[Samba] cannot access to linux share from windows

Thu Dec 1 11:21:05 UTC 2016

On Thu, 1 Dec 2016 11:58:00 +0100
Fujisan via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I have upgraded a client and a freeipa server from Fedora 24 to 25
> recently. And I cannot access linux shares located on the F25 client
> from a windows desktop.
> 
> I get these messages:
> 
> [2016/12/01 11:42:19.218759,  1]
> ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>   ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab
> failed (Key table name malformed)
> [2016/12/01 11:42:19.218800,  1]
> ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>   ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem
> keytab
> - -1765328205
> [2016/12/01 11:42:19.218823,  1]
> ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>   Failed to start GENSEC server mech gse_krb5:
> NT_STATUS_INTERNAL_ERROR [2016/12/01 11:42:19.261611,  1]
> ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>   ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab
> failed (Key table name malformed)
> [2016/12/01 11:42:19.261638,  1]
> ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>   ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem
> keytab
> - -1765328205
> [2016/12/01 11:42:19.261653,  1]
> ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>   Failed to start GENSEC server mech gse_krb5:
> NT_STATUS_INTERNAL_ERROR [2016/12/01 11:42:19.263330,  2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [smith] -> [smith]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2016/12/01 11:42:19.263380,  2]
> ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2016/12/01 11:42:19.270531,  1]
> ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>   ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab
> failed (Key table name malformed)
> [2016/12/01 11:42:19.270562,  1]
> ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>   ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem
> keytab
> - -1765328205
> [2016/12/01 11:42:19.270586,  1]
> ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>   Failed to start GENSEC server mech gse_krb5:
> NT_STATUS_INTERNAL_ERROR [2016/12/01 11:42:19.313479,  1]
> ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>   ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab
> failed (Key table name malformed)
> [2016/12/01 11:42:19.313506,  1]
> ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>   ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem
> keytab
> - -1765328205
> [2016/12/01 11:42:19.313523,  1]
> ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>   Failed to start GENSEC server mech gse_krb5:
> NT_STATUS_INTERNAL_ERROR [2016/12/01 11:42:19.315256,  2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [smith] -> [smith]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2016/12/01 11:42:19.315291,  2]
> ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> 
> Also from the F25 server, I have the following when I run smbclient
> 
> # smbclient -k -L f25desktop.mydomain
> lp_load_ex: changing to config backend registry
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> But if i run it with a F24 desktop, it works:
> 
> # smbclient -k -L f24desktop.mydomain
> lp_load_ex: changing to config backend registry
> Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.7]
> 
>     Sharename       Type      Comment
>     ---------       ----      -------
>     IPC$            IPC       IPC Service (Samba Server Version 4.4.7)
>     data            Disk      /data on f24desktop
>     data2           Disk      /data2 on f24desktop
>     data3           Disk      /data3 on f24desktop
>     backup          Disk      /backup on f24desktop
> [...]
> 
> 
> net conf list on the f25desktop gives:
> 
> # net conf list
> [global]
>     workgroup = MYDOMAIN
>     realm = MYDOMAIN
>     netbios name = F25SERVER
>     server string = Samba Server Version %v
>     kerberos method = dedicated keytab
>     dedicated keytab file = FILE:/etc/samba/samba.keytab
>     log file = /var/log/samba/log.%m
>     rpc_server:epmapper = external
>     rpc_server:lsarpc = external
>     rpc_server:lsass = external
>     rpc_server:lsasd = external
>     rpc_server:samr = external
>     rpc_server:netlogon = external
>     rpc_server:tcpip = yes
>     rpc_daemon:epmd = fork
>     rpc_daemon:lsasd = fork
>     security = user
>     map untrusted to domain = Yes
>     smb ports = 139 445
>     log level = 2
> 
> [data]
>     comment = /data/beauduin on f25desktop
>     path = /data/smith
>     create mask = 0644
>     read only = no
> 
> [data2]
>     comment = /data2/beauduin on f25desktop
>     path = /data2/smith
>     create mask = 0644
>     read only = no
> 
> [data3]
>     comment = /data3 on f25desktop
>     path = /data3/smith
>     create mask = 0644
>     read only = no
> 
> [backup]
>     comment = /backup on f25desktop
>     path = /backup
>     read only = no
> 
> 
> on the F25 server and desktop, i have the following packages
> installed:
> 
> samba-4.5.1-1.fc25.x86_64
> samba-client-4.5.1-1.fc25.x86_64
> samba-client-libs-4.5.1-1.fc25.x86_64
> samba-common-4.5.1-1.fc25.noarch
> samba-common-libs-4.5.1-1.fc25.x86_64
> samba-common-tools-4.5.1-1.fc25.x86_64
> samba-libs-4.5.1-1.fc25.x86_64
> samba-python-4.5.1-1.fc25.x86_64
> samba-test-4.5.1-1.fc25.x86_64
> samba-test-libs-4.5.1-1.fc25.x86_64
> samba-winbind-4.5.1-1.fc25.x86_64
> samba-winbind-clients-4.5.1-1.fc25.x86_64
> samba-winbind-krb5-locator-4.5.1-1.fc25.x86_64
> samba-winbind-modules-4.5.1-1.fc25.x86_64
> system-config-samba-1.2.100-5.fc24.noarch
> system-config-samba-docs-1.0.9-9.fc24.noarch
> 
> Any idea what is wrong?
> 
> Regards,
> Fuji

The default value for 'ntlm auth' got changed from
'yes' to 'no' from Samba 4.5.0. Could this be your problem ?

Rowland