[Samba] AD member server, some users suddenly can only connect to shares via ip address

Neil Price nprice at gibb.co.za
Thu Apr 25 11:00:37 UTC 2019

I've got some 4.6.5 member servers (Debian stretch) that have been 
running flawlessly for many months. Suddenly a few users get a password 
prompt when connecting to shares. But they can connect with the IP 
address (Windows 7 and 10 clients). This happened on all of the member 
servers at the same time.

The chances of getting the password prompt seem to increase if you are 
on a different subnet, especially a remote one (WAN connection). There 
are no firewalls between the subnets.

The key error seems to be this

   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pta-cluster.ad.gibb.co.za@AD.GIBB.CO.ZA(kvno 81) in keytab MEMORY:cifs_srv__keytab (aes256-cts-hmac-sha1-96)]

(pta-cluster.ad.gibb.co.za is the member server)

I'm guessing this is a kerberos keytab error. I am using the default 
kerberos method in smb.conf.

dig and dig -x show the expected results, as do nslookup on the windows 

My DCs are real Windows 2008 and 2012 servers.
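
Added example, not part of the original post: a small parser for the error text quoted above that extracts the principal, key version number (kvno) and encryption type the client's ticket required, and compares them with the entries of a keytab listing. The function names are hypothetical, the listing is constructed, and it is assumed to be in the layout printed by MIT `klist -ke`.

```python
import re

# Shape of the failure text quoted in the post (Samba GSSAPI accept error).
FAIL_RE = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")
# One entry of MIT `klist -ke` output: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_failure(text):
    """Return principal, kvno, keytab and enctype from the error, or None."""
    # Undo line wrapping and the list archive's "@" -> " at " rewriting.
    flat = " ".join(text.split()).replace(" at ", "@")
    m = FAIL_RE.search(flat)
    return dict(m.groupdict(), kvno=int(m.group("kvno"))) if m else None

def parse_keytab(listing):
    """Map (principal, enctype) -> set of kvnos found in the listing."""
    keys = {}
    for row in listing.splitlines():
        m = ENTRY_RE.match(row)
        if m:
            keys.setdefault((m.group(2), m.group(3)), set()).add(int(m.group(1)))
    return keys

def diagnose(error_text, listing):
    """Compare the kvno the ticket asked for with the kvnos the keytab holds."""
    f = parse_failure(error_text)
    if f is None:
        return None
    held = parse_keytab(listing).get((f["principal"], f["enctype"]), set())
    status = ("key present" if f["kvno"] in held
              else "kvno mismatch" if held
              else "no key for principal/enctype")
    return {"wanted": f["kvno"], "held": sorted(held), "status": status}

# Error text from the post, with the archive's " at " restored to "@".
SAMPLE_ERROR = (
    "gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
    "Failed to find cifs/pta-cluster.ad.gibb.co.za@AD.GIBB.CO.ZA(kvno 81) "
    "in keytab MEMORY:cifs_srv__keytab (aes256-cts-hmac-sha1-96)]")
# Constructed listing in MIT `klist -ke` layout; not data from the post.
SAMPLE_KEYTAB = """\
KVNO Principal
---- ------------------------------------------------------------
  80 cifs/pta-cluster.ad.gibb.co.za@AD.GIBB.CO.ZA (aes256-cts-hmac-sha1-96)
"""
if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_KEYTAB))
```

A "kvno mismatch" result means the listing holds a key for that principal and encryption type, but not at the version the ticket was encrypted with.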
