[Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED

Oliver Werner oliver.werner at kontrast.de
Fri Sep 30 10:24:25 UTC 2016


Hi Louis,

I have checked my /var/tmp.

But there is nothing like host_ or anything else for Kerberos inside.

ls -lisa /var/tmp/
 2  4 drwxrwxrwt  3 root root  4096 Sep 25 08:39 .
 2  4 drwxr-xr-x 13 root root  4096 Jun 20  2013 ..
11 16 drwx------  2 root root 16384 Aug  9  2012 lost+found


In /tmp I can see 4 krb5cc files for users that have used Kerberos on this member. So this looks OK between client and file server, but not between member and DC.

To recreate the keytab, can I use this manual?
https://wiki.samba.org/index.php/Generating_Keytabs



OLIVER WERNER
Systemadministrator



> On 30.09.2016 at 09:17, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> 
> Hi Oliver,
> 
> Yes, that's also pretty standard.
> 
> On this question.
> 
>> That's the only Kerberos cache file in /tmp right now.
>> Looks like Kerberos does not renew the ticket :(?
> 
> Do you have something like this? (Look in /var/tmp.)
> 
> These are the tickets generated by the server.
> 
> -rw-------  1 root  root   488 Sep 27 10:05 host_0
> -rw-------  1 proxy proxy 9646 Sep 30 09:05 HTTP_13
> 
> Obviously my proxy server ;-)
> 
> Can you check?
> 
> You can have a peek in these files. (On Debian jessie, this is.)
> 
> You can try recreating your keytab file and set “may delegate kerberos” on the computer account first.
> 
> And see what happens.
> 
> I’ll have a good look at your logs a bit later, people here need help..
> 
> Greetz,
> 
> Louis
> 
> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> Sent: Friday, 30 September 2016 9:03
> To: Oliver Werner
> CC: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
> 
> Hi,
> 
> Now I have changed the realm from hq.kontrast to HQ.KONTRAST.
> 
> Restarted samba and winbind on all DCs and members.
> 
> But that's the same issue. Lost connection to DCs and need to restart winbind on my member.
> 
> My DCs also have the krb.conf like this. Is it correct?
> 
> [libdefaults]
>   default_realm = HQ.KONTRAST
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
> 
> OLIVER WERNER
> Systemadministrator
> 
> On 28.09.2016 at 16:08, Oliver Werner via samba <samba at lists.samba.org> wrote:
> 
> Hi Louis,
> 
> Thanks for your feedback.
> 
> My krb.conf looks like:
> 
> [libdefaults]
>   default_realm = HQ.KONTRAST
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
> 
> So I will now change it to upper case in smb.conf and check this.
> 
> Thx
> OLIVER WERNER
> Systemadministrator
> 
> On 28.09.2016 at 16:05, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> 
> Hi Oliver,
> 
> If your config is still the same as I found in the list.
> 
> On the member server, in smb.conf
> Change : realm = hq.kontrast
> To     : realm = HQ.KONTRAST
> 
> And what's in the krb5.conf of the member server?
> 
> Greetz,
> 
> Louis
> 
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner via samba
> Sent: Wednesday, 28 September 2016 15:54
> To: Oliver Werner
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
> 
> Any ideas what I can test to fix the problem with Kerberos…?
> 
> On 27.09.2016 at 09:05, Oliver Werner via samba <samba at lists.samba.org> wrote:
> 
> Hi Rowland,
> 
> I have tested unjoining and joining the member again. But that does not look better :/. Any ideas?
> 
> Best wishes
> OLIVER WERNER
> Systemadministrator
> 
> On 23.09.2016 at 14:38, Oliver Werner via samba <samba at lists.samba.org> wrote:
> 
> Yes, the file /etc/krb5.keytab exists.
> 
> You mean these lines?
> 
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    winbind refresh tickets = yes
> 
> There were edits when I joined the system.
> OLIVER WERNER
> Systemadministrator
> 
> On 23.09.2016 at 08:55, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Fri, 23 Sep 2016 07:25:40 +0200
> Oliver Werner <oliver.werner at kontrast.de> wrote:
> 
> Hi,
> 
> Now, after 10 hours, my Samba has had the next crash and I need to restart
> winbind.
> 
> Here are the klist/kinit:
> 
> # before kinit
> pl0024:~# klist
> klist: Credentials cache file '/tmp/krb5cc_0' not found
> pl0024:~# kinit Administrator
> Password for Administrator at HQ.KONTRAST:
> pl0024:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at HQ.KONTRAST
> 
> Valid starting       Expires              Service principal
> 23.09.2016 07:21:04  23.09.2016 17:21:04  krbtgt/HQ.KONTRAST at HQ.KONTRAST
>         renew until 24.09.2016 07:20:56
> 
> That's the only Kerberos cache file in /tmp right now.
> 
> Looks like Kerberos does not renew the ticket :(?
> OLIVER WERNER
> Systemadministrator
> 
> 
> Failing after 10hrs is very probably Kerberos related, you should have
> a Kerberos cache in /tmp for the machine. Does /etc/krb5.keytab exist?
> 
> Did you have the Kerberos lines in smb.conf when you joined the
> machine?
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 
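
The two checks discussed in the thread above, as an added example that is not code from any participant or from the Samba project: it parses klist output to get the ticket lifetime (to compare with the 10-hour failure interval) and compares the smb.conf realm with the krb5.conf default_realm, which must match exactly because Kerberos realm names are case-sensitive. The function names are hypothetical and the sample inputs are constructed from the values quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample inputs, modelled on the values quoted in this thread.
KLIST_OUTPUT = """\
Default principal: Administrator@HQ.KONTRAST
Valid starting       Expires              Service principal
23.09.2016 07:21:04  23.09.2016 17:21:04  krbtgt/HQ.KONTRAST@HQ.KONTRAST
\trenew until 24.09.2016 07:20:56
"""
SMB_CONF = "[global]\n   realm = hq.kontrast\n   winbind refresh tickets = yes\n"
KRB5_CONF = "[libdefaults]\n  default_realm = HQ.KONTRAST\n  dns_lookup_kdc = true\n"
STAMP = r"(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})"
FMT = "%d.%m.%Y %H:%M:%S"  # date layout used by the klist output in the thread


def parse_klist(text):
    """Return one dict per ticket: service, start, end, hours, renew_until."""
    tickets = []
    for line in text.splitlines():
        entry = re.match(rf"{STAMP}\s+{STAMP}\s+(\S+)", line)
        renew = re.match(rf"\s+renew until {STAMP}", line)
        if entry:
            start, end = (datetime.strptime(entry.group(i), FMT) for i in (1, 2))
            tickets.append({"service": entry.group(3), "start": start, "end": end,
                            "hours": (end - start).total_seconds() / 3600,
                            "renew_until": None})
        elif renew and tickets:
            # The indented "renew until" line belongs to the ticket above it.
            tickets[-1]["renew_until"] = datetime.strptime(renew.group(1), FMT)
    return tickets


def get_option(conf_text, section, key):
    """Read 'key = value' from an ini-style section (names compared lower-cased)."""
    current = None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line and line[0] not in "#;":
            name, value = (part.strip() for part in line.split("=", 1))
            if name.lower() == key:
                return value
    return None


def realm_mismatch(smb_conf, krb5_conf):
    """True if smb.conf 'realm' is not identical to krb5.conf 'default_realm'."""
    return (get_option(smb_conf, "global", "realm")
            != get_option(krb5_conf, "libdefaults", "default_realm"))
```
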


