[Samba] Samba 4.10 member: SMB login no longer working
Sven Schwedas
sven.schwedas at tao.at
Wed Jun 26 14:02:19 UTC 2019
On 26.06.19 15:32, L.P.H. van Belle via samba wrote:
> Sven...
>
> What did you do. .. I thought, this was all done/fixed. ;-)
I installed your packages, so naturally everything is your fault. ;)
Setting
> kerberos method = secrets and keytab
as suggested by Rowland did the trick. Guess I was too overzealous in
trying to merge the servers' different smb.conf files together.
>> Failed to find cifs/graz-file.ad.tao.at@AD.TAO.AT(kvno 100) in keytab
>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> You need to add the cifs/spn also to the AD and the keytab.
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
>> Sent: Wednesday 26 June 2019 15:16
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
>>
>> On 26/06/2019 10:36, Sven Schwedas via samba wrote:
>>> Overall domain architecture hasn't changed since my spring cleanup post
>>> earlier (I did sort out the krb5 packages and logging settings, though).
>>>
>>> To start the migration, I figured I'd first update the file servers,
>>> since they're the least critical component. Upgrade 4.5 -> 4.8, 4.8 ->
>>> 4.9, 4.9 -> 4.10 seemed to work fine each step.
>>>
>>> However, SMB logins either with smbclient or with Windows, Mac clients
>>> no longer work, generating the following error message:
>>>
>>>> [2019/06/26 11:24:13.015993, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
>>>> Selected protocol SMB2_10
>>>> [2019/06/26 11:24:13.021148, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>>> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at@AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>> [2019/06/26 11:24:13.021265, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>>>> gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>>> [2019/06/26 11:24:13.021469, 3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
>>>> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
>>>> [2019/06/26 11:24:13.022945, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
>>>> Server exit (NT_STATUS_END_OF_FILE)
>>> wbinfo -t says the domain join is fine, and logins via winbind work fine
>>> too, so I'm not sure what's causing this error. As far as I can see, all
>>> the login-related smb.conf changes didn't affect us, since we were
>>> already on the backwards compatible defaults.
>>>
>>> smb.conf:
>>>
>>>> [global]
>>>> deadtime = 15
>>>> dns forwarder = 8.8.8.8
>>>> kerberos method = system keytab
>>>> logging = syslog
>>>> realm = AD.TAO.AT
>>>> security = ADS
>>>> server string = Netzlaufwerke Graz
>>>> template homedir = /home/%U
>>>> template shell = /bin/bash
>>>> tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
>>>> winbind use default domain = Yes
>>>> workgroup = AD
>>>> idmap config ad : unix_nss_info = yes
>>> This was the only change that seemed necessary for a pure domain member
>>> like this.
>>>
>>>> idmap config ad : schema_mode = rfc2307
>>>> idmap config ad : range = 4500-50000
>>>> idmap config ad : backend = ad
>>>> idmap config * : range = 60000-61000
>>>> idmap_ldb:use rfc2307 = yes
>>>> idmap config * : backend = tdb
>>>> acl group control = Yes
>>>> aio read size = 16384
>>>> aio write size = 16384
>>>> create mask = 0770
>>>> directory mask = 0770
>>>> force create mode = 0660
>>>> force directory mode = 02770
>>>> inherit acls = Yes
>>>> inherit owner = windows and unix
>>>> inherit permissions = Yes
>>>> read only = No
>>>> use sendfile = Yes
>>>>
>>>>
>>>> [homes]
>>>> comment = ~
>>>> volume = nethome
>>>>
>>>>
>>>> [print$]
>>>> comment = Druckertreiber Windows
>>>> path = /srv/smb/Drucker/
>>>>
>>>>
>>>> [printers]
>>>> browseable = No
>>>> comment = Drucker
>>>> path = /var/spool/samba
>>>> printable = Yes
>>>>
>>>>
>>>> [public-graz]
>>>> comment = S:
>>>> path = /srv/smb
>>>> vfs objects = recycle
>>>> volume = Graz
>>>> recycle:versions = yes
>>>> recycle:keeptree = yes
>>
>> I would remove these lines:
>>
>> dns forwarder = 8.8.8.8
>>
>> idmap_ldb:use rfc2307 = yes
>>
>> They only make sense on a DC
>>
>> I would also replace 'kerberos method = system keytab' with 'kerberos
>> method = secrets and keytab'
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, System Administrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital | part of TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
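An added, offline check for the condition behind the error in this thread (example code, not from the thread, from Samba or from the Generating_Keytabs wiki page): it parses a listing shaped like `klist -k -e` output and reports which of the service principals a domain member needs for SMB (host/ and cifs/ on its FQDN) are absent at the key version the DC currently expects. The listing is constructed sample data with the cifs/ entry left out on purpose; the principal and KVNO mirror the error message above. On a real member server replace SAMPLE_LISTING with the output of `klist -k -e /etc/krb5.keytab`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# Offline check: does the keytab hold the SPN smbd reported as missing?
# Real usage: LISTING=$(klist -k -e /etc/krb5.keytab). The listing below is
# constructed sample data shaped like `klist -k -e` output, with the cifs/
# entry deliberately absent to reproduce the thread's situation.

SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  99 host/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
  99 host/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
  99 GRAZ-FILE$@AD.TAO.AT (aes256-cts-hmac-sha1-96)
 100 host/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
 100 host/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
 100 GRAZ-FILE$@AD.TAO.AT (aes256-cts-hmac-sha1-96)'

# keytab_has_entry LISTING PRINCIPAL [KVNO]
# Exit 0 if a data line (numeric KVNO column) names PRINCIPAL and, when KVNO
# is given, at that key version. The enctype column is not checked: a stale
# KVNO after a machine-password change is the usual cause of
# "Failed to find ... (kvno N) in keytab", not a missing enctype.
keytab_has_entry() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" '
        $1 ~ /^[0-9]+$/ && $2 == p && (k == "" || $1 == k) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# missing_spns LISTING FQDN REALM KVNO
# Prints, one per line, the SPNs a member server needs for SMB (host/ and
# cifs/ on its FQDN) that are absent at KVNO; prints nothing if all present.
missing_spns() {
    ms_listing=$1; ms_fqdn=$2; ms_realm=$3; ms_kvno=$4
    for ms_svc in host cifs; do
        ms_principal="$ms_svc/$ms_fqdn@$ms_realm"
        keytab_has_entry "$ms_listing" "$ms_principal" "$ms_kvno" \
            || printf '%s\n' "$ms_principal"
    done
}

# Stand-alone run against the sample: reports the cifs/ SPN as missing,
# matching what gse_get_server_auth_token logged in the thread.
missing=$(missing_spns "$SAMPLE_LISTING" graz-file.ad.tao.at AD.TAO.AT 100)
if [ -n "$missing" ]; then
    printf 'missing at kvno 100:\n%s\n' "$missing"
else
    echo 'all expected SPNs present'
fi
```

With `kerberos method = system keytab` smbd relies on the file keytab alone, so every SPN a client may ask for has to be in it at the current KVNO; `secrets and keytab` (the setting that resolved the thread) lets smbd use the machine password from secrets.tdb first and the system keytab second. If the check above lists a missing cifs/ principal, the Generating_Keytabs wiki page linked in Louis's reply covers adding the SPN to the computer object and to the keytab.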