[Samba] samba4 ticket server cifs/ not found in keytab

listmail mailinglist at northstate.net
Thu Apr 26 13:10:40 UTC 2018


Example is sanitized as required.

The samba host is a member of AD.INTERNALTWO.COM.

When accessing from a client that is a member of AD.INTERNALONE it is appending
@AD.INTERNALONE to the SPN request(??) and I get the error in
smbd.<client ip>:

[2018/04/25 17:11:58.506095,  1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket kvno 3)]


I tried "ignore_acceptor_hostname = true" in krb5.conf, but it has no
effect.


Workarounds:
If I access the samba host by IP address or as nas1dev.AD.INTERNALTWO.COM
it works.
Access from a Linux host using the nas1dev.external.com name works.



Any suggestions?

smb.conf excerpt:
[global]
         workgroup = INTERNALTWO
         realm = AD.INTERNALTWO.COM
         netbios name = nas1dev-rhel7
         server string = nas1dev-rhel7
         security = ADS
         kerberos method = secrets and keytab
         dedicated keytab file = /etc/krb5.keytab
         winbind refresh tickets = yes
         log file = /var/log/samba/smbd.%m
         max log size = 500
         # NOTE: "min protocol" is set twice below; smbd keeps the last value, so NT1 is the effective setting
         min protocol = SMB2
         min protocol = NT1
         lanman auth = No
         load printers = No
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes
         domain master = No
         winbind enum users = Yes
         #winbind use default domain = Yes
         winbind expand groups = 5
         #winbind normalize names = no
         idmap config * : range = 1000000-1999999
         idmap config * : backend = tdb
         # the original line was missing the ":" before "range", which makes smbd ignore it
         idmap config INTERNALTWO : range = 1000000-1999999
         idmap config INTERNALTWO : backend = ads
         idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
         idmap config NAS1DEV-RHEL7 : backend = tdb
         log level = 1 auth:3 smb:3 winbind:5
         ldapsam:trusted = yes
         restrict anonymous = 2
         create mask = 0770
         force create mode = 0770
         #obs #security mask = 0000
         #obs #force security mode = 0770
         directory mask = 2770
         force directory mode = 2770
         #obs #directory security mask = 0000
         #obs #force directory security mode = 2770
         hide special files = Yes
         hide unreadable = Yes
         veto files = /*.eml/*.nws/riched20.dll/*.{*}/
         writeable = yes
         #ldap ssl = start tls
         #ldap ssl ads = yes
         wins server = 192.192.192.99
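Added diagnostic example, not part of the original post and not Samba's own tooling: a small POSIX shell script that takes the principal and kvno named in a gse.c "not found in keytab" error and checks it against the output of `klist -kte` on the file server. It tells apart the three cases an admin wants to distinguish here: the entry is present (so the problem is elsewhere), the SPN exists in the keytab but under a different realm (the cross-realm / realm-mapping situation described above), or the SPN is missing entirely. The keytab listing and the error line below are constructed samples modelled on the post (the archive renders "@" as " at "; the real smbd log has "@"); on a live host, replace the listing with `klist -kte /etc/krb5.keytab` output.

```shell
#!/bin/sh
# Constructed sample of `klist -kte /etc/krb5.keytab` on the samba host (not real data).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/25/2018 10:02:11 host/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM (aes256-cts-hmac-sha1-96)
   3 04/25/2018 10:02:11 cifs/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM (aes256-cts-hmac-sha1-96)
   3 04/25/2018 10:02:11 cifs/nas1dev.external.com@AD.INTERNALTWO.COM (aes256-cts-hmac-sha1-96)
   3 04/25/2018 10:02:11 NAS1DEV-RHEL7$@AD.INTERNALTWO.COM (aes256-cts-hmac-sha1-96)'

# Constructed gse.c error message in the form smbd writes it (one line, "@" not " at ").
SAMPLE_ERROR='gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket kvno 3)]'

# Principal the client presented a ticket for, e.g. cifs/nas1dev.external.com@AD.INTERNALONE
requested_principal() {
    printf '%s\n' "$1" | sed -n 's/.*Request ticket server \([^ ]*\) not found in keytab.*/\1/p'
}

# Key version number the ticket was encrypted with.
requested_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*(ticket kvno \([0-9]*\)).*/\1/p'
}

# keytab_has LISTING PRINCIPAL KVNO: exit 0 only if that exact principal/kvno pair is in the keytab.
# klist -kte columns: KVNO, date, time, principal, (enctype)
keytab_has() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" '$1 == k && $4 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# diagnose LISTING ERRORLINE: prints a verdict and returns
#   0 = entry present, 2 = same SPN but different realm, 3 = SPN absent altogether
diagnose() {
    listing=$1
    errline=$2
    p=$(requested_principal "$errline")
    k=$(requested_kvno "$errline")
    if keytab_has "$listing" "$p" "$k"; then
        echo "present: $p (kvno $k) is in the keytab; look elsewhere (enctype, clock skew, kvno rollover)"
        return 0
    fi
    spn=${p%@*}
    realm=${p##*@}
    # Same service/host under another realm: the client's KDC issued the ticket for the
    # wrong realm, i.e. a domain-to-realm mapping / cross-realm problem, not a missing SPN.
    alt=$(printf '%s\n' "$listing" | awk -v s="$spn" 'index($4, s "@") == 1 { print $4 }')
    if [ -n "$alt" ]; then
        echo "realm mismatch: client asked for $spn in realm $realm, keytab only has: $alt"
        return 2
    fi
    echo "missing SPN: $spn is not in the keytab under any realm"
    return 3
}

# Stand-alone run against the constructed samples (status 2 expected: realm mismatch).
diagnose "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_ERROR" || :
```

The realm-mismatch verdict is the one that matches the post: the keytab holds cifs/nas1dev.external.com only under AD.INTERNALTWO.COM, while the INTERNALONE client's ticket names the same SPN in AD.INTERNALONE, so no keytab entry can decrypt it regardless of ignore_acceptor_hostname, which only relaxes the hostname part of the principal, not the realm.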