[Samba] Samba 4.10 member: SMB login no longer working

Sven Schwedas sven.schwedas at tao.at
Wed Jun 26 14:02:19 UTC 2019


On 26.06.19 15:32, L.P.H. van Belle via samba wrote:
> Sven... 
> 
> What did you do.  .. I thought, this was all done/fixed.  ;-) 

I installed your packages, so naturally everything is your fault. ;)

Setting

> kerberos method = secrets and keytab

as suggested by Rowland did the trick. Guess I was too overzealous in
trying to merge the servers' different smb.conf files together.

>> Failed to find 
>> cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab 
>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> 
> You need to add the cifs/spn also to the AD and the keytab. 
> https://wiki.samba.org/index.php/Generating_Keytabs 
> 
> Greetz, 
> 
> Louis
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
>> Sent: Wednesday 26 June 2019 15:16
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
>>
>> On 26/06/2019 10:36, Sven Schwedas via samba wrote:
>>> Overall domain architecture hasn't changed since my spring cleanup post
>>> earlier (I did sort out the krb5 packages and logging settings, though).
>>>
>>> To start the migration, I figured I'd first update the file servers,
>>> since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 →
>>> 4.9, 4.9 → 4.10 seemed to work fine each step.
>>>
>>> However, SMB logins either with smbclient or with Windows, Mac clients
>>> no longer work, generating the following error message:
>>>
>>>> [2019/06/26 11:24:13.015993,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
>>>>    Selected protocol SMB2_10
>>>> [2019/06/26 11:24:13.021148,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>>>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>> [2019/06/26 11:24:13.021265,  1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>>>>    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>>> [2019/06/26 11:24:13.021469,  3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
>>>>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
>>>> [2019/06/26 11:24:13.022945,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
>>>>    Server exit (NT_STATUS_END_OF_FILE)
>>> wbinfo -t says the domain join is fine, and logins via winbind work fine
>>> too, so I'm not sure what's causing this error. As far as I can see, all the
>>> login-related smb.conf changes didn't affect us, since we were already
>>> on the backwards compatible defaults.
>>>
>>> smb.conf:
>>>
>>>> [global]
>>>> 	deadtime = 15
>>>> 	dns forwarder = 8.8.8.8
>>>> 	kerberos method = system keytab
>>>> 	logging = syslog
>>>> 	realm = AD.TAO.AT
>>>> 	security = ADS
>>>> 	server string = Netzlaufwerke Graz
>>>> 	template homedir = /home/%U
>>>> 	template shell = /bin/bash
>>>> 	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
>>>> 	winbind use default domain = Yes
>>>> 	workgroup = AD
>>>> 	idmap config ad : unix_nss_info = yes
>>> This was the only change that seemed necessary for a pure domain member
>>> like this.
>>>
>>>> 	idmap config ad : schema_mode = rfc2307
>>>> 	idmap config ad : range = 4500-50000
>>>> 	idmap config ad : backend = ad
>>>> 	idmap config * : range = 60000-61000
>>>> 	idmap_ldb:use rfc2307 = yes
>>>> 	idmap config * : backend = tdb
>>>> 	acl group control = Yes
>>>> 	aio read size = 16384
>>>> 	aio write size = 16384
>>>> 	create mask = 0770
>>>> 	directory mask = 0770
>>>> 	force create mode = 0660
>>>> 	force directory mode = 02770
>>>> 	inherit acls = Yes
>>>> 	inherit owner = windows and unix
>>>> 	inherit permissions = Yes
>>>> 	read only = No
>>>> 	use sendfile = Yes
>>>>
>>>>
>>>> [homes]
>>>> 	comment = ~
>>>> 	volume = nethome
>>>>
>>>>
>>>> [print$]
>>>> 	comment = Druckertreiber Windows
>>>> 	path = /srv/smb/Drucker/
>>>>
>>>>
>>>> [printers]
>>>> 	browseable = No
>>>> 	comment = Drucker
>>>> 	path = /var/spool/samba
>>>> 	printable = Yes
>>>>
>>>>
>>>> [public-graz]
>>>> 	comment = S:
>>>> 	path = /srv/smb
>>>> 	vfs objects = recycle
>>>> 	volume = Graz
>>>> 	recycle:versions = yes
>>>> 	recycle:keeptree = yes
>>
>> I would remove these lines:
>>
>> dns forwarder = 8.8.8.8
>>
>> idmap_ldb:use rfc2307 = yes
>>
>> They only make sense on a DC
>>
>> I would also replace 'kerberos method = system keytab' with 'kerberos 
>> method = secrets and keytab'
>>
>> Rowland

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at
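A sanity check for the failure discussed in this thread, added here as an example and not code from the thread or from the Samba project: it looks for the cifs/<fqdn>@REALM principal that smbd reported missing in a `klist -k -e` listing, reports its KVNO, and reads the "kerberos method" setting from smb.conf. The keytab listing and smb.conf fragments are constructed sample data (only the host name and realm are the thread's), and the listing format (principal as the second field, no -t timestamps) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): check a domain
# member's keytab for the cifs/<fqdn>@REALM principal smbd failed to find,
# and show which "kerberos method" smb.conf sets. Assumption: LISTING is
# `klist -k -e` output without -t, so the principal is the second field.

# spn_kvno LISTING SPN: prints the highest KVNO recorded for SPN;
# exit status 0 when SPN is present, 1 when it is absent.
spn_kvno() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        $2 == spn { found = 1; if ($1 + 0 > max) max = $1 + 0 }
        END { if (found) print max; exit !found }'
}

# smbconf_kerberos_method CONF: prints the "kerberos method" value from an
# smb.conf text in lower case, or "unset" when the option is not present.
smbconf_kerberos_method() {
    printf '%s\n' "$1" | awk -F '=' '
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == "kerberosmethod" { val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print (val == "" ? "unset" : val) }'
}

# check_cifs_spn LISTING CONF FQDN REALM: exit 0 when cifs/FQDN@REALM is in
# the keytab, 1 otherwise, with a one-line diagnosis on stdout.
check_cifs_spn() {
    spn="cifs/$3@$4"
    method=$(smbconf_kerberos_method "$2")
    if kvno=$(spn_kvno "$1" "$spn"); then
        echo "OK: $spn present (kvno $kvno); kerberos method = $method"
        return 0
    fi
    echo "MISSING: $spn not in keytab; kerberos method = $method"
    echo "  -> add the cifs SPN to the machine account and regenerate the keytab"
    echo "     (https://wiki.samba.org/index.php/Generating_Keytabs)"
    return 1
}

# Constructed sample data (host name and realm from the thread; entries made up).
KEYTAB_OK=' 100 host/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
 100 cifs/graz-file.ad.tao.at@AD.TAO.AT (aes256-cts-hmac-sha1-96)
 100 cifs/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)'
KEYTAB_BAD='  99 host/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)'
CONF_BAD='[global]
    kerberos method = system keytab'
CONF_OK='[global]
    kerberos method = secrets and keytab'
check_cifs_spn "$KEYTAB_BAD" "$CONF_BAD" graz-file.ad.tao.at AD.TAO.AT || true
check_cifs_spn "$KEYTAB_OK" "$CONF_OK" graz-file.ad.tao.at AD.TAO.AT
```

On a real member server, feed it `"$(klist -k -e /etc/krb5.keytab)"` and `"$(cat /etc/samba/smb.conf)"` instead of the sample strings.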
