[Samba] SOLVED(I hope): Difficulties with Windows XP: failed to find cifs/fileserver.y.z at Y.Z in keytab (arcfour-hmac-md5)
rpenny at samba.org
Mon Jan 16 17:25:32 UTC 2017
On Mon, 16 Jan 2017 09:07:35 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:
> Samba - General mailing list wrote
> >> [2017/01/11 16:42:34.522067, 1]
> >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
> >> gss_accept_sec_context failed with [ Miscellaneous failure (see
> >> text): Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1)
> >> in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >> [2017/01/11 16:42:34.522095, 1]
> >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
> >> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> > Looks like: https://bugzilla.samba.org/show_bug.cgi?id=12262
> Thank you Mark
> but it doesn't feels the same to me...
> In subsequent tests I wasn't able any more even to join. The first
> time was a lucky one, woodoo.
> I discovered, that the generated smb.conf was not enough for an AD-DC.
> Despite having:
> server role = active directory domain controller
> ... the default settings for:
> domain logons = no (?)
> domain master = auto (aka equally NO)
> local master = yes
> (not specifically mentioned in the generated smb.config)
> ... where enough for Windows7 and Windows8 (?), but not for Windows XP
> After setting
> domain master = YES
> ... I could join the WindowsXP and login.
> I also added then (to be sure ;) domain logons = YES.
> This seems now to work. I'll test tomorrow joins with another clients.
> What remains, is the question, why a "server role = active directory
> domain controller" doesn't enable "domain logons" by default?
Can we see your smb.conf, the default for 'domain master' is auto and I
have never had to change it.
More information about the samba