[Samba] samba-4.18.6: keytab issues
Stefan G. Weichinger
lists at xunil.at
Wed Sep 27 11:20:37 UTC 2023
Yes, I google all around ...
Debian 12.1, samba-4.18.6 from backports, AD-member server / fileserver.
Customer tells me they have issues with accessing software on a share
called "myprog" (see below).
keytab issues logged, maybe related, maybe not.
Tried things around flushing and "net ads keytab" ...
Access as domain admin (trying to check the share from "computer
management" on a Windows server) fails as well. Although there is this
parameter "min domain uid = 0" in smb.conf. I don't see it in the output
of "samba-tool testparm" below.
# smb.conf
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
log level = 2
logon home = ""
logon path = ""
map to guest = Bad User
max log size = 150000
netbios name = SERVER
printcap name = /dev/null
realm = MYDOM.AT
security = ADS
template homedir = /mnt/samba/Daten/%U
template shell = /bin/bash
username map = /etc/samba/smbusers
winbind nss info = template
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = BUERO
full_audit:priority = notice
full_audit:facility = local5
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:failure = connect
full_audit:prefix = %u|%I|%m|%S
idmap config buero:range = 10000-99999
idmap config buero:backend = rid
idmap config *:range = 2000-9999
idmap config *:backend = tdb
hosts allow = localhost 192.168.16. 172.32.99.
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
### the relevant share
[myprog]
comment = xy-Programme
guest ok = Yes
path = /mnt/samba/xy
read only = No
acl_xattr:ignore system acls = yes
### log entries
[2023/09/27 13:04:24.906003, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2023/09/27 13:04:24.941867, 1] ../../source3/librpc/crypto/gse.c:712(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01 at mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
### klist
# net ads keytab list
Vno Type Principal
2 aes128-cts-hmac-sha1-96 cifs/PRE01SVDEB01 at mydom.AT
2 arcfour-hmac-md5 cifs/PRE01SVDEB01 at mydom.AT
2 aes256-cts-hmac-sha1-96 cifs/SERVER at mydom.AT
2 aes256-cts-hmac-sha1-96 cifs/PRE01SVDEB01 at mydom.AT
2 aes128-cts-hmac-sha1-96 cifs/server.mydom.at at mydom.AT
2 aes128-cts-hmac-sha1-96 cifs/SERVER at mydom.AT
2 arcfour-hmac-md5 cifs/server.mydom.at at mydom.AT
2 arcfour-hmac-md5 cifs/SERVER at mydom.AT
2 aes256-cts-hmac-sha1-96 cifs/server.mydom.at at mydom.AT
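
Added example, not part of the original post and not Samba code: a Python check that compares the principal, encryption type and kvno named in the `gss_accept_sec_context` failure with the rows of `net ads keytab list`, and reports which of the three the listing lacks. The sample input is constructed from the log and listing above; the function names and the case-insensitive name comparison are assumptions.

```python
import re

# Constructed sample input: the log message and four keytab rows from the post,
# unwrapped, keeping the list archive's " at " in place of "@".
LOG_LINE = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
            "Failed to find cifs/pre01svdeb01 at mydom.AT(kvno 5) in keytab "
            "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")
KEYTAB_LIST = """Vno Type Principal
2 aes128-cts-hmac-sha1-96 cifs/PRE01SVDEB01 at mydom.AT
2 arcfour-hmac-md5 cifs/PRE01SVDEB01 at mydom.AT
2 aes256-cts-hmac-sha1-96 cifs/SERVER at mydom.AT
2 aes256-cts-hmac-sha1-96 cifs/PRE01SVDEB01 at mydom.AT
"""

MISS_RE = re.compile(r"Failed to find (\S+?)(?: at |@)(\S+?)\(kvno (\d+)\) "
                     r"in keytab \S+ \(([^)]+)\)")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+?)(?: at |@)(\S+)\s*$")


def parse_miss(line):
    """Return (principal, realm, kvno, enctype) from a gse.c keytab-miss message."""
    m = MISS_RE.search(line)
    if m is None:
        return None
    # Assumption: compare names case-insensitively, since log and listing differ in case.
    return m.group(1).lower(), m.group(2).lower(), int(m.group(3)), m.group(4)


def parse_keytab(text):
    """Return [(kvno, enctype, principal, realm)] from `net ads keytab list` output."""
    rows = (ROW_RE.match(line) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4).lower())
            for m in rows if m]


def diagnose(log_line, keytab_text):
    """Classify the miss: which part of (principal, enctype, kvno) the keytab lacks."""
    miss = parse_miss(log_line)
    if miss is None:
        return ("no-keytab-miss", None, [])
    principal, realm, want_kvno, enctype = miss
    same_name = [e for e in parse_keytab(keytab_text) if e[2:] == (principal, realm)]
    if not same_name:
        return ("principal-missing", want_kvno, [])
    have = sorted({e[0] for e in same_name if e[1] == enctype})
    if not have:
        return ("enctype-missing", want_kvno, [])
    return ("ok" if want_kvno in have else "kvno-mismatch", want_kvno, have)
```

For the sample input, `diagnose(LOG_LINE, KEYTAB_LIST)` returns `("kvno-mismatch", 5, [2])`: the principal and encryption type are listed, but only with kvno 2.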