[Samba] smb_krb5_open_keytab failed (Key table name malformed)
shacky
shacky83 at gmail.com
Fri May 11 15:40:18 UTC 2018
Hi.
I joined a fileserver system with Samba version 4.5.12-Debian (fileserv) to
an Active Directory domain managed by a Samba 4.6.7-Ubuntu installed on
another system using "realm discover" and sssd.
The Samba fileserver is correctly joined into the domain and I can
correctly browse AD users:
root@fileserv:/# getent passwd my.user
my.user:*:1616401116:1616400513:Me:/home/domain.com/users/my.user:/bin/bash
The keytab file is correctly created:
root@fileserv:/# ls -l /etc/krb5.*
-rw-r--r-- 1 root root 2794 May 11 17:32 /etc/krb5.conf
-rw------- 1 root root 2208 May 11 16:18 /etc/krb5.keytab
The problem is that I cannot browse my Samba server from a Windows 10
client joined to the same Active Directory domain with a valid user.
When I try to access \\fileserv from the Windows client I get these
errors on the Samba server:
========== 8< ==========
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.181182, 1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]:
../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.183815, 1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]:
../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.184747, 1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]: Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.189970, 1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]:
../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.190017, 1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]:
../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.190045, 1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]: Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193404, 1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]:
../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193442, 1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]:
../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193528, 1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]: Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196100, 1]
../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:30 fileserv smbd[3634]: WARNING: The "syslog" option is
deprecated
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196142, 1]
../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:30 fileserv smbd[3634]: WARNING: The "syslog only" option is
deprecated
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196463, 2]
../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:30 fileserv smbd[3634]: Processing section "[users]"
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196656, 2]
../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:30 fileserv smbd[3634]: Processing section "[homes]"
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.939713, 1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:30 fileserv smbd[3634]: Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.941271, 0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:30 fileserv smbd[3634]: connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.286683, 1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:31 fileserv smbd[3634]: Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.288762, 0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:31 fileserv smbd[3634]: connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.591901, 1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:31 fileserv smbd[3634]: Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.593663, 0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:31 fileserv smbd[3634]: connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595626, 0]
../source3/auth/auth_domain.c:184(domain_client_validate)
May 11 17:10:31 fileserv smbd[3634]: domain_client_validate: Domain
password server not available.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595666, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
May 11 17:10:31 fileserv smbd[3634]: check_ntlm_password: Authentication
for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595697, 2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
May 11 17:10:31 fileserv smbd[3634]: SPNEGO login failed:
NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.610553, 1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:31 fileserv smbd[3635]:
../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.611895, 1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:31 fileserv smbd[3635]:
../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.613109, 1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:31 fileserv smbd[3635]: Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615785, 1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:31 fileserv smbd[3635]:
../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615827, 1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:31 fileserv smbd[3635]:
../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615855, 1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:31 fileserv smbd[3635]: Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.619932, 1]
../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:31 fileserv smbd[3635]: WARNING: The "syslog" option is
deprecated
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.619981, 1]
../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:31 fileserv smbd[3635]: WARNING: The "syslog only" option is
deprecated
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.620318, 2]
../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:31 fileserv smbd[3635]: Processing section "[users]"
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.620537, 2]
../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:31 fileserv smbd[3635]: Processing section "[homes]"
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.312237, 1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]: Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.313774, 0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]: connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.661837, 1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]: Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.663374, 0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]: connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.972733, 1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]: Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.974661, 0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]: connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.976779, 0]
../source3/auth/auth_domain.c:184(domain_client_validate)
May 11 17:10:32 fileserv smbd[3635]: domain_client_validate: Domain
password server not available.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.977536, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
May 11 17:10:32 fileserv smbd[3635]: check_ntlm_password: Authentication
for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.977575, 2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
May 11 17:10:32 fileserv smbd[3635]: SPNEGO login failed:
NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.028424, 2]
../source3/smbd/reply.c:705(reply_special)
May 11 17:10:34 fileserv smbd[3637]: netbios connect: name1=FILESERV
0x20 name2=WIN10-TEST 0x0
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.030869, 2]
../source3/smbd/reply.c:746(reply_special)
May 11 17:10:34 fileserv smbd[3637]: netbios connect: local=fileserv
remote=win10-test, name type = 0
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.036486, 1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:34 fileserv smbd[3637]:
../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.037810, 1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:34 fileserv smbd[3637]:
../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.039122, 1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:34 fileserv smbd[3637]: Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041181, 1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:34 fileserv smbd[3637]:
../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041236, 1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:34 fileserv smbd[3637]:
../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041264, 1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:34 fileserv smbd[3637]: Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
========== 8< ==========
This is my Samba server configuration:
========== 8< ==========
#======================= Global Settings =======================
[global]
workgroup = DOMAIN
server string = File Server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
password server = server-z1.domain.com
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/krb5.keytab
kerberos method = dedicated keytab
security = ads
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/domain.com/users/%U
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
========== 8< ==========
Could you help me please?
Thank you very much!
Bye