[Samba] samba4 ticket server cifs/ not found in keytab
listmail
mailinglist at northstate.net
Thu Apr 26 13:10:40 UTC 2018
Example is sanitized as required.

The Samba host is a member of AD.INTERNALTWO.COM.
When accessing from a client member of AD.INTERNALONE, it is appending
@AD.INTERNALONE to the SPN request(??) and I get the error in
smbd.<client ip>:

[2018/04/25 17:11:58.506095, 1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure. Minor
  code may provide more information: Request ticket server
  cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket
  kvno 3)]

I tried "ignore_acceptor_hostname = true" in krb5.conf, but it has no
effect.

Workarounds:
If I access the Samba host by IP address or nas1dev.AD.INTERNALTWO.COM,
it works.
Access from a Linux host using the nas1dev.external.com name works.

Any suggestions?

smb.conf excerpt:
[global]
workgroup = INTERNALTWO
realm = AD.INTERNALTWO.COM
netbios name = nas1dev-rhel7
server string = nas1dev-rhel7
security = ADS
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
log file = /var/log/samba/smbd.%m
max log size = 500
min protocol = SMB2
min protocol = NT1
lanman auth = No
load printers = No
printing = bsd
printcap name = /dev/null
disable spoolss = yes
domain master = No
winbind enum users = Yes
#winbind use default domain = Yes
winbind expand groups = 5
#winbind normalize names = no
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
idmap config INTERNALTWO range = 1000000-1999999
idmap config INTERNALTWO : backend = ads
idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
idmap config NAS1DEV-RHEL7 : backend = tdb
log level = 1 auth:3 smb:3 winbind:5
ldapsam:trusted = yes
restrict anonymous = 2
create mask = 0770
force create mode = 0770
#obs #security mask = 0000
#obs #force security mode = 0770
directory mask = 2770
force directory mode = 2770
#obs #directory security mask = 0000
#obs #force directory security mode = 2770
hide special files = Yes
hide unreadable = Yes
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
writeable = yes
#ldap ssl = start tls
#ldap ssl ads = yes
wins server = 192.192.192.99
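
Added example, not part of the original post: a small triage script that extracts the principal named in the gss_accept_sec_context error above and compares it with the service principals in a `klist -k` listing, to show whether the service, host, realm or kvno is the part the keytab lacks. The keytab listing is constructed for illustration (it is not the poster's keytab), and the function names are hypothetical.

```python
import re

# Constructed input: the error text from the post, and a hypothetical
# `klist -k /etc/krb5.keytab` listing (not the poster's real keytab).
SMBD_ERROR = """gss_accept_sec_context failed with [Unspecified GSS failure. Minor
code may provide more information: Request ticket server
cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket
kvno 3)]"""
KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM
   3 cifs/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM
   3 cifs/nas1dev.external.com@AD.INTERNALTWO.COM
   3 NAS1DEV-RHEL7$@AD.INTERNALTWO.COM
"""

# Accepts "@" or the " at " that list archives substitute for it.
REQ_RE = re.compile(r"Request ticket server (\S+?)/(\S+?)(?:@| at )(\S+) "
                    r"not found in keytab \(ticket kvno (\d+)\)")
KT_RE = re.compile(r"^\s*(\d+)\s+([^/@\s]+)/([^@\s]+)@(\S+)\s*$")

def parse_requested(msg):
    """Return (service, host, realm, kvno) from the gse.c error text."""
    m = REQ_RE.search(" ".join(msg.split()))  # undo log line wrapping
    if not m:
        raise ValueError("no 'not found in keytab' error in message")
    return m.group(1), m.group(2), m.group(3), int(m.group(4))

def parse_keytab(listing):
    """Return (service, host, realm, kvno) for each service/host principal."""
    rows = (KT_RE.match(line) for line in listing.splitlines())
    return [(m.group(2), m.group(3), m.group(4), int(m.group(1))) for m in rows if m]

def diagnose(req, entries):
    """Name the part of the requested principal that the keytab lacks."""
    svc, host, realm, kvno = req
    named = [e for e in entries if e[:2] == (svc, host)]
    in_realm = [e for e in named if e[2] == realm]
    if any(e[3] == kvno for e in in_realm):
        return "match"
    if in_realm:
        return "kvno-mismatch"
    if named:
        return "realm-mismatch"
    if any(e[1] == host for e in entries):
        return "service-missing"
    return "host-missing"

if __name__ == "__main__":
    req = parse_requested(SMBD_ERROR)
    print(req, "->", diagnose(req, parse_keytab(KLIST_K)))
```

The parser reads plain `klist -k` output only; listings produced with extra columns (for example timestamps or encryption types) would need a wider pattern.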