[Samba] Samba 4.10 member: SMB login no longer working

L.P.H. van Belle belle at bazuin.nl
Wed Jun 26 13:32:49 UTC 2019


Sven... 

What did you do? I thought this was all done/fixed. ;-) 

> Failed to find cifs/graz-file.ad.tao.at@AD.TAO.AT(kvno 100) in keytab 
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

You need to add the cifs/spn also to the AD and the keytab. 
https://wiki.samba.org/index.php/Generating_Keytabs 


Greetz, 

Louis






> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland penny via samba
> Sent: Wednesday, 26 June 2019 15:16
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
> 
> On 26/06/2019 10:36, Sven Schwedas via samba wrote:
> > Overall domain architecture hasn't changed since my spring cleanup post
> > earlier (I did sort out the krb5 packages and logging settings, though).
> >
> > To start the migration, I figured I'd first update the file servers,
> > since they're the least critical component. Upgrade 4.5 → 4.8,
> > 4.8 → 4.9, 4.9 → 4.10 seemed to work fine each step.
> >
> > However, SMB logins either with smbclient or with Windows, Mac clients
> > no longer work, generating the following error message:
> >
> >> [2019/06/26 11:24:13.015993,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
> >>    Selected protocol SMB2_10
> >> [2019/06/26 11:24:13.021148,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> >>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at@AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >> [2019/06/26 11:24:13.021265,  1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
> >>    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> >> [2019/06/26 11:24:13.021469,  3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
> >>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
> >> [2019/06/26 11:24:13.022945,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
> >>    Server exit (NT_STATUS_END_OF_FILE)
> > wbinfo -t says the domain join is fine, and logins via winbind work fine
> > too, so I'm not sure what's causing this error. As far as I can see, all the
> > login-related smb.conf changes didn't affect us, since we were already
> > on the backwards compatible defaults.
> >
> > smb.conf:
> >
> >> [global]
> >> 	deadtime = 15
> >> 	dns forwarder = 8.8.8.8
> >> 	kerberos method = system keytab
> >> 	logging = syslog
> >> 	realm = AD.TAO.AT
> >> 	security = ADS
> >> 	server string = Netzlaufwerke Graz
> >> 	template homedir = /home/%U
> >> 	template shell = /bin/bash
> >> 	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
> >> 	winbind use default domain = Yes
> >> 	workgroup = AD
> >> 	idmap config ad : unix_nss_info = yes
> > This was the only change that seemed necessary for a pure domain member
> > like this.
> >
> >> 	idmap config ad : schema_mode = rfc2307
> >> 	idmap config ad : range = 4500-50000
> >> 	idmap config ad : backend = ad
> >> 	idmap config * : range = 60000-61000
> >> 	idmap_ldb:use rfc2307 = yes
> >> 	idmap config * : backend = tdb
> >> 	acl group control = Yes
> >> 	aio read size = 16384
> >> 	aio write size = 16384
> >> 	create mask = 0770
> >> 	directory mask = 0770
> >> 	force create mode = 0660
> >> 	force directory mode = 02770
> >> 	inherit acls = Yes
> >> 	inherit owner = windows and unix
> >> 	inherit permissions = Yes
> >> 	read only = No
> >> 	use sendfile = Yes
> >>
> >>
> >> [homes]
> >> 	comment = ~
> >> 	volume = nethome
> >>
> >>
> >> [print$]
> >> 	comment = Druckertreiber Windows
> >> 	path = /srv/smb/Drucker/
> >>
> >>
> >> [printers]
> >> 	browseable = No
> >> 	comment = Drucker
> >> 	path = /var/spool/samba
> >> 	printable = Yes
> >>
> >>
> >> [public-graz]
> >> 	comment = S:
> >> 	path = /srv/smb
> >> 	vfs objects = recycle
> >> 	volume = Graz
> >> 	recycle:versions = yes
> >> 	recycle:keeptree = yes
> 
> I would remove these lines:
> 
> dns forwarder = 8.8.8.8
> 
> idmap_ldb:use rfc2307 = yes
> 
> They only make sense on a DC
> 
> I would also replace 'kerberos method = system keytab' with 'kerberos 
> method = secrets and keytab'
> 
> Rowland
> 
> 
> 
> 
> 

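Louis's advice above (the cifs/ SPN must exist in AD and in the keytab with the kvno smbd asks for) can be checked on the file server before retrying logins. The script below is an added example, not from this thread or from the Samba project; it assumes MIT `klist -k -e` output layout ("KVNO Principal (enctype)" rows) and uses a constructed listing modelled on the host in the thread, where the cifs/ entry is present but with a stale kvno.

```sh
#!/bin/sh
# Added example: classify the state of one SPN in a keytab listing.
# Assumed input layout is MIT "klist -k -e" output; Heimdal's ktutil differs.

# Constructed sample listing (not real output from the thread's server):
# host/ and machine-account keys are at kvno 100, but cifs/ is stuck at 99,
# which is exactly the situation behind "Failed to find cifs/... (kvno 100)".
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
 100 host/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
 100 host/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
  99 cifs/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
 100 GRAZ-FILE$@AD.TAO.AT (aes256-cts-hmac-sha1-96)'

# keytab_has_spn LISTING PRINCIPAL [KVNO]
# Exit 0 if PRINCIPAL is in LISTING; when KVNO is given, the kvno must match too.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v want="$2" -v kvno="$3" '
        $2 == want && (kvno == "" || $1 == kvno) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# spn_status LISTING PRINCIPAL KVNO
# Prints "ok" (present at the requested kvno), "stale-kvno" (present, but only
# at another kvno: the KDC rotated the key and the keytab was not refreshed),
# or "missing" (the SPN was never exported to the keytab at all).
spn_status() {
    if keytab_has_spn "$1" "$2" "$3"; then
        echo ok
    elif keytab_has_spn "$1" "$2" ""; then
        echo stale-kvno
    else
        echo missing
    fi
}

# Live check against the real keytab (not exercised by the constructed sample).
# Usage: live_spn_status cifs/host.example.com@EXAMPLE.COM 100
live_spn_status() {
    spn_status "$(klist -k -e)" "$1" "$2"
}

spn_status "$SAMPLE_KEYTAB_LISTING" cifs/graz-file.ad.tao.at@AD.TAO.AT 100
```

On the sample this prints `stale-kvno`; a `missing` result points at the wiki step (register the cifs/ SPN and re-export the keytab), while `stale-kvno` means only the keytab export is out of date.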


