[Samba] samba4 ticket server cifs/ not found in keytab

L.P.H. van Belle belle at bazuin.nl
Thu Apr 26 13:48:36 UTC 2018


Hai, 

>From your smb. 
>          realm = AD.INTERNALTWO.COM
>          netbios name = nas1dev-rhel7
>          server string = nas1dev-rhel7

Is i expect cifs/nas1dev-rhel7.ad.yourPrimaryDomain.tld at AD.INTERNALTWO.COM
Check you hosts file and resolve.conf 

Like in what is the output of : 
hostname -I and hostname -A


For cifs kerberos tickets, add in krb5.conf the following lines. 

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

That might help, then try again, you might need to restart the server first. 

And this is wrong.
         idmap config * : range = 1000000-1999999
         idmap config * : backend = tdb
         idmap config INTERNALTWO range = 1000000-1999999
         idmap config INTERNALTWO : backend = ads
         idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
         idmap config NAS1DEV-RHEL7 : backend = tdb

These range may not overlap. 
Review your setup smb.conf base on : 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 


Greetz, 

Louis
 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> listmail via samba
> Verzonden: donderdag 26 april 2018 15:11
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] samba4 ticket server cifs/ not found in keytab
> 
> example is sanitized as required
> 
> the samba host is a member of AD.INTERNALTWO.COM
> 
> when accessing from a client member of AD.INTERNALONE it is appending 
> @AD.INTERNALONE to the SPN request(??) and I get the error in 
> smbd.<client ip>
> 2018/04/25 17:11:58.506095,  1] 
> ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
>    gss_accept_sec_context failed with [Unspecified GSS 
> failure.  Minor 
> code may provide more information: Request ticket server 
> cifs/nas1dev.external.com at AD.INTERNALONE not found in keytab (ticket 
> kvno 3)]
> 
> 
> i tried "ignore_acceptor_hostname = true" in krb5.conf, but it has no 
> effect
> 
> 
> workarounds:
> if i access the samba host by IP address or 
> nas1dev.AD.INTERNALTWO.COM 
> it works
> access from a linux host using the nas1dev.external.com name works
> 
> 
> 
> any suggestions?
> 
> 
> 
> 
> smb.conf excerpt:
> [global]
>          workgroup = INTERNALTWO
>          realm = AD.INTERNALTWO.COM
>          netbios name = nas1dev-rhel7
>          server string = nas1dev-rhel7
>          security = ADS
>          kerberos method = secrets and keytab
>          dedicated keytab file = /etc/krb5.keytab
>          winbind refresh tickets = yes
>          log file = /var/log/samba/smbd.%m
>          max log size = 500
>          min protocol = SMB2
>          min protocol = NT1
>          lanman auth = No
>          load printers = No
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
>          domain master = No
>          winbind enum users = Yes
>          #winbind use default domain = Yes
>          winbind expand groups = 5
>          #winbind normalize names = no
>          idmap config * : range = 1000000-1999999
>          idmap config * : backend = tdb
>          idmap config INTERNALTWO range = 1000000-1999999
>          idmap config INTERNALTWO : backend = ads
>          idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
>          idmap config NAS1DEV-RHEL7 : backend = tdb
>          log level = 1 auth:3 smb:3 winbind:5
>          ldapsam:trusted = yes
>          restrict anonymous = 2
>          create mask = 0770
>          force create mode = 0770
>          #obs #security mask = 0000
>          #obs #force security mode = 0770
>          directory mask = 2770
>          force directory mode = 2770
>          #obs #directory security mask = 0000
>          #obs #force directory security mode = 2770
>          hide special files = Yes
>          hide unreadable = Yes
>          veto files = /*.eml/*.nws/riched20.dll/*.{*}/
>          writeable = yes
>          #ldap ssl = start tls
>          #ldap ssl ads = yes
>          wins server = 192.192.192.99
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 




More information about the samba mailing list