[Samba] SOLVED (approximately?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z at Y.Z in keytab (arcfour-hmac-md5)
rawi
only4com at web.de
Tue Jan 17 11:03:28 UTC 2017
Samba - General mailing list wrote
> On Mon, 16 Jan 2017 09:07:35 -0800 (PST)
> rawi via samba <samba at .samba> wrote:
>
>> Samba - General mailing list wrote
>> >> [2017/01/11 16:42:34.522067, 1]
>> >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>> >> gss_accept_sec_context failed with [ Miscellaneous failure (see
>> >> text): Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1)
>> >> in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> >> [2017/01/11 16:42:34.522095, 1]
>> >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>> >> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> >
>> > Looks like: https://bugzilla.samba.org/show_bug.cgi?id=12262
>>
>> Thank you Mark
>>
>> but it doesn't feel the same to me...
>>
>> In subsequent tests I wasn't able to join any more at all. The first
>> time was a lucky one, voodoo.
>>
>> I discovered, that the generated smb.conf was not enough for an AD-DC.
>>
>> Despite having:
>>
>> server role = active directory domain controller
>>
>> ... the default settings for:
>>
>> domain logons = no (?)
>> domain master = auto (aka equally NO)
>> local master = yes
>>
>> (not specifically mentioned in the generated smb.conf)
>>
>> ... were enough for Windows 7 and Windows 8 (?), but not for Windows XP
>>
>> After setting
>>
>> domain master = YES
>>
>> ... I could join the Windows XP and log in.
>>
>> I also added then (to be sure ;) domain logons = YES.
>>
>> This seems to work now. I'll test joins with other clients tomorrow.
>>
>> What remains, is the question, why a "server role = active directory
>> domain controller" doesn't enable "domain logons" by default?
>>
>> Regards
>>
>> rawi
>>
>
>
> Can we see your smb.conf, the default for 'domain master' is auto and I
> have never had to change it.
>
> Rowland
Rowland, thank you
Please note the comments starting with two '#'. They give info about
erroneous behavior I encountered.
The manual says that "domain master = auto" means "NO", if "domain logons =
NO" and this is default.
Please note also the behavior of "hosts allow ... except" on the AD-DC.
Here it comes...
root at hg-dc1:/etc/samba# cat smb.conf
## Global parameters
[global]
workgroup = HUMGEN
realm = HUMGEN.0ZONE
netbios name = HG-DC1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
#dnsupdate
## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone
## and contains all I have, inclusive printer and lab devices, which are not in the domain
## all dns tests are positive and all clients get DNS
idmap_ldb:use rfc2307 = yes
dns-nameservers 127.0.0.1
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
## WITHOUT THIS no old WindowsXP will find the AD-DC to join,
## even if I've already set the IP of the wins server to the AD-DC in numerical form
## Error is, that no SRV record could be found for the domain. BUT nslookup shows manually all needed
## After the join, WindowsXP seems to stay joined and allow further login
## EVEN if I take these configs back
#domain logons = yes
#domain master = yes
#local master = yes
## hosts allow on AD-DC breaks everything.
## No more wbinfo on the DC, no more id or getent passwd on the domain member
## BUG?
#hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
## don't show the shares
browseable = no
map to guest = never
## allow no local caching of data on the client
csc policy = disable
hide unreadable = yes
hide dot files = no
## new session kills possible old connection from the same IP. Avoids lock on files by old connections
reset on zero vc = yes
[netlogon]
path = /var/lib/samba/sysvol/humgen.0zone/scripts
read only = Yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
<<<<< smb.conf AD-DC END
And now as a side note and deja vu for me, look what I wrote in the old
smb.conf (still working since 2009) for an NT domain with Samba/smbd version
3.4.0 :)
## samba accepts no new computer in the domain if this
## browse options equals NO ?!
preferred master = yes
local master = yes
domain master = yes
Regards
rawi
--
View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713549.html
Sent from the Samba - General mailing list archive at Nabble.com.
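The mail above turns on two things that are worth checking mechanically rather than by eye: the effective value of "domain master" (smb.conf(5) says "auto" resolves to yes only when "domain logons = yes", which is the rule rawi quotes), and what a "hosts allow ... EXCEPT ..." list actually admits. The following is an added example written for this page, not code from the mail or from Samba. It uses a minimal ini-style reader written here (Samba's own parser additionally matches parameter names with all whitespace ignored and resolves hostnames and netgroups, which this one does not), and the sample configuration is constructed for the example: it reproduces the DC config from the mail with the X.Y.Z placeholders replaced by the RFC 5737 documentation range 192.0.2.0/24. Lines that are not "key = value" pairs, such as the "dns-nameservers 127.0.0.1" line in the posted config, are reported as stray so they can be compared with what testparm would warn about.

```python
"""Effective browse/logon settings and 'hosts allow' evaluation for an smb.conf.

Added example for the thread above; not part of the original mail or of Samba.
The parser is a deliberately small one written for this example.
"""
import ipaddress
import re

# Constructed sample, modelled on the DC config in the mail.  Addresses use the
# RFC 5737 documentation range instead of the mail's X.Y.Z placeholders.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = HUMGEN
    realm = HUMGEN.0ZONE
    server role = active directory domain controller
    dns-nameservers 127.0.0.1
    #domain logons = yes
    #domain master = yes
    hosts allow = 192.0.2.0/255.255.255.0 localhost EXCEPT 192.0.2.123
[netlogon]
    path = /var/lib/samba/sysvol/humgen.0zone/scripts
    read only = Yes
"""


def parse_smb_conf(text):
    """Return ({section: {param: value}}, [stray lines]).

    '#' and ';' start comments.  Parameter names are lower-cased and their
    internal whitespace collapsed.  Lines without '=' are collected as stray,
    which is where a non-smb.conf directive pasted into the file ends up.
    """
    sections, stray, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            stray.append(line)
            continue
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections, stray


def _bool(value, default):
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def effective_browse_settings(glob):
    """Apply the smb.conf(5) defaults the mail discusses: 'domain logons'
    defaults to no; 'domain master = auto' (the default) follows 'domain
    logons'; 'local master' defaults to yes."""
    domain_logons = _bool(glob.get("domain logons"), False)
    dm = glob.get("domain master", "auto").strip().lower()
    domain_master = domain_logons if dm == "auto" else _bool(dm, False)
    local_master = _bool(glob.get("local master"), True)
    return {"domain logons": domain_logons,
            "domain master": domain_master,
            "local master": local_master}


def _token_matches(token, ip):
    """One 'hosts allow' token against an address: 'localhost', a dotted
    prefix ('192.0.2.'), net/mask or net/prefixlen, or a single address.
    Hostnames and @netgroups are not resolved in this example."""
    if token.lower() == "localhost":
        return ip.is_loopback
    if token.endswith("."):
        return str(ip).startswith(token)
    if "/" in token:
        return ip in ipaddress.ip_network(token, strict=False)
    return ip == ipaddress.ip_address(token)


def host_allowed(hosts_allow, client):
    """Evaluate a 'hosts allow' value: tokens before EXCEPT admit, tokens after
    it take precedence and refuse.  (smb.conf(5) also always admits the
    loopback address unless a 'hosts deny' refuses it; here only an explicit
    'localhost' token does that.)"""
    ip = ipaddress.ip_address(client)
    allowed, denied, after_except = [], [], False
    for tok in hosts_allow.replace(",", " ").split():
        if tok.upper() == "EXCEPT":
            after_except = True
        elif after_except:
            denied.append(tok)
        else:
            allowed.append(tok)
    if any(_token_matches(t, ip) for t in denied):
        return False
    return any(_token_matches(t, ip) for t in allowed)


def check_dc_config(text):
    """Summarise the points raised in the thread for one smb.conf text."""
    sections, stray = parse_smb_conf(text)
    glob = sections.get("global", {})
    report = {"server role": glob.get("server role", "").lower(),
              "stray lines": stray,
              "hosts allow": glob.get("hosts allow")}
    report.update(effective_browse_settings(glob))
    return report


if __name__ == "__main__":
    for key, val in check_dc_config(SAMPLE_SMB_CONF).items():
        print(f"{key:14} {val}")
    fixed = SAMPLE_SMB_CONF.replace("#domain logons", "domain logons")
    print("with 'domain logons = yes':",
          effective_browse_settings(parse_smb_conf(fixed)[0]["global"]))
```

Run as written, the report shows "domain master" resolving to False while "domain logons" stays commented out, and to True once "domain logons = yes" is uncommented without touching "domain master", which is the interaction the mail describes. The "hosts allow" evaluator shows the posted list admitting 192.0.2.10 and 127.0.0.1 and refusing 192.0.2.123 and anything outside the /24; whether Samba's own evaluation of the same line also blocks wbinfo on the DC, as rawi reports, is a separate question this example does not answer. On a real DC the same values can be confirmed with `testparm -s --parameter-name="domain master"`.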