[Samba] Samba 4.6.2 member server errors

Rowland Penny rpenny at samba.org
Thu Oct 26 09:11:30 UTC 2017

On Thu, 26 Oct 2017 01:09:00 -0400 (EDT)
me at tdiehl.org wrote:

> Hi,
> On Mon, 23 Oct 2017, Rowland Penny via samba wrote:
> > Unless I missed it, you have never said what OS this is.
> Centos 7.4
> > You said this is the only Unix domain member exhibiting this
> > problem, so you could try the windows fix, wipe the OS and start
> > again ;-)
> >
> > Provided you use the same smb.conf as on the other Unix domain
> > members, you should have no problems.
> > Just back everything up and leave the domain:
> > net ads leave -U Administrator
> OK, so I removed the machine from the domain, uninstalled all of the
> samba packages, cleaned up all of the tdb and ldb, etc. re-installed
> the samba packages and joined the domain.
> I am using the smb.conf I posted previously in this thread.
> That seems to have gotten rid of the original error and winbind now
> goes to sleep. However I now have a new error:
> ==> samba/ <==
> [2017/10/26 00:24:12.116588,
> 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
> gss_accept_sec_context failed with [Unspecified GSS failure.  Minor
> code may provide more information: Request ticket server
> cifs/vfs1.kmg.mydomain.com at KMG.MYDOMAIN.COM not found in keytab
> (ticket kvno 2)]
> The above is showing up in the various samba logs for the machines
> that connect to the server.
> Given that there is no keytab on the machine, this error does not
> make any sense to me. Is there supposed to be a keytab? I do not see
> anything about a keytab in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> that talks about a keytab.
> Does anyone know how to fix this? I am still looking but so far
> Google has not been helpful.
> Regards,

You do have a keytab, but it is in memory, which explains why you
cannot find it ;-)

However, you wouldn't normally have the cifs SPN in it, so you need to
create a keytab stored on the Unix domain member.

Add these lines to the smb.conf (if they aren't already there):

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes

restart Samba, then run this command:

net ads keytab create -U Administrator

You can check what is the keytab with:

root at devstation:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   27 host/devstation.samdom.example.com at SAMDOM.EXAMPLE.COM
   2   27       host/DEVSTATION at SAMDOM.EXAMPLE.COM

Press 'q' to exit.


More information about the samba mailing list