[Samba] samba-4.18.6: keytab issues

Stefan G. Weichinger lists at xunil.at
Wed Sep 27 11:20:37 UTC 2023


Yes, I google all around ...

Debian 12.1, samba-4.18.6 from backports, AD-member server / fileserver.

Customer tells me they have issues with accessing software on a share 
called "myprog" (see below).

keytab issues logged, maybe related maybe not

Tried things around flushing and "net ads keytab" ...

Access as domain admin (trying to check the share from "computer 
management" on a Windows server) fails as well. Although there is this 
parameter "min domain uid = 0" in smb.conf. I don't see it in the output 
of "samba-tool testparm" below.



# smb.conf

# Global parameters
[global]
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	log file = /var/log/samba/%m.log
	log level = 2
	logon home = ""
	logon path = ""
	map to guest = Bad User
	max log size = 150000
	netbios name = SERVER
	printcap name = /dev/null
	realm = MYDOM.AT
	security = ADS
	template homedir = /mnt/samba/Daten/%U
	template shell = /bin/bash
	username map = /etc/samba/smbusers
	winbind nss info = template
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = BUERO
	full_audit:priority = notice
	full_audit:facility = local5
	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
	full_audit:failure = connect
	full_audit:prefix = %u|%I|%m|%S
	idmap config buero:range = 10000-99999
	idmap config buero:backend = rid
	idmap config *:range = 2000-9999
	idmap config *:backend = tdb
	hosts allow = localhost 192.168.16. 172.32.99.
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr


### the relevant share


[myprog]
	comment = xy-Programme
	guest ok = Yes
	path = /mnt/samba/xy
	read only = No
	acl_xattr:ignore system acls = yes



### log entries


[2023/09/27 13:04:24.906003,  1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2023/09/27 13:04:24.941867,  1] ../../source3/librpc/crypto/gse.c:712(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]

### klist

# net ads keytab list
Vno  Type                                        Principal
  2  aes128-cts-hmac-sha1-96                     cifs/PRE01SVDEB01@mydom.AT
  2  arcfour-hmac-md5                            cifs/PRE01SVDEB01@mydom.AT
  2  aes256-cts-hmac-sha1-96                     cifs/SERVER@mydom.AT
  2  aes256-cts-hmac-sha1-96                     cifs/PRE01SVDEB01@mydom.AT
  2  aes128-cts-hmac-sha1-96                     cifs/server.mydom.at@mydom.AT
  2  aes128-cts-hmac-sha1-96                     cifs/SERVER@mydom.AT
  2  arcfour-hmac-md5                            cifs/server.mydom.at@mydom.AT
  2  arcfour-hmac-md5                            cifs/SERVER@mydom.AT
  2  aes256-cts-hmac-sha1-96                     cifs/server.mydom.at@mydom.AT
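
Added example, not part of the original post and not Samba code: a Python check that takes the "Failed to find ... in keytab" log line and the "net ads keytab list" output and reports which part of the lookup (principal, enctype or kvno) has no matching entry. The sample input is constructed from the values shown above, assuming the archive's " at " stands for "@"; the function names and the case-insensitive principal comparison are assumptions of this example.

```python
import re

# Constructed sample input, modelled on the log line and keytab listing in the post.
LOG_LINE = (
    "gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
    "Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab "
    "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")
KEYTAB_LIST = """\
Vno  Type                                        Principal
  2  aes128-cts-hmac-sha1-96                     cifs/PRE01SVDEB01@mydom.AT
  2  arcfour-hmac-md5                            cifs/PRE01SVDEB01@mydom.AT
  2  aes256-cts-hmac-sha1-96                     cifs/PRE01SVDEB01@mydom.AT
  2  aes256-cts-hmac-sha1-96                     cifs/SERVER@mydom.AT
"""

MISS_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab \S+ \(([^)]+)\)")

def parse_missing_key(line):
    """Return (principal, kvno, enctype) that the acceptor looked for, or None."""
    m = MISS_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def parse_keytab_list(text):
    """Parse 'net ads keytab list' output into (kvno, enctype, principal) tuples."""
    entries = []
    for row in text.splitlines():
        parts = row.split()
        if len(parts) == 3 and parts[0].isdigit():  # skips the header row
            entries.append((int(parts[0]), parts[1], parts[2]))
    return entries

def diagnose(missing, entries):
    """Name the first field of the lookup that has no match in the keytab."""
    principal, kvno, enctype = missing
    # Assumption: compare names case-insensitively, since log and listing differ in case.
    same_princ = [e for e in entries if e[2].lower() == principal.lower()]
    if not same_princ:
        return "principal missing"
    same_enc = [e for e in same_princ if e[1] == enctype]
    if not same_enc:
        return "enctype missing"
    have = sorted({e[0] for e in same_enc})
    if kvno in have:
        return "key present"
    return f"kvno mismatch: ticket uses {kvno}, keytab has {have}"

if __name__ == "__main__":
    print(diagnose(parse_missing_key(LOG_LINE), parse_keytab_list(KEYTAB_LIST)))
```
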



