[Samba] Failed to find [principal](kvno 4) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Dec 27 17:31:18 UTC 2019

> I updated to FreeNAS 11.1u7 which shows samba at "Version
> 4.7.0-GIT-ea139bffada-FreeNAS".
> The issue persists just as it did on the old version.
> Can anyone answer my questions about the in-memory keytab? How can two
> clients both use the same service principal name (and kvno) but one can't
> be found in the keytab?

I'm starting to suspect this has something to do with kerberos
encryption types.

Most of the errors in the log reference arcfour-hmac-md5, but I see others
(with higher kvno) that reference aes256-cts-hmac-sha1-96.

Some additional information that may be relevant:
- The client failures weren't immediate; clients would slowly drop one by
- This domain and forest functional level were previously on Server 2008
R2, and recently upgraded to Server 2016 after the DCs were upgraded to
Windows Server 2016

Just now my Windows 10 machine failed to connect. "klist" showed a ticket
for "cifs/nas01 @ EXAMPLE.com" that used KerbTicket Encryption Type: RSADSI
RC4-HMAC(NT).  I issued "klist purge" and successfully reconnected. The
ticket is now of type AES-256-CTS-HMAC-SMA1-96.

I'm starting to consider the nuclear option:
- Disable directory services on FreeNAS
- Nuke some Samba state (what files? secrets.tdb?)
- Delete the computer account
- Re-join

More information about the samba mailing list