[Samba] samba4 ticket server cifs/ not found in keytab
L.P.H. van Belle
belle at bazuin.nl
Thu Apr 26 13:48:36 UTC 2018
Hai,
From your smb.
> realm = AD.INTERNALTWO.COM
> netbios name = nas1dev-rhel7
> server string = nas1dev-rhel7
So I expect cifs/nas1dev-rhel7.ad.yourPrimaryDomain.tld@AD.INTERNALTWO.COM
Check your hosts file and resolv.conf.
Like in, what is the output of:
hostname -I and hostname -A
For cifs kerberos tickets, add in krb5.conf the following lines.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
That might help; then try again. You might need to restart the server first.
And this is wrong.
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
idmap config INTERNALTWO range = 1000000-1999999
idmap config INTERNALTWO : backend = ads
idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
idmap config NAS1DEV-RHEL7 : backend = tdb
These ranges may not overlap.
Review your smb.conf setup based on:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Greetz,
Louis
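The idmap ranges Louis objects to can be checked mechanically. The following is an added example (not code from the thread or from Samba): it parses the `idmap config <DOMAIN> : <key> = <value>` lines of an smb.conf, flags lines that lack the ` : ` separator, and reports any two domains whose ranges overlap, which winbind does not allow. The first sample mirrors the excerpt quoted below; the second is a constructed, disjoint layout of the kind the wiki page describes (the `rid` backend and the exact numbers are assumptions, not from the thread).

```python
"""Check idmap ranges in an smb.conf for overlap and malformed lines.

Added example, not from the thread or from the Samba project.
"""
import re

# Constructed sample mirroring the idmap lines quoted in the thread.
SMB_CONF = """
[global]
    workgroup = INTERNALTWO
    idmap config * : range = 1000000-1999999
    idmap config * : backend = tdb
    idmap config INTERNALTWO range = 1000000-1999999
    idmap config INTERNALTWO : backend = ads
    idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
    idmap config NAS1DEV-RHEL7 : backend = tdb
"""

# Constructed corrected layout: the '*' default range and the domain range
# are disjoint. Backend and numbers are assumptions for illustration only.
FIXED_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config INTERNALTWO : backend = rid
    idmap config INTERNALTWO : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf):
    """Return (entries, errors): entries maps DOMAIN -> {key: value};
    errors lists idmap lines that do not have the 'DOMAIN : key = value' shape."""
    entries, errors = {}, []
    for lineno, line in enumerate(conf.splitlines(), 1):
        stripped = line.strip()
        if not stripped.lower().startswith("idmap config"):
            continue
        m = IDMAP_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: malformed idmap line (missing ' : '?): {stripped}")
            continue
        dom = m.group("dom").upper()
        entries.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return entries, errors


def find_overlaps(entries):
    """Return (overlaps, errors): overlaps is a list of (domA, domB) pairs whose
    ranges intersect; errors covers domains with no or unparsable range."""
    ranges, errors = [], []
    for dom, cfg in entries.items():
        if "range" not in cfg:
            errors.append(f"{dom}: no range configured")
            continue
        m = RANGE_RE.match(cfg["range"])
        if not m:
            errors.append(f"{dom}: unparsable range {cfg['range']!r}")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            errors.append(f"{dom}: range start {lo} is above end {hi}")
            continue
        ranges.append((lo, hi, dom))
    ranges.sort()  # sorted by start, so a later start <= earlier end means overlap
    overlaps = []
    for i, (_, hi_a, dom_a) in enumerate(ranges):
        for lo_b, _, dom_b in ranges[i + 1:]:
            if lo_b <= hi_a:
                overlaps.append((dom_a, dom_b))
    return overlaps, errors


def check(conf):
    """Run both checks and return a summary dict."""
    entries, parse_errors = parse_idmap(conf)
    overlaps, range_errors = find_overlaps(entries)
    return {"overlaps": overlaps, "errors": parse_errors + range_errors}


if __name__ == "__main__":
    print("thread excerpt:", check(SMB_CONF))
    print("corrected:", check(FIXED_CONF))
```

Run against the quoted excerpt it reports the line missing its colon, the resulting absence of a range for INTERNALTWO, and the identical `*` and NAS1DEV-RHEL7 ranges; the corrected layout comes back clean.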
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> listmail via samba
> Sent: Thursday, 26 April 2018 15:11
> To: samba at lists.samba.org
> Subject: [Samba] samba4 ticket server cifs/ not found in keytab
>
> example is sanitized as required
>
> the samba host is a member of AD.INTERNALTWO.COM
>
> when accessing from a client member of AD.INTERNALONE it is appending
> @AD.INTERNALONE to the SPN request(??) and I get the error in
> smbd.<client ip>:
> [2018/04/25 17:11:58.506095, 1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
> gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket kvno 3)]
>
>
> I tried "ignore_acceptor_hostname = true" in krb5.conf, but it has no
> effect.
>
>
> workarounds:
> If I access the samba host by IP address or
> nas1dev.AD.INTERNALTWO.COM
> it works.
> Access from a linux host using the nas1dev.external.com name works.
>
>
>
> any suggestions?
>
>
>
>
> smb.conf excerpt:
> [global]
> workgroup = INTERNALTWO
> realm = AD.INTERNALTWO.COM
> netbios name = nas1dev-rhel7
> server string = nas1dev-rhel7
> security = ADS
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> winbind refresh tickets = yes
> log file = /var/log/samba/smbd.%m
> max log size = 500
> min protocol = SMB2
> min protocol = NT1
> lanman auth = No
> load printers = No
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> domain master = No
> winbind enum users = Yes
> #winbind use default domain = Yes
> winbind expand groups = 5
> #winbind normalize names = no
> idmap config * : range = 1000000-1999999
> idmap config * : backend = tdb
> idmap config INTERNALTWO range = 1000000-1999999
> idmap config INTERNALTWO : backend = ads
> idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
> idmap config NAS1DEV-RHEL7 : backend = tdb
> log level = 1 auth:3 smb:3 winbind:5
> ldapsam:trusted = yes
> restrict anonymous = 2
> create mask = 0770
> force create mode = 0770
> #obs #security mask = 0000
> #obs #force security mode = 0770
> directory mask = 2770
> force directory mode = 2770
> #obs #directory security mask = 0000
> #obs #force directory security mode = 2770
> hide special files = Yes
> hide unreadable = Yes
> veto files = /*.eml/*.nws/riched20.dll/*.{*}/
> writeable = yes
> #ldap ssl = start tls
> #ldap ssl ads = yes
> wins server = 192.192.192.99
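The error quoted above names the exact principal the client asked for, cifs/nas1dev.external.com@AD.INTERNALONE, and that principal can be compared against what the host's keytab actually holds. The following is an added example, not code from the thread or from Samba: it parses the text output of `klist -k` (the keytab listing below is constructed; the thread does not show the real one), lists which cifs/ SPNs are missing for the DNS names clients use, and classifies a requested principal from an smbd log line. The name list and realm are taken from the thread; everything else is an assumption.

```python
"""Compare Kerberos service principals in a keytab with the names clients use.

Added example, not from the thread or from the Samba project.
"""
import re

# Constructed 'klist -k' output for the host in the thread. The principals are
# hypothetical; the actual keytab contents are not shown in the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 NAS1DEV-RHEL7$@AD.INTERNALTWO.COM
   3 host/nas1dev-rhel7@AD.INTERNALTWO.COM
   3 host/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM
   3 cifs/nas1dev-rhel7@AD.INTERNALTWO.COM
   3 cifs/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM
"""

REALM = "AD.INTERNALTWO.COM"
# Every name a client might put into the SPN: short name, FQDN in the realm,
# and the external alias that appears in the log message.
SERVER_NAMES = ["nas1dev-rhel7", "nas1dev-rhel7.ad.internaltwo.com", "nas1dev.external.com"]

PRINC_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return {principal: kvno} from 'klist -k' output, skipping the header lines."""
    principals = {}
    for line in text.splitlines():
        m = PRINC_LINE.match(line)
        if m:
            principals[m.group(2)] = int(m.group(1))
    return principals


def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm); host is None for user principals."""
    name, _, realm = principal.rpartition("@")
    service, _, host = name.partition("/")
    return service, (host or None), realm


def normalise(principal):
    """Active Directory treats SPNs case-insensitively, so compare the
    service/host part in lower case and the realm in upper case."""
    service, host, realm = split_principal(principal)
    name = service.lower() + ("/" + host.lower() if host else "")
    return f"{name}@{realm.upper()}"


def missing_spns(klist_text, names, realm, service="cifs"):
    """Return the sorted list of service principals (one per name) absent from the keytab."""
    have = {normalise(p) for p in parse_klist(klist_text)}
    wanted = [f"{service}/{n}@{realm}" for n in names]
    return sorted(p for p in wanted if normalise(p) not in have)


def classify_request(requested, klist_text, realm):
    """Explain why a ticket named in an smbd 'not found in keytab' error is rejected.

    'wrong-realm'  : the ticket was issued for a realm this host is not joined to, so
                     no keytab entry can ever decrypt it (the client mapped the name to
                     its own realm instead of the server's)
    'missing-spn'  : the realm matches but the keytab has no key for that service/host
    'ok'           : the keytab covers the requested principal
    """
    _, _, req_realm = split_principal(requested)
    if req_realm.upper() != realm.upper():
        return "wrong-realm"
    have = {normalise(p) for p in parse_klist(klist_text)}
    return "missing-spn" if normalise(requested) not in have else "ok"


if __name__ == "__main__":
    print("missing:", missing_spns(KLIST_OUTPUT, SERVER_NAMES, REALM))
    print(classify_request("cifs/nas1dev.external.com@AD.INTERNALONE", KLIST_OUTPUT, REALM))
```

For the principal in the quoted log line the result is "wrong-realm": the client's own KDC issued a ticket for AD.INTERNALONE, so adding keys to this host's keytab cannot make it acceptable; the name-to-realm mapping on the client side is what decides which realm the request goes to. Only when the realm already matches does a "missing-spn" result point at the keytab itself.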