[Samba] DM 3.6.25 -> 4.x

Stefan G. Weichinger lists at xunil.at
Sat Jun 30 21:19:29 UTC 2018


On 30.06.2018 at 21:37, Rowland Penny via samba wrote:
> On Sat, 30 Jun 2018 21:02:57 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
>>
>> additional:
>>
>> the krb5.conf from the former admin, I assume it could or should be
>> boiled down:
>> # cat /etc/krb5.conf
> 
> The standard one for Samba is just this:
> 
> [libdefaults]
>      default_realm = CUSTOMER.INTRA
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> There doesn't seem to be anything wrong with your smb.conf.
> 
> Not sure if this is the 3.6.x machine or the 4.x.x,

It's a 4.7.7

> but whichever, I
> would leave the domain, stop Samba, remove all the .ldb & .tdb (they
> are probably in /var/lib/samba), delete /etc/krb5.keytab and then
> rejoin the domain and restart Samba. This should create a
> new /etc/krb5.keytab, check this contains the 'cifs' principals. 

Did so until here.

> If
> it does, okay, if it doesn't, export a keytab on the DC with
> samba-tool with  cifs/U1mycustomer.mycustomer.intra as the principal
> and copy this to the Unix domain member. Then use 'ktutil' to
> join /etc/krb5.keytab to the new keytab.

The DC is a windows machine, so no samba-tool there ...
Can I "pull" these infos somehow?

btw after above changes:

[2018/06/30 23:17:31.605837,  1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/U1customer.customer.intra at customer.INTRA not found in keytab (ticket kvno 277)]

(same as before)

# net ads keytab list
Vno  Type                                        Principal
  2  DES cbc mode with CRC-32                    host/u1customer.customer.intra at customer.INTRA
  2  DES cbc mode with CRC-32                    host/SAMBA at customer.INTRA
  2  DES cbc mode with RSA-MD5                   host/u1customer.customer.intra at customer.INTRA
  2  DES cbc mode with RSA-MD5                   host/SAMBA at customer.INTRA
  2  AES-128 CTS mode with 96-bit SHA-1 HMAC     host/u1customer.customer.intra at customer.INTRA
  2  AES-128 CTS mode with 96-bit SHA-1 HMAC     host/SAMBA at customer.INTRA
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC     host/u1customer.customer.intra at customer.INTRA
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC     host/SAMBA at customer.INTRA
  2  ArcFour with HMAC/md5                       host/u1customer.customer.intra at customer.INTRA
  2  ArcFour with HMAC/md5                       host/SAMBA at customer.INTRA

  2  DES cbc mode with CRC-32                    SAMBA$@customer.INTRA
  2  DES cbc mode with RSA-MD5                   SAMBA$@customer.INTRA
  2  AES-128 CTS mode with 96-bit SHA-1 HMAC     SAMBA$@customer.INTRA
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC     SAMBA$@customer.INTRA
  2  ArcFour with HMAC/md5                       SAMBA$@customer.INTRA


hmm. no "cifs"

wouldn't "net ads keymap add" help as well?


> If needed, I can talk you through this ;-)

thank you ;-)
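
The comparison made by eye in the message above (the principal and kvno named in the gse.c error against the rows of 'net ads keytab list'), as an added example that is not part of the original message or of Samba. The function names and the sample strings are assumptions: the input is constructed, modelled on the quoted output with '@' written out in principal names.

```python
import re

# Constructed sample input modelled on the output quoted in the message above.
LOG = ("gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code "
       "may provide more information: Request ticket server "
       "cifs/U1customer.customer.intra@CUSTOMER.INTRA not found in keytab "
       "(ticket kvno 277)]")
KEYTAB = """\
Vno  Type                                        Principal
  2  DES cbc mode with CRC-32                    host/u1customer.customer.intra@CUSTOMER.INTRA
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC     host/u1customer.customer.intra@CUSTOMER.INTRA
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC     host/SAMBA@CUSTOMER.INTRA
  2  ArcFour with HMAC/md5                       SAMBA$@CUSTOMER.INTRA
"""

REQ_RE = re.compile(r"Request ticket server (\S+) not found in keytab \(ticket kvno (\d+)\)")
ROW_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s{2,}(\S+)\s*$")

def parse_request(log):
    """Return (principal, kvno) from the GSS error, or None if absent."""
    m = REQ_RE.search(log)
    return (m.group(1), int(m.group(2))) if m else None

def parse_keytab(listing):
    """Return [(kvno, enctype, principal)] from a 'net ads keytab list' table."""
    rows = (ROW_RE.match(line) for line in listing.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in rows if m]

def diagnose(log, listing):
    """Explain why the acceptor could not find a key for the requested ticket."""
    req = parse_request(log)
    if req is None:
        return []
    principal, kvno = req
    entries = parse_keytab(listing)
    exact = [e for e in entries if e[2] == principal]
    findings = []
    if not exact:
        findings.append("missing-principal")
        host = principal.partition("/")[2].lower()
        # Service classes the keytab does hold for the same host name.
        held = sorted({p.split("/")[0] for _, _, p in entries
                       if "/" in p and p.split("/", 1)[1].lower() == host})
        if held:
            findings.append("held-for-host:" + ",".join(held))
    kvnos = sorted({e[0] for e in (exact or entries)})
    if kvno not in kvnos:
        findings.append(f"kvno-mismatch:ticket={kvno},keytab={kvnos}")
    return findings

if __name__ == "__main__":
    print(diagnose(LOG, KEYTAB))
```

On the sample it reports both conditions visible in the thread: no cifs/ entry although host/ exists for the same name, and a ticket kvno that none of the keytab entries carry.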



