[Samba] samba4 ticket server cifs/ not found in keytab
Rowland Penny
rpenny at samba.org
Thu Apr 26 13:59:35 UTC 2018
On Thu, 26 Apr 2018 09:10:40 -0400
listmail via samba <samba at lists.samba.org> wrote:
> example is sanitized as required
>
> the samba host is a member of AD.INTERNALTWO.COM
>
> when accessing from a client member of AD.INTERNALONE it is appending
> @AD.INTERNALONE to the SPN request(??) and I get the error in
> smbd.<client ip>
> 2018/04/25 17:11:58.506095, 1]
> ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
> gss_accept_sec_context failed with [Unspecified GSS failure.
> Minor code may provide more information: Request ticket server
> cifs/nas1dev.external.com at AD.INTERNALONE not found in keytab (ticket
> kvno 3)]
>
>
> smb.conf excerpt:
> [global]
> idmap config * : range = 1000000-1999999
> idmap config * : backend = tdb
> idmap config INTERNALTWO range = 1000000-1999999
> idmap config INTERNALTWO : backend = ads
> idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
> idmap config NAS1DEV-RHEL7 : backend = tdb
The ranges should not overlap, yours are identical, there is no winbind
'ads' backend, it is 'ad' and requires uidNumber & gidNumber
attributes in AD, you will probably be better off using the 'rid' backend
for 'NAS1DEV-RHEL7'
I think you need to read this wiki page:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> ldapsam:trusted = yes
The above is only required on an ldap client, yours isn't an ldap
client.
> wins server = 192.192.192.99
You don't need wins, this is AD.
Finally, the error message is telling you that 'nas1dev.external.com'
needs an SPN and this also needs to be in /etc/krb5.keytab
Rowland
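
Added example, not part of the original post or of Samba: a small checker for the two idmap problems named in the reply, overlapping ranges (which let IDs from different domains collide) and an unknown backend name. The function names, the backend list and both sample configurations are assumptions constructed for illustration.

```python
import re
from itertools import combinations

# Backend names from the Samba idmap_* man pages (assumed list; confirm for your version).
KNOWN_BACKENDS = set("ad autorid hash ldap nss rfc2307 rid script tdb tdb2".split())
IDMAP_LINE = re.compile(r"^[ \t]*idmap[ \t]+config[ \t]+(\S+)[ \t]*:[ \t]*"
                        r"(range|backend)[ \t]*=[ \t]*(\S+)", re.I | re.M)

def parse_idmap(conf_text):
    """Collect {DOMAIN: {'range': (low, high), 'backend': name}} from smb.conf text."""
    domains = {}
    for domain, key, value in IDMAP_LINE.findall(conf_text):
        entry = domains.setdefault(domain.upper(), {})
        if key.lower() == "range":
            low, high = value.split("-", 1)
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = value.lower()
    return domains

def check_idmap(conf_text):
    """Return a list of problems: unknown backends first, then overlapping ranges."""
    domains = sorted(parse_idmap(conf_text).items())
    problems = [f"{d}: unknown backend '{e['backend']}'" for d, e in domains
                if "backend" in e and e["backend"] not in KNOWN_BACKENDS]
    ranged = [(d, e["range"]) for d, e in domains if "range" in e]
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranged, 2):
        if alo <= bhi and blo <= ahi:  # closed intervals share at least one ID
            problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return problems

# Constructed sample modelled on the excerpt in the post.
BEFORE = """
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
idmap config INTERNALTWO : range = 1000000-1999999
idmap config INTERNALTWO : backend = ads
idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
idmap config NAS1DEV-RHEL7 : backend = tdb
"""
# Constructed correction; the ranges are made-up values chosen not to overlap.
AFTER = """
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config INTERNALTWO : range = 10000-999999
idmap config INTERNALTWO : backend = ad
idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
idmap config NAS1DEV-RHEL7 : backend = rid
"""
```

`check_idmap(BEFORE)` reports the 'ads' backend and three pairwise overlaps; `check_idmap(AFTER)` returns an empty list.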