[Samba] Domain admin can't access share on samba dm-server
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 29 14:07:50 UTC 2021
First..
Use FQDNs in your shares.
Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
What does klist -ke show? Can you show the full output.
For cifs (and nfs) you need the SPN format like this.
cifs/hostname.internal.domain.tld@REALM.TLD
(net ads adds the REALM part automatically)
If your host is using a CNAME for cifs then you also need to add
cifs/cname.internal.domain.tld@REALM.TLD
And it's really advised to give these servers a PTR record.
How I do it.
And ALWAYS back up your krb5.keytab file first.
Don't know why sometimes (in my case) the KVNO is off.
When that happens I restore the original keytab file.
cp /etc/krb5.keytab{,.backup}
kinit Administrator
net ads keytab add_update_ads cifs/$(hostname -f)
Removing wrong entries I do like this, and maybe
someone has better ideas on this, please add it..
!! MAKE THAT BACKUP FIRST !!
ktutil
rkt /etc/krb5.keytab
? For help.
wkt /etc/krb5.keytab.new
cp /etc/krb5.keytab.new /etc/krb5.keytab
!! If you write the keytab as shown above directly into /etc/krb5.keytab
you get everything double.
When you use delent nr and you have 1-40 entries. Let's say entries 21 to 40 are wrong.
delent 21 << the only one you need.. Just repeat it until it's all gone.
Hope this helped a bit.
Ps. I'm picky but..
> idmap config buero:range = 10000-99999
> idmap config buero:backend = rid
buero should be BUERO
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
Points to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nbte/6f06fa0e-1dc4-4c41-accb-355aaf20546d
Quote from that last page: NetBIOS names are inherently case-sensitive.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 29 December 2021 13:03
> To: samba
> Subject: [Samba] Domain admin can't access share on samba dm-server
>
>
> Windows 2019 server, logged in as domain admin
>
> accessing \\pre01svdeb01 fails, I see this in the samba logs:
>
> [2021/12/29 12:57:54.754005, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
> gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2021/12/29 12:57:54.769715, 1] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2021/12/29 12:57:54.769829, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>
> googled, tried:
>
> # net ads keytab add_update_ads cifs/pre01svdeb01@mydom.AT -U Administrator
>
> Doesn't help
>
> net ads keytab list
>
> shows multiple lines containing "cifs/pre01svdeb01@mydom.AT"
>
> also with "aes256-cts-hmac-sha1-96"
>
> when I look closer there are 2 sets of lines, three in uppercase like:
>
> 2 aes256-cts-hmac-sha1-96 cifs/PRE01SVdeb01@MYDOM.AT
>
> three in lower case:
>
> 2 aes256-cts-hmac-sha1-96 cifs/pre01svdeb01@MYDOM.AT
>
> - what should I do?
>
> This is Samba version 4.14.11-Debian.
>
> # Global parameters
> [global]
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> load printers = No
> log file = /var/log/samba/%m.log
> logon home = ""
> logon path = ""
> map to guest = Bad User
> max log size = 150000
> netbios name = SERVER
> printcap name = /dev/null
> realm = MYDOM.AT
> security = ADS
> template homedir = /mnt/samba/Daten/%U
> template shell = /bin/bash
> username map = /etc/samba/smbusers
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = BUERO
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:failure = connect
> full_audit:prefix = %u|%I|%m|%S
> idmap config buero:range = 10000-99999
> idmap config buero:backend = rid
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
> hosts allow = localhost 192.168.16. 172.32.99.
> map acl inherit = Yes
> printing = bsd
> vfs objects = acl_xattr
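The two things this thread turns on are a keytab that carries the same SPN under several spellings and a ticket whose KVNO/enctype is not in the keytab at all (the "Failed to find ... (kvno 5) in keytab" line). Below is an added example, not code from Louis's post, Stefan's post or Samba itself, that parses the text `net ads keytab list` or `klist -ke` prints, flags case-variant duplicates, and tells you which of the two cases a gse.c error line is reporting. The sample listing and log line are constructed for the demo; the hostname, realm and kvno values in them are placeholders.

```python
"""Check a Kerberos keytab listing for case-variant SPNs and KVNO/enctype gaps.

Added example (not from the mailing-list thread or Samba). Reads the output of
`net ads keytab list` (Vno / Type / Principal columns) or `klist -ke`
(KVNO  principal (enctype)); the sample data below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    enctype: str
    principal: str


# `net ads keytab list` data line: "  2  aes256-cts-hmac-sha1-96  cifs/host@REALM"
_NET_ADS = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")
# `klist -ke` data line: "   2 cifs/host@REALM (aes256-cts-hmac-sha1-96)"
_KLIST = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((\S+)\)\s*$")
# Samba gse.c complaint: "Failed to find <principal>(kvno N) in keytab <name> (<enctype>)"
_LOGMSG = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab .*\((\S+)\)")


def parse_keytab_listing(text):
    """One KeytabEntry per data line; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _NET_ADS.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = _KLIST.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(3), m.group(2)))
    return entries


def case_collisions(entries):
    """Principals (lower-cased key) that appear under more than one spelling."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.principal.lower()].add(e.principal)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def wanted_from_log(line):
    """(principal, kvno, enctype) the client ticket needed, from a gse.c error line."""
    m = _LOGMSG.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def diagnose(entries, principal, kvno, enctype):
    """Say whether the exact key is present and, if not, what the closest miss is."""
    if any((e.principal, e.kvno, e.enctype) == (principal, kvno, enctype) for e in entries):
        return "present"
    same_name = sorted({e.kvno for e in entries if e.principal == principal})
    if same_name:
        # Right SPN, wrong version: the KDC issued a ticket against a newer key
        # than the keytab holds (the "KVNO is off" situation in the thread).
        return f"kvno mismatch: keytab has kvno {same_name} for {principal}, ticket needs {kvno}"
    variants = sorted({e.principal for e in entries if e.principal.lower() == principal.lower()})
    if variants:
        # Kerberos principal names are case-sensitive; a differently-cased
        # copy of the SPN does not satisfy the lookup.
        return "only case-variant spellings present: " + ", ".join(variants)
    return "principal absent"


# Constructed sample data (placeholder host/realm, not from the original post).
SAMPLE_LISTING = """\
Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  cifs/FILESRV01@EXAMPLE.TLD
  2  aes128-cts-hmac-sha1-96  cifs/FILESRV01@EXAMPLE.TLD
  2  aes256-cts-hmac-sha1-96  cifs/filesrv01@EXAMPLE.TLD
  2  aes256-cts-hmac-sha1-96  cifs/filesrv01.example.tld@EXAMPLE.TLD
  3  aes256-cts-hmac-sha1-96  host/filesrv01.example.tld@EXAMPLE.TLD
"""
SAMPLE_LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
              "Failed to find cifs/filesrv01.example.tld@EXAMPLE.TLD(kvno 5) in keytab "
              "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")

if __name__ == "__main__":
    ents = parse_keytab_listing(SAMPLE_LISTING)
    for key, spellings in case_collisions(ents).items():
        print(f"case-variant duplicates for {key}: {spellings}")
    want = wanted_from_log(SAMPLE_LOG)
    print(diagnose(ents, *want))
```

Run it against real output with `net ads keytab list | python3 keytab_check.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`; a "kvno mismatch" result is the case where re-running `net ads keytab add_update_ads` (or restoring the backed-up keytab) is the fix, while "only case-variant spellings present" points at the ktutil clean-up Louis describes.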