab.new 

cp /etc/krb5.keytab.new  /etc/krb5.keytab

!! If you write the keytab as shown above directly into /etc/krb5.keytab,
you get everything doubled.

When you use delent <nr> and you have entries 1-40, let's say entries 21 to 40 are wrong:
delent 21  << the only one you need. Just repeat it until they are all gone.

Hope this helped a bit. 

PS. I'm picky but...
>	idmap config buero:range = 10000-99999
> 	idmap config buero:backend = rid 

buero should be BUERO

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou 
Points to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nbte/6f06fa0e-1dc4-4c41-accb-355aaf20546d
Quote from that last page: "NetBIOS names are inherently case-sensitive."



Greetz, 

Louis

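An added example (not from this thread, and not Samba's own code) that applies the checklist above to `klist -ke` output in Python: it parses the entries, flags a cifs/ SPN that exists in more than one spelling, reports a missing FQDN SPN, and reports kvnos that differ from the one the client presented in the smbd log. The sample output, the host name pre01svdeb01.mydom.at and the expected kvno 5 are constructed from the thread.

```python
import re
from collections import defaultdict

# One MIT `klist -ke` entry: "   2 cifs/host@REALM (aes256-cts-hmac-sha1-96)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s+\((\S+)\)\s*$")

# Constructed sample mirroring the thread: the short-name cifs SPN is present in
# two case variants (kvno 2) and there is no FQDN cifs SPN at all.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
"""

def parse_klist(text):
    """Return (kvno, service, host, realm, enctype) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvno, service, host, realm, enctype = m.groups()
            entries.append((int(kvno), service, host, realm, enctype))
    return entries

def audit_cifs_spns(text, fqdn, realm, expected_kvno=None):
    """Check the cifs/ SPNs in klist -ke output for the problems raised in the thread.

    Kerberos principal names are case-sensitive, so cifs/HOST and cifs/host are two
    different keys, and a key with the wrong kvno cannot decrypt the client's ticket.
    """
    cifs = [e for e in parse_klist(text) if e[1] == "cifs" and e[3] == realm]
    spellings = defaultdict(set)
    for _, _, host, _, _ in cifs:
        spellings[host.lower()].add(host)
    return {
        # same host in more than one spelling: duplicate entries to clean up in ktutil
        "case_variants": {k: sorted(v) for k, v in spellings.items() if len(v) > 1},
        # no cifs/<fqdn>@REALM entry: add it with net ads keytab add_update_ads
        "missing_fqdn": not any(h == fqdn for _, _, h, _, _ in cifs),
        # kvnos in the keytab that differ from the one the client presented (smbd log)
        "kvno_mismatch": sorted({e[0] for e in cifs
                                 if expected_kvno is not None and e[0] != expected_kvno}),
    }
```

Feed it the real output with `audit_cifs_spns(subprocess.run(["klist", "-ke"], capture_output=True, text=True).stdout, socket.getfqdn(), "MYDOM.AT", 5)` on the file server; an empty result for all three keys means the keytab matches what the client is asking for.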



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 29 December 2021 13:03
> To: samba
> Subject: [Samba] Domain admin can't access share on samba dm-server
> 
> 
> windows2019 server, logged in as domain admin
> 
> accessing \\pre01svdeb01 fails, I see this in the samba logs:
> 
> [2021/12/29 12:57:54.754005,  1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2021/12/29 12:57:54.769715,  1] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2021/12/29 12:57:54.769829,  1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
> 
> googled, tried:
> 
> # net ads keytab add_update_ads cifs/pre01svdeb01@mydom.AT -U Administrator
> 
> Doesn't help
> 
> net ads keytab list
> 
> shows multiple lines containing "cifs/pre01svdeb01@mydom.AT"
> 
> also with "aes256-cts-hmac-sha1-96"
> 
> when I look closer there are 2 sets of lines, three in uppercase like:
> 
>    2  aes256-cts-hmac-sha1-96                     cifs/PRE01SVdeb01@MYDOM.AT
> 
> three in lower case:
> 
>    2  aes256-cts-hmac-sha1-96                     cifs/pre01svdeb01@MYDOM.AT
> 
> - what should I do?
> 
> This is samba Version 4.14.11-Debian.
> 
> # Global parameters
> [global]
> 	dedicated keytab file = /etc/krb5.keytab
> 	kerberos method = secrets and keytab
> 	load printers = No
> 	log file = /var/log/samba/%m.log
> 	logon home = ""
> 	logon path = ""
> 	map to guest = Bad User
> 	max log size = 150000
> 	netbios name = SERVER
> 	printcap name = /dev/null
> 	realm = MYDOM.AT
> 	security = ADS
> 	template homedir = /mnt/samba/Daten/%U
> 	template shell = /bin/bash
> 	username map = /etc/samba/smbusers
> 	winbind offline logon = Yes
> 	winbind refresh tickets = Yes
> 	winbind use default domain = Yes
> 	workgroup = BUERO
> 	full_audit:priority = notice
> 	full_audit:facility = local5
> 	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> 	full_audit:failure = connect
> 	full_audit:prefix = %u|%I|%m|%S
> 	idmap config buero:range = 10000-99999
> 	idmap config buero:backend = rid
> 	idmap config *:range = 2000-9999
> 	idmap config * : backend = tdb
> 	hosts allow = localhost 192.168.16. 172.32.99.
> 	map acl inherit = Yes
> 	printing = bsd
> 	vfs objects = acl_xattr
> 
> 
> 
> 
> 



