[Samba] Samba 4.10 member: SMB login no longer working

Rowland penny rpenny at samba.org
Wed Jun 26 13:16:21 UTC 2019


On 26/06/2019 10:36, Sven Schwedas via samba wrote:
> Overall domain architecture hasn't changed since my spring cleanup post
> earlier (I did sort out the krb5 packages and logging settings, though).
>
> To start the migration, I figured I'd first update the file servers,
> since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 →
> 4.9, 4.9 → 4.10 seemed to work fine each step.
>
> However, SMB logins either with smbclient or with Windows, Mac clients
> no longer work, generating the following error message:
>
>> [2019/06/26 11:24:13.015993,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
>>    Selected protocol SMB2_10
>> [2019/06/26 11:24:13.021148,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> [2019/06/26 11:24:13.021265,  1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>>    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>> [2019/06/26 11:24:13.021469,  3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
>>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
>> [2019/06/26 11:24:13.022945,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
>>    Server exit (NT_STATUS_END_OF_FILE)
> wbinfo -t says the domain join is fine, and logins via winbind work fine
> too, so I'm not sure what's causing this error. As far as I can see, all the
> login-related smb.conf changes didn't affect us, since we were already
> on the backwards compatible defaults.
>
> smb.conf:
>
>> [global]
>> 	deadtime = 15
>> 	dns forwarder = 8.8.8.8
>> 	kerberos method = system keytab
>> 	logging = syslog
>> 	realm = AD.TAO.AT
>> 	security = ADS
>> 	server string = Netzlaufwerke Graz
>> 	template homedir = /home/%U
>> 	template shell = /bin/bash
>> 	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
>> 	winbind use default domain = Yes
>> 	workgroup = AD
>> 	idmap config ad : unix_nss_info = yes
> This was the only change that seemed necessary for a pure domain member
> like this.
>
>> 	idmap config ad : schema_mode = rfc2307
>> 	idmap config ad : range = 4500-50000
>> 	idmap config ad : backend = ad
>> 	idmap config * : range = 60000-61000
>> 	idmap_ldb:use rfc2307 = yes
>> 	idmap config * : backend = tdb
>> 	acl group control = Yes
>> 	aio read size = 16384
>> 	aio write size = 16384
>> 	create mask = 0770
>> 	directory mask = 0770
>> 	force create mode = 0660
>> 	force directory mode = 02770
>> 	inherit acls = Yes
>> 	inherit owner = windows and unix
>> 	inherit permissions = Yes
>> 	read only = No
>> 	use sendfile = Yes
>>
>>
>> [homes]
>> 	comment = ~
>> 	volume = nethome
>>
>>
>> [print$]
>> 	comment = Druckertreiber Windows
>> 	path = /srv/smb/Drucker/
>>
>>
>> [printers]
>> 	browseable = No
>> 	comment = Drucker
>> 	path = /var/spool/samba
>> 	printable = Yes
>>
>>
>> [public-graz]
>> 	comment = S:
>> 	path = /srv/smb
>> 	vfs objects = recycle
>> 	volume = Graz
>> 	recycle:versions = yes
>> 	recycle:keeptree = yes

I would remove these lines:

dns forwarder = 8.8.8.8

idmap_ldb:use rfc2307 = yes

They only make sense on a DC

I would also replace 'kerberos method = system keytab' with 'kerberos method = secrets and keytab'

Rowland
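The two things worth checking after this exchange are (a) whether the member's keytab actually holds the cifs/ key at the kvno the KDC is now issuing (the log asks for kvno 100 with arcfour-hmac) and (b) whether smb.conf still carries the DC-only options and the old 'kerberos method'. The script below is an added example, not code posted by either participant or shipped by Samba. It only parses text, so it runs offline against constructed sample data; the klist listing is assumed to be in MIT `klist -ke` format (Heimdal prints a different layout), the sample keytab and smb.conf contents are constructed for illustration, and the principal name reuses the hostname from the quoted log lines.

```shell
#!/bin/sh
# Added example (not from the thread). Offline checks for the two symptoms
# discussed above. To use on a real host, feed in the output of
#   klist -ke /etc/krb5.keytab        (MIT klist format assumed)
#   cat /etc/samba/smb.conf

# keytab_has_key KLIST_OUTPUT PRINCIPAL KVNO ENCTYPE
# Succeeds only if the listing has PRINCIPAL at exactly KVNO with ENCTYPE.
# Note: MIT klist prints RC4 as "arcfour-hmac"; Samba's log says "arcfour-hmac-md5".
keytab_has_key() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" -v e="$4" '
        $1 ~ /^[0-9]+$/ && $1 == k && $2 == p && $3 == ("(" e ")") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_kvnos KLIST_OUTPUT PRINCIPAL
# Prints the distinct kvnos stored for PRINCIPAL, ascending. If the highest one
# is below the kvno in the gse.c error, the keytab is stale relative to the KDC.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -n -u
}

# smbconf_member_lint SMB_CONF_TEXT
# Flags the points Rowland raised for a domain member: the two DC-only options
# and any 'kerberos method' other than 'secrets and keytab'. Prints one line
# per finding and fails if there is at least one.
smbconf_member_lint() {
    printf '%s\n' "$1" | awk '
        {
            line = tolower($0)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line ~ /^dns forwarder[ \t]*=/ || line ~ /^idmap_ldb:use rfc2307[ \t]*=/) {
                print "DC-only option on a member server: " line; bad = 1
            }
            if (line ~ /^kerberos method[ \t]*=/) {
                v = line; sub(/^kerberos method[ \t]*=[ \t]*/, "", v)
                if (v != "secrets and keytab") {
                    print "kerberos method = " v " (expected: secrets and keytab)"; bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample keytab listing: the cifs/ key stops at kvno 99, while the
# quoted log shows the KDC issuing a ticket for kvno 100.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  98 host/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
  99 host/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
  99 host/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
  98 cifs/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
  99 cifs/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
  99 cifs/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)'

# Constructed [global] fragment with the settings the reply objects to.
SAMPLE_CONF='[global]
    dns forwarder = 8.8.8.8
    kerberos method = system keytab
    realm = AD.TAO.AT
    security = ADS
    workgroup = AD
    idmap_ldb:use rfc2307 = yes'

# Same fragment after applying the suggested changes.
FIXED_CONF='[global]
    kerberos method = secrets and keytab
    realm = AD.TAO.AT
    security = ADS
    workgroup = AD'

PRINC='cifs/graz-file.ad.tao.at@AD.TAO.AT'
echo "kvnos in keytab for $PRINC: $(keytab_kvnos "$SAMPLE_KLIST" "$PRINC" | tr '\n' ' ')"
keytab_has_key "$SAMPLE_KLIST" "$PRINC" 100 arcfour-hmac \
    || echo "missing: $PRINC kvno 100 arcfour-hmac (keytab is stale, regenerate it)"
smbconf_member_lint "$SAMPLE_CONF" || echo "smb.conf needs changes"
smbconf_member_lint "$FIXED_CONF" && echo "fixed smb.conf: no findings"
```

A kvno gap like the one in the sample means the KDC has rotated the machine account password since the keytab was written, so the keytab has to be regenerated on the member after the configuration change rather than patched by hand.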
