[Samba] samba4 ticket server cifs/ not found in keytab

Rowland Penny rpenny at samba.org
Thu Apr 26 13:59:35 UTC 2018


On Thu, 26 Apr 2018 09:10:40 -0400
listmail via samba <samba at lists.samba.org> wrote:

> example is sanitized as required
> 
> the samba host is a member of AD.INTERNALTWO.COM
> 
> when accessing from a client member of AD.INTERNALONE it is appending 
> @AD.INTERNALONE to the SPN request(??) and I get the error in 
> smbd.<client ip>
> 2018/04/25 17:11:58.506095,  1] 
> ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
>    gss_accept_sec_context failed with [Unspecified GSS failure.
> Minor code may provide more information: Request ticket server 
> cifs/nas1dev.external.com at AD.INTERNALONE not found in keytab (ticket 
> kvno 3)]
> 
> 
> smb.conf excerpt:
> [global]
>          idmap config * : range = 1000000-1999999
>          idmap config * : backend = tdb
>          idmap config INTERNALTWO range = 1000000-1999999
>          idmap config INTERNALTWO : backend = ads
>          idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
>          idmap config NAS1DEV-RHEL7 : backend = tdb

The ranges should not overlap, yours are identical, there is no winbind
'ads' backend, it is 'ad' and requires uidNumber & gidNumber
attributes in AD, you will probably better off using the 'rid' backend
for 'NAS1DEV-RHEL7'

I think you need to read this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 

>          ldapsam:trusted = yes

The above is only required on an ldap client, yours isn't an ldap
client.
 
>          wins server = 192.192.192.99

You don't need wins, this is AD.
 
Finally, the error message is telling you that 'nas1dev.external.com'
needs an SPN and this also needs to be in /etc/krb5.keytab

Rowland



More information about the samba mailing list