[Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED

L.P.H. van Belle belle at bazuin.nl
Fri Sep 30 11:47:58 UTC 2016


For recreating the keytab on the member:

Back up the old keytab.

And I use: net ads keytab create -U administrator

After recreating, check the content.

klist -kt /etc/krb5.keytab

Then reboot the server to make sure everything is freshly loaded.

And can you set in the member smb.conf

    server signing = mandatory
    ntlm auth = no

or do you really need ntlm_auth = yes

And a tip.

On the client, change the interface bind and see if that helps.

    interfaces = 192.168.x.x 127.0.0.1
    bind interfaces only = yes

This is how I run all my clients; I had problems with interface names.

Some time ago, but this always works so I kept it.

 

 

Greetz, 

 

Louis
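
The smb.conf and krb5.conf settings suggested in this message and in the quoted thread below can be checked mechanically. The script is an added example, not part of the original mail or of Samba; the function names, file names and sample files are constructed, and counting each suggestion from the thread as a finding is an assumption of this example.

```shell
#!/bin/sh
# Added example; the sample files are constructed from settings quoted in the thread.

# Print the value of "name = value" from an smb.conf/krb5.conf style file.
conf_param() {  # $1 = file, $2 = parameter name in lower case
    awk -v want="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# Print one line per finding; the return status is the number of findings.
check_member() {  # $1 = smb.conf, $2 = krb5.conf
    n=0
    realm=$(conf_param "$1" "realm")
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "realm '$realm' is not upper case"; n=$((n + 1)); }
    [ "$upper" = "$(conf_param "$2" "default_realm")" ] ||
        { echo "realm does not match krb5.conf default_realm"; n=$((n + 1)); }
    case $(conf_param "$1" "kerberos method") in
        *keytab*) ;;
        *) echo "kerberos method does not use a keytab"; n=$((n + 1)) ;;
    esac
    [ "$(conf_param "$1" "server signing")" = "mandatory" ] ||
        { echo "server signing is not mandatory"; n=$((n + 1)); }
    [ "$(conf_param "$1" "ntlm auth")" = "no" ] ||
        { echo "ntlm auth is not set to no"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample files: the member's settings before and after the advice.
make_samples() {  # $1 = directory to write into
    printf '[libdefaults]\n  default_realm = HQ.KONTRAST\n' > "$1/krb5.conf"
    printf '[global]\n   realm = hq.kontrast\n   kerberos method = secrets and keytab\n' \
        > "$1/smb.before.conf"
    printf '[global]\n   realm = HQ.KONTRAST\n   kerberos method = secrets and keytab\n' \
        > "$1/smb.after.conf"
    printf '   server signing = mandatory\n   ntlm auth = no\n' >> "$1/smb.after.conf"
}

dir=$(mktemp -d)
make_samples "$dir"
check_member "$dir/smb.before.conf" "$dir/krb5.conf" || echo "findings: $?"
check_member "$dir/smb.after.conf" "$dir/krb5.conf" && echo "no findings"
```

On a real member, pass /etc/samba/smb.conf (or wherever the distribution keeps it) and /etc/krb5.conf instead of the sample files.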

 

 

 

 

 


From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Friday 30 September 2016 12:24
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED

Hi Louis,

I have checked my /var/tmp

But there is nothing like host_ or other for Kerberos inside.

ls -lisa /var/tmp/
 2  4 drwxrwxrwt  3 root root  4096 Sep 25 08:39 .
 2  4 drwxr-xr-x 13 root root  4096 Jun 20  2013 ..
11 16 drwx------  2 root root 16384 Aug  9  2012 lost+found

In /tmp I can see 4 krb5cc files for users who have used Kerberos on this member. So this looks OK between client and fileserver, but not between member and DC.

To recreate the keytab, can I use this manual?

https://wiki.samba.org/index.php/Generating_Keytabs

OLIVER WERNER
Systemadministrator







On 30.09.2016 at 09:17, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hi Oliver,

Yes, that's ook pretty standard.

On this question.

thats the only one kerberos cache file in /tmp right now.
looks like kerberos does not renew the ticket :(?

Do you have something like: (look in /var/tmp)

These are the tickets generated by the server.

-rw-------  1 root  root   488 Sep 27 10:05 host_0
-rw-------  1 proxy proxy 9646 Sep 30 09:05 HTTP_13

Obviously my proxy server ;-)

Can you check?

You can have a peek in these files. (This is on Debian jessie.)

You can try recreating your keytab file and set "may delegate kerberos" on the computer account first.

And see what happens.

I'll have a good look at your logs a bit later, people here need help..

Greetz,

Louis

 

 

 

 


From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Friday 30 September 2016 9:03
To: Oliver Werner
CC: L.P.H. van Belle; samba at lists.samba.org
Subject: Re: [Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED

Hi,

Now I have changed the realm from hq.kontrast to HQ.KONTRAST

Restarted Samba and winbind on all DCs and members.

But it's the same issue. Lost connection to the DCs and need to restart winbind on my member.

My DCs also have the krb.conf like this. Is it correct?

[libdefaults]
  default_realm = HQ.KONTRAST
  dns_lookup_realm = false
  dns_lookup_kdc = true

OLIVER WERNER
Systemadministrator







On 28.09.2016 at 16:08, Oliver Werner via samba <samba at lists.samba.org> wrote:

Hi Louis,

Thanks for your feedback.

My krb.conf looks like:

[libdefaults]
  default_realm = HQ.KONTRAST
  dns_lookup_realm = false
  dns_lookup_kdc = true

So I will now change it in smb.conf to upper case and check this.

Thx
OLIVER WERNER
Systemadministrator





On 28.09.2016 at 16:05, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

Hi Oliver,

If your config is still the same as I found on the list.

On the member server, in smb.conf
Change : realm = hq.kontrast
To     : realm = HQ.KONTRAST

And what's in the krb5.conf of the member server?

Greetz,

Louis





-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner via samba
Sent: Wednesday 28 September 2016 15:54
To: Oliver Werner
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED

Any ideas what I can test to fix the problem with Kerberos…?







On 27.09.2016 at 09:05, Oliver Werner via samba <samba at lists.samba.org> wrote:

Hi Rowland,

I have tested unjoining and joining the member again. But that does not look better :/. Any ideas?

Best wishes
OLIVER WERNER
Systemadministrator






On 23.09.2016 at 14:38, Oliver Werner via samba <samba at lists.samba.org> wrote:

Yes, the file /etc/krb5.keytab exists.

You mean these lines?

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = yes

There were edits when I joined the system.
OLIVER WERNER
Systemadministrator







On 23.09.2016 at 08:55, Rowland Penny via samba <samba at lists.samba.org> wrote:

On Fri, 23 Sep 2016 07:25:40 +0200
Oliver Werner <oliver.werner at kontrast.de> wrote:

Hi,

Now, after 10 hours, my Samba has had the next crash and I need to restart
winbind.

Here is the klist/kinit:

# before kinit
pl0024:~# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
pl0024:~# kinit Administrator
Password for Administrator@HQ.KONTRAST:
pl0024:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@HQ.KONTRAST

Valid starting       Expires              Service principal
23.09.2016 07:21:04  23.09.2016 17:21:04  krbtgt/HQ.KONTRAST@HQ.KONTRAST
        renew until 24.09.2016 07:20:56

That's the only Kerberos cache file in /tmp right now.

Looks like Kerberos does not renew the ticket :(?
OLIVER WERNER
Systemadministrator


Failing after 10hrs is very probably Kerberos related, you should have
a Kerberos cache in /tmp for the machine. Does /etc/krb5.keytab exist?

Did you have the Kerberos lines in smb.conf when you joined the
machine?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


