[Samba] Samba 4.10 member: SMB login no longer working

Sven Schwedas sven.schwedas at tao.at
Wed Jun 26 09:36:02 UTC 2019


Overall domain architecture hasn't changed since my spring cleanup post
earlier (I did sort out the krb5 packages and logging settings, though).

To start the migration, I figured I'd first update the file servers,
since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 →
4.9, 4.9 → 4.10 seemed to work fine each step.

However, SMB logins either with smbclient or with Windows, Mac clients
no longer work, generating the following error message:

> [2019/06/26 11:24:13.015993,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2019/06/26 11:24:13.021148,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2019/06/26 11:24:13.021265,  1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2019/06/26 11:24:13.021469,  3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
> [2019/06/26 11:24:13.022945,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)

wbinfo -t says the domain join is fine, and logins via winbind work fine
too, so I'm not sure what's causing this error. As far as I can see, all the
login-related smb.conf changes didn't affect us, since we were already
on the backwards compatible defaults.

smb.conf:

> [global]
> 	deadtime = 15
> 	dns forwarder = 8.8.8.8
> 	kerberos method = system keytab
> 	logging = syslog
> 	realm = AD.TAO.AT
> 	security = ADS
> 	server string = Netzlaufwerke Graz
> 	template homedir = /home/%U
> 	template shell = /bin/bash
> 	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
> 	winbind use default domain = Yes
> 	workgroup = AD

> 	idmap config ad : unix_nss_info = yes

This was the only change that seemed necessary for a pure domain member
like this.

> 	idmap config ad : schema_mode = rfc2307
> 	idmap config ad : range = 4500-50000
> 	idmap config ad : backend = ad
> 	idmap config * : range = 60000-61000
> 	idmap_ldb:use rfc2307 = yes
> 	idmap config * : backend = tdb
> 	acl group control = Yes
> 	aio read size = 16384
> 	aio write size = 16384
> 	create mask = 0770
> 	directory mask = 0770
> 	force create mode = 0660
> 	force directory mode = 02770
> 	inherit acls = Yes
> 	inherit owner = windows and unix
> 	inherit permissions = Yes
> 	read only = No
> 	use sendfile = Yes
> 
> 
> [homes]
> 	comment = ~
> 	volume = nethome
> 
> 
> [print$]
> 	comment = Druckertreiber Windows
> 	path = /srv/smb/Drucker/
> 
> 
> [printers]
> 	browseable = No
> 	comment = Drucker
> 	path = /var/spool/samba
> 	printable = Yes
> 
> 
> [public-graz]
> 	comment = S:
> 	path = /srv/smb
> 	vfs objects = recycle
> 	volume = Graz
> 	recycle:versions = yes
> 	recycle:keeptree = yes



-- 
Best Regards,
Sven Schwedas, System Administrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Part of TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at
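
Added example (not part of the original post and not Samba code): a Python check that pulls the principal, kvno and enctype out of the `gse.c` failure line quoted above and compares them with a `klist -ke` listing of the system keytab. The keytab listing is constructed, MIT `klist -ke` output format is assumed, and the function names are hypothetical.

```python
import re

# MIT krb5 and Heimdal spell the RC4 enctype differently; treat them as one.
RC4_ALIASES = {"arcfour-hmac-md5", "rc4-hmac", "arcfour-hmac"}
# The list archive renders "@" as " at ", so accept both separators.
GSE_RE = re.compile(
    r"Failed to find (?P<spn>\S+?)(?:@| at )(?P<realm>[^\s(]+)\(kvno (?P<kvno>\d+)\)"
    r" in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")

def norm_enctype(name):
    name = name.strip().lower().split(":")[-1]  # drops MIT's "DEPRECATED:" prefix
    return "arcfour-hmac" if name in RC4_ALIASES else name

def parse_klist(text):
    """Return [(kvno, principal, enctype)] from `klist -ke` output."""
    hits = (KLIST_RE.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2].lower(), norm_enctype(m[3])) for m in hits if m]

def diagnose(log_line, klist_text):
    """Compare the key smbd asked for with what the keytab listing holds."""
    m = GSE_RE.search(log_line)
    if not m:
        return ("no-match", "")
    # Assumption: lower-casing both sides is good enough for AD-style names.
    want = f"{m['spn']}@{m['realm']}".lower()
    kvno, etype = int(m["kvno"]), norm_enctype(m["enctype"])
    mine = [e for e in parse_klist(klist_text) if e[1] == want]
    if not mine:
        return ("principal-missing", want)
    at_kvno = {e[2] for e in mine if e[0] == kvno}
    if not at_kvno:
        return ("kvno-mismatch", f"keytab has kvno {sorted({e[0] for e in mine})}")
    if etype not in at_kvno:
        return ("enctype-missing", f"kvno {kvno} only has {sorted(at_kvno)}")
    return ("present", f"{want} kvno {kvno} {etype}")

LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
       "Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab "
       "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")
# Constructed `klist -ke /etc/krb5.keytab` listing, not taken from the post.
KLIST = """\
KVNO Principal
---- ----------------------------------------------------------------
 100 cifs/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
 100 cifs/graz-file.ad.tao.at@AD.TAO.AT (aes128-cts-hmac-sha1-96)
  99 cifs/graz-file.ad.tao.at@AD.TAO.AT (DEPRECATED:arcfour-hmac)
"""
print(diagnose(LOG, KLIST))
```

Replacing `KLIST` with the member server's real `klist -ke` output separates the three cases the log message cannot distinguish by itself: principal absent, key present only at another kvno, or key present at that kvno but not in the requested enctype.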
