[Samba] Failed to find cifs/foo.bar in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

[Jeremy Allison]

On Thu, Sep 29, 2016 at 05:04:24PM +0500, Eugene M. Zheganin via samba wrote:
> Hi.
> 
> I'm using Samba 4.3.11 as a domain member on FreeBSD 10.x.
> 
> Some of my users (around 1%) are experiencing problems from time to
> time, browsing this server's shares in Windows Explorer - it starts to
> ask for the password. It doesn't ask the password while accesssing it
> via it's IP address, and I see in its logs the following (when accessing
> it via its name):

When you access via IP then it's using NTLM so you
don't get the krb5 issue you're seeing here.

> [2016/09/20 10:54:31.451826,  1]
> ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/wd.norma.com at NORMA.COM(kvno 2) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> 
> (yup, I know norma.com isn't legitimate, but it's internal domain name).
> 
> How can I debug and solve this ?
> norma.com is resolving from this machine, so does wd.norma.com. AD
> controller shows the cifs/wd.norma.com at NORMA.COM is mapped to the wd
> machine (it wasn't, I mapped it by hand, but nothing changed).
> 
> I googled this issue a bit, but didn't find any appropriate solution.
> I'm not using a dedicated keytab for samba (I tried once, to solve this
> issue as was proposed in some article, but it made things even worse).

Oh I've been trying to track down THIS EXACT ISSUE this week
up at Microsoft !!!!! (But I can't get it to reproduce).

It seems to be when winbindd is changing the machine password.

As a work-around you can try setting "machine password timeout = 0"
to prevent winbindd changing the password.