[Samba] Failed to find [principal](kvno 4) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Dec 27 19:05:08 UTC 2019

On Fri, Dec 27, 2019 at 1:12 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 27/12/2019 17:06, Jonathon Reinhart wrote:
> > I updated to FreeNAS 11.1u7 which shows samba at "Version
> > 4.7.0-GIT-ea139bffada-FreeNAS".
> >
> > The issue persists just as it did on the old version.
> >
> > Can anyone answer my questions about the in-memory keytab? How can two
> > clients both use the same service principal name (and kvno) but one
> > can't be found in the keytab?
> >
> > Thanks,
> > Jonathon
> Not sure what is going on here, that Samba version appears to be a
> Freenas version (and is still EOL), but the release notes here:
> https://www.ixsystems.com/blog/library/freenas-11-2-u7/ clearly states
> that the Samba version is now 4.9.15 (which is still supported by Samba)

I was coming from FreeNAS 9.10, so I first updated to FreeNAS 11.1 which
has Samba 4.7 (not 11.2 which has Samba 4.9). I will continue the upgrade
path to 11.2, but wanted to stop here at 11.1 and take a look...

> here are a few ways to mount a share with kerberos, how are you doing it ?

Entering \\nas01.example.com into Windows Explorer from a domain-joined
client machine.

> Whichever way, it usually relies on the server having an SPN in the
> format cifs/fqdn at REALM

But aside from joining the fileserver, an admin doesn't have to do anything
as long as there are no CNAME aliases being used, right? (IOW clients are
accessing via the "joined" name.)

> If one client works and another doesn't, I would be checking to see if
> there are any differences between the clients.

I've been trying unsuccessfully to do that. What's weird is that it also
seemed to sometimes pop-up after users changed their password. But I'll
reiterate that the problem is not tied to any user; a user who can't access
the share from "their" box can logon to a different machine and
successfully access the share.

This is why I've been playing with "klist prune"...

> If after all this, it still doesn't work and you are using a supported
> Samba version, then I would open a bug report, giving as much data as
> possible (log level 10 output, network traces etc)

I will update to FreeNAS 11.2 (and Samba 4.9) but I can't imagine providing
any more information than I already have. I have to manually transcribe log
entries from this network. And I've provided the highest log level relevant
log entry and a description of what I'm seeing in Wireshark. Unfortunately
there are no debug entries in the success paths where the in-memory keytab
is being reconstructed.
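An added example, not from this thread or from Samba: the error in the subject line names three things the server must match against its keytab (the service principal, the kvno, and the enctype), and the discussion above is about which of them differs between the working and the failing client. The script below parses a constructed copy of that error line and a constructed `klist -kte`-style listing and reports which field fails to match, so the same check can be run on real output from the file server. The principal, kvno values, timestamps and keytab path are assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a Samba keytab lookup failure in the shape of the thread's
# subject line (principal, kvno and enctype values are made up for the example).
SAMBA_ERROR = ("Failed to find cifs/nas01.example.com@EXAMPLE.COM(kvno 4) "
               "in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)")

# Constructed sample: listing in the style of `klist -kte` on the file server.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 12/27/19 10:00:00 cifs/nas01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 12/27/19 10:00:00 cifs/nas01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 12/27/19 10:00:00 cifs/nas01.example.com@EXAMPLE.COM (arcfour-hmac)
   4 12/27/19 09:00:00 host/nas01.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# "Failed to find <principal>(kvno <n>) in keytab <name> (<enctype>)"
ERROR_RE = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<etype>[^)]+)\)")

# One data line of `klist -kte`: kvno, date, time, principal, (enctype)
KEYTAB_LINE_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s+\((?P<etype>[^)]+)\)\s*$")

# The RC4 enctype is spelled several ways by MIT and Heimdal tools; fold to one name.
ETYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}


def norm_etype(name):
    name = name.strip().lower()
    return ETYPE_ALIASES.get(name, name)


@dataclass
class Diagnosis:
    reason: str            # "match", "principal-missing", "kvno-mismatch", "enctype-missing"
    principal: str
    wanted_kvno: int
    wanted_etype: str
    keytab_kvnos: set = field(default_factory=set)   # kvnos present for that principal
    keytab_etypes: set = field(default_factory=set)  # enctypes present for that principal


def parse_error(line):
    """Return (principal, kvno, enctype) from a Samba keytab lookup failure."""
    m = ERROR_RE.search(line)
    if not m:
        raise ValueError("not a keytab lookup failure: " + line)
    return m["principal"], int(m["kvno"]), norm_etype(m["etype"])


def parse_keytab_listing(text):
    """Return [(principal, kvno, enctype), ...] from klist -kte style output."""
    entries = []
    for raw in text.splitlines():
        m = KEYTAB_LINE_RE.match(raw)
        if m:
            entries.append((m["principal"], int(m["kvno"]), norm_etype(m["etype"])))
    return entries


def diagnose(error_line, klist_text):
    """Say which of principal / kvno / enctype keeps the ticket from matching the keytab."""
    principal, kvno, etype = parse_error(error_line)
    entries = [e for e in parse_keytab_listing(klist_text) if e[0] == principal]
    d = Diagnosis("match", principal, kvno, etype,
                  {e[1] for e in entries}, {e[2] for e in entries})
    if not entries:
        d.reason = "principal-missing"        # no key for that SPN at all (e.g. alias name)
    elif kvno not in d.keytab_kvnos:
        d.reason = "kvno-mismatch"            # ticket issued under an older/newer key version
    elif not any(e[1] == kvno and e[2] == etype for e in entries):
        d.reason = "enctype-missing"          # right key version, but not for that enctype
    return d


if __name__ == "__main__":
    result = diagnose(SAMBA_ERROR, KLIST_OUTPUT)
    print(f"{result.principal}: {result.reason} "
          f"(ticket kvno {result.wanted_kvno}, keytab kvnos {sorted(result.keytab_kvnos)}; "
          f"ticket etype {result.wanted_etype}, keytab etypes {sorted(result.keytab_etypes)})")
```

With the constructed data the verdict is `kvno-mismatch`: the keytab holds kvno 5 for the cifs SPN while the failing ticket was issued for kvno 4, which is the kind of difference to look for between a client whose ticket cache predates a machine account key change and one that obtained a fresh ticket. Against real output, feed the script the server's `klist -kte` listing and the log line from the failing client.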
