[Samba] gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]
Noël Köthe
noel.koethe at credativ.de
Tue Aug 7 11:11:32 UTC 2018
Hello,
my fileserver (Debian and samba packages 4.2.14+dfsg-0+deb8u9)
connected to an AD with one Windows DC and one Samba DC get every 10
seconds the following error:
[2018/08/07 12:52:15.351515, 1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed]
[2018/08/07 12:52:15.351565, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2018/08/07 12:52:15.351609, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Maybe somebody could give me a hint what is broken here and how to fix it.
I tried to fix it with a rejoin to the AD but didn't helped.
The configuration:
/etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
/etc/samba/smb.conf
[global]
netbios name = SERVER
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.DE
log level = 2 smb:4 winbind:4
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 500-40000
idmap_ldb use:rfc2307 = Yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind max clients = 300
winbind refresh tickets = Yes
template homedir = /srv/samba/users/%U
template shell = /bin/bash
# username map = /etc/samba/smbusermap
wins server = 10.1.1.72
dns proxy = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server min protocol = SMB2
[homes]
comment = Home Directories
browseable = yes
...
only more shares follow
Thank you!
--
Have a nice day
Noël Köthe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba/attachments/20180807/5225b901/signature.sig>
More information about the samba
mailing list