[Samba] Samba 4.10 member: SMB login no longer working

L.P.H. van Belle belle at bazuin.nl
Wed Jun 26 14:25:33 UTC 2019


Hai, 

And Omg... You're right, it's my fault. :-/ 

I didn't say to you, you needed to make the changes, to change what Rowland showed. 
I'm really sorry..   ;-) when I'm in Austria I'll buy you a beer. 
Or if you want teach you snowboarding.. I have another guy in Austria that can't ski/board. 
I'm going to teach him also. .. So funny, a Dutch guy teaching two Austrian guys.. :-) 

And how is it running now, do you notice your network is running better after the big changes? 


Greetz, 

Louis



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Sven Schwedas via samba
> Sent: Wednesday, 26 June 2019 16:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
> 
> On 26.06.19 15:32, L.P.H. van Belle via samba wrote:
> > Sven... 
> > 
> > What did you do.  .. I thought, this was all done/fixed.  ;-) 
> 
> I installed your packages, so naturally everything is your fault. ;)
> 
> Setting
> 
> > kerberos method = secrets and keytab
> 
> as suggested by Rowland did the trick. Guess I was too overzealous in
> trying to merge the servers' different smb.conf files together.
> 
> >> Failed to find 
> >> cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab 
> >> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> > 
> > You need to add the cifs/spn also to the AD and the keytab. 
> > https://wiki.samba.org/index.php/Generating_Keytabs 
> > 
> > 
> > Greetz, 
> > 
> > Louis
> > 
> > 
> > 
> > 
> > 
> > 
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
> >> Sent: Wednesday, 26 June 2019 15:16
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
> >>
> >> On 26/06/2019 10:36, Sven Schwedas via samba wrote:
> >>> Overall domain architecture hasn't changed since my spring cleanup post
> >>> earlier (I did sort out the krb5 packages and logging settings, though).
> >>>
> >>> To start the migration, I figured I'd first update the file servers,
> >>> since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 →
> >>> 4.9, 4.9 → 4.10 seemed to work fine each step.
> >>>
> >>> However, SMB logins either with smbclient or with Windows, Mac clients
> >>> no longer work, generating the following error message:
> >>>
> >>>> [2019/06/26 11:24:13.015993,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
> >>>>    Selected protocol SMB2_10
> >>>> [2019/06/26 11:24:13.021148,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> >>>>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >>>> [2019/06/26 11:24:13.021265,  1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
> >>>>    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> >>>> [2019/06/26 11:24:13.021469,  3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
> >>>>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
> >>>> [2019/06/26 11:24:13.022945,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
> >>>>    Server exit (NT_STATUS_END_OF_FILE)
> >>> wbinfo -t says the domain join is fine, and logins via winbind work fine
> >>> too, so I'm not sure what's causing this error. As far as I can see, all the
> >>> login-related smb.conf changes didn't affect us, since we were already
> >>> on the backwards compatible defaults.
> >>>
> >>> smb.conf:
> >>>
> >>>> [global]
> >>>> 	deadtime = 15
> >>>> 	dns forwarder = 8.8.8.8
> >>>> 	kerberos method = system keytab
> >>>> 	logging = syslog
> >>>> 	realm = AD.TAO.AT
> >>>> 	security = ADS
> >>>> 	server string = Netzlaufwerke Graz
> >>>> 	template homedir = /home/%U
> >>>> 	template shell = /bin/bash
> >>>> 	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
> >>>> 	winbind use default domain = Yes
> >>>> 	workgroup = AD
> >>>> 	idmap config ad : unix_nss_info = yes
> >>> This was the only change that seemed necessary for a pure domain member
> >>> like this.
> >>>
> >>>> 	idmap config ad : schema_mode = rfc2307
> >>>> 	idmap config ad : range = 4500-50000
> >>>> 	idmap config ad : backend = ad
> >>>> 	idmap config * : range = 60000-61000
> >>>> 	idmap_ldb:use rfc2307 = yes
> >>>> 	idmap config * : backend = tdb
> >>>> 	acl group control = Yes
> >>>> 	aio read size = 16384
> >>>> 	aio write size = 16384
> >>>> 	create mask = 0770
> >>>> 	directory mask = 0770
> >>>> 	force create mode = 0660
> >>>> 	force directory mode = 02770
> >>>> 	inherit acls = Yes
> >>>> 	inherit owner = windows and unix
> >>>> 	inherit permissions = Yes
> >>>> 	read only = No
> >>>> 	use sendfile = Yes
> >>>>
> >>>>
> >>>> [homes]
> >>>> 	comment = ~
> >>>> 	volume = nethome
> >>>>
> >>>>
> >>>> [print$]
> >>>> 	comment = Druckertreiber Windows
> >>>> 	path = /srv/smb/Drucker/
> >>>>
> >>>>
> >>>> [printers]
> >>>> 	browseable = No
> >>>> 	comment = Drucker
> >>>> 	path = /var/spool/samba
> >>>> 	printable = Yes
> >>>>
> >>>>
> >>>> [public-graz]
> >>>> 	comment = S:
> >>>> 	path = /srv/smb
> >>>> 	vfs objects = recycle
> >>>> 	volume = Graz
> >>>> 	recycle:versions = yes
> >>>> 	recycle:keeptree = yes
> >>
> >> I would remove these lines:
> >>
> >> dns forwarder = 8.8.8.8
> >>
> >> idmap_ldb:use rfc2307 = yes
> >>
> >> They only make sense on a DC
> >>
> >> I would also replace 'kerberos method = system keytab' with 'kerberos
> >> method = secrets and keytab'
> >>
> >> Rowland
> >>
> >>
> >>
> >>
> > 
> > 
> 
> -- 
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> sven.schwedas at tao.at | +43 680 301 7167
> TAO Digital   | Teil der TAO Beratungs- & Management GmbH
> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
> A8020 Graz    | https://www.tao-digital.at
> 
> 
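
Added example (not part of the thread and not Samba project code): a small Python triage helper that pulls the SPN, kvno, keytab and enctype out of the smbd error quoted above and reviews a member's [global] section against the advice given in this thread. Function names and sample strings are constructed for illustration; the log pattern also accepts the archive's " at " in place of "@".

```python
import re

# Constructed sample: [global] lines and the smbd error quoted in the thread.
SAMPLE_CONF = """[global]
    dns forwarder = 8.8.8.8
    kerberos method = system keytab
    security = ADS
    idmap_ldb:use rfc2307 = yes
"""
SAMPLE_LOG = """gss_accept_sec_context failed with [ Miscellaneous
failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100)
in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]"""

DC_ONLY = {"dns forwarder", "idmap_ldb:use rfc2307"}  # flagged by Rowland
KEYTAB_ONLY = {"system keytab", "dedicated keytab"}   # secrets.tdb not consulted
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<spn>\S+?)(?:@| at )(?P<realm>[A-Z0-9.-]+)"
    r"\(kvno (?P<kvno>\d+)\) in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")

def parse_global(conf_text):
    """Return [global] parameters as a dict with normalised names."""
    params, section = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def review_member_conf(conf_text):
    """Findings for a 'security = ADS' member, per the advice in this thread."""
    params = parse_global(conf_text)
    if params.get("security", "").lower() != "ads":
        return []
    findings = []
    method = params.get("kerberos method", "default").lower()
    if method in KEYTAB_ONLY:
        findings.append(f"kerberos method = {method}: tickets are checked only "
                        "against the keytab; thread fix is 'secrets and keytab'")
    for name in sorted(DC_ONLY.intersection(params)):
        findings.append(f"{name}: only makes sense on a DC")
    return findings

def parse_keytab_miss(log_text):
    """Extract SPN, realm, kvno, keytab and enctype from the smbd error."""
    match = KEYTAB_MISS.search(" ".join(log_text.split()))  # undo line wrapping
    return match.groupdict() if match else None

if __name__ == "__main__":
    print(parse_keytab_miss(SAMPLE_LOG))
    print(*review_member_conf(SAMPLE_CONF), sep="\n")
```

The extracted SPN and kvno are the values to compare against the entries in the member's keytab when a keytab-only kerberos method is kept.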



