[Samba] Samba 4.10 member: SMB login no longer working
Sven Schwedas
sven.schwedas at tao.at
Wed Jun 26 09:36:02 UTC 2019
Overall domain architecture hasn't changed since my spring cleanup post
earlier (I did sort out the krb5 packages and logging settings, though).
To start the migration, I figured I'd first update the file servers,
since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 →
4.9, 4.9 → 4.10 seemed to work fine each step.
However, SMB logins either with smbclient or with Windows, Mac clients
no longer work, generating the following error message:
> [2019/06/26 11:24:13.015993, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2019/06/26 11:24:13.021148, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2019/06/26 11:24:13.021265, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
> gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2019/06/26 11:24:13.021469, 3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
> [2019/06/26 11:24:13.022945, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
> Server exit (NT_STATUS_END_OF_FILE)
wbinfo -t says the domain join is fine, and logins via winbind work fine
too, so I'm not sure what's causing this error. As far as I can see, all the
login-related smb.conf changes didn't affect us, since we were already
on the backwards compatible defaults.
smb.conf:
> [global]
> deadtime = 15
> dns forwarder = 8.8.8.8
> kerberos method = system keytab
> logging = syslog
> realm = AD.TAO.AT
> security = ADS
> server string = Netzlaufwerke Graz
> template homedir = /home/%U
> template shell = /bin/bash
> tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
> winbind use default domain = Yes
> workgroup = AD
> idmap config ad : unix_nss_info = yes
This was the only change that seemed necessary for a pure domain member
like this.
> idmap config ad : schema_mode = rfc2307
> idmap config ad : range = 4500-50000
> idmap config ad : backend = ad
> idmap config * : range = 60000-61000
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> acl group control = Yes
> aio read size = 16384
> aio write size = 16384
> create mask = 0770
> directory mask = 0770
> force create mode = 0660
> force directory mode = 02770
> inherit acls = Yes
> inherit owner = windows and unix
> inherit permissions = Yes
> read only = No
> use sendfile = Yes
>
>
> [homes]
> comment = ~
> volume = nethome
>
>
> [print$]
> comment = Druckertreiber Windows
> path = /srv/smb/Drucker/
>
>
> [printers]
> browseable = No
> comment = Drucker
> path = /var/spool/samba
> printable = Yes
>
>
> [public-graz]
> comment = S:
> path = /srv/smb
> vfs objects = recycle
> volume = Graz
> recycle:versions = yes
> recycle:keeptree = yes
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
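To tell which part of the requested key is absent (SPN, kvno or enctype), the gse.c log line can be compared with the `klist -ke` listing of the system keytab. The following is an added example, not part of the original post; the klist output is constructed and the function names are hypothetical.

```python
import re

# Heimdal and MIT spell the RC4 enctype differently; fold to one name.
ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}
# The list archive rewrites "@" as " at ", so accept both separators.
LOG_RE = re.compile(
    r"Failed to find (?P<spn>\S+?)(?:@| at )(?P<realm>\S+?)\(kvno (?P<kvno>\d+)\)"
    r" in keytab \S+ \((?P<etype>[^)]+)\)")
# One entry line of `klist -ke`: "<kvno> <principal>@<REALM> (<enctype>)".
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

# Log text is from the post above; the klist output is constructed, not the poster's keytab.
SAMPLE_LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
              "Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) "
              "in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")
SAMPLE_KLIST = """\
KVNO Principal
---- ----------------------------------------------------
  99 cifs/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
  99 cifs/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
"""

def norm(etype):
    return ALIASES.get(etype.strip().lower(), etype.strip().lower())

def parse_log(line):
    """Return (spn, realm, kvno, enctype) the server looked for, or None."""
    m = LOG_RE.search(line)
    return m and (m["spn"].lower(), m["realm"].upper(), int(m["kvno"]), norm(m["etype"]))

def parse_klist(text):
    hits = (KLIST_RE.match(l) for l in text.splitlines())
    return [(m[2].lower(), m[3].upper(), int(m[1]), norm(m[4])) for m in hits if m]

def diagnose(log_line, klist_text):
    """Say which part of the wanted key (SPN, kvno, enctype) the keytab lacks."""
    wanted = parse_log(log_line)
    if wanted is None:
        return "not a keytab lookup failure"
    spn, realm, kvno, etype = wanted
    same_spn = [e for e in parse_klist(klist_text) if e[:2] == (spn, realm)]
    if not same_spn:
        return "principal missing"
    same_kvno = [e for e in same_spn if e[2] == kvno]
    if not same_kvno:
        return "kvno mismatch: keytab has %s" % sorted({e[2] for e in same_spn})
    if etype not in {e[3] for e in same_kvno}:
        return "enctype missing: keytab has %s" % sorted({e[3] for e in same_kvno})
    return "entry present"
```

Feed `diagnose()` the real output of `klist -ke` on the member server in place of `SAMPLE_KLIST`; principal names are compared case-insensitively here, which is an assumption that suits AD.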