[Samba] Samba 4.10 member: SMB login no longer working
Sven Schwedas
sven.schwedas at tao.at
Wed Jun 26 14:39:01 UTC 2019
On 26.06.19 16:25, L.P.H. van Belle via samba wrote:
> Hi,
>
> And OMG... You're right, it's my fault. :-/
>
> I didn't say to you, you needed to make the changes, to change what Rowland showed.
> I'm really sorry.. ;-) When I'm in Austria I'll buy you a beer.
> Or if you want, teach you snowboarding.. I have another guy in Austria that can't ski/board.
> I'm going to teach him also. .. So funny, a Dutch guy teaching two Austrian guys.. :-)
>
> And how is it running now, do you notice your network is running better after the big changes?
The big change – updating the DCs – hasn't happened just yet, I'm just
testing the waters with the file servers. But having fewer outages than
before certainly helps already.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas via samba
>> Sent: Wednesday 26 June 2019 16:02
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
>>
>> On 26.06.19 15:32, L.P.H. van Belle via samba wrote:
>>> Sven...
>>>
>>> What did you do. .. I thought, this was all done/fixed. ;-)
>>
>> I installed your packages, so naturally everything is your fault. ;)
>>
>> Setting
>>
>>> kerberos method = secrets and keytab
>>
>> as suggested by Rowland did the trick. Guess I was too overzealous in
>> trying to merge the servers' different smb.conf files together.
>>
>>>> Failed to find
>>>> cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab
>>>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>
>>> You need to add the cifs/spn also to the AD and the keytab.
>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
>>>> Sent: Wednesday 26 June 2019 15:16
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
>>>>
>>>> On 26/06/2019 10:36, Sven Schwedas via samba wrote:
>>>>> Overall domain architecture hasn't changed since my spring cleanup post
>>>>> earlier (I did sort out the krb5 packages and logging settings, though).
>>>>>
>>>>> To start the migration, I figured I'd first update the file servers,
>>>>> since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 →
>>>>> 4.9, 4.9 → 4.10 seemed to work fine each step.
>>>>>
>>>>> However, SMB logins either with smbclient or with Windows, Mac clients
>>>>> no longer work, generating the following error message:
>>>>>
>>>>>> [2019/06/26 11:24:13.015993, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
>>>>>> Selected protocol SMB2_10
>>>>>> [2019/06/26 11:24:13.021148, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>>>>> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>>>> [2019/06/26 11:24:13.021265, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>>>>>> gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>>>>> [2019/06/26 11:24:13.021469, 3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
>>>>>> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
>>>>>> [2019/06/26 11:24:13.022945, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
>>>>>> Server exit (NT_STATUS_END_OF_FILE)
>>>>> wbinfo -t says the domain join is fine, and logins via winbind work fine
>>>>> too, so I'm not sure what's causing this error. As far as I can see, all the
>>>>> login-related smb.conf changes didn't affect us, since we were already
>>>>> on the backwards compatible defaults.
>>>>>
>>>>> smb.conf:
>>>>>
>>>>>> [global]
>>>>>> deadtime = 15
>>>>>> dns forwarder = 8.8.8.8
>>>>>> kerberos method = system keytab
>>>>>> logging = syslog
>>>>>> realm = AD.TAO.AT
>>>>>> security = ADS
>>>>>> server string = Netzlaufwerke Graz
>>>>>> template homedir = /home/%U
>>>>>> template shell = /bin/bash
>>>>>> tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
>>>>>> winbind use default domain = Yes
>>>>>> workgroup = AD
>>>>>> idmap config ad : unix_nss_info = yes
>>>>> This was the only change that seemed necessary for a pure domain member
>>>>> like this.
>>>>>
>>>>>> idmap config ad : schema_mode = rfc2307
>>>>>> idmap config ad : range = 4500-50000
>>>>>> idmap config ad : backend = ad
>>>>>> idmap config * : range = 60000-61000
>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>> idmap config * : backend = tdb
>>>>>> acl group control = Yes
>>>>>> aio read size = 16384
>>>>>> aio write size = 16384
>>>>>> create mask = 0770
>>>>>> directory mask = 0770
>>>>>> force create mode = 0660
>>>>>> force directory mode = 02770
>>>>>> inherit acls = Yes
>>>>>> inherit owner = windows and unix
>>>>>> inherit permissions = Yes
>>>>>> read only = No
>>>>>> use sendfile = Yes
>>>>>>
>>>>>>
>>>>>> [homes]
>>>>>> comment = ~
>>>>>> volume = nethome
>>>>>>
>>>>>>
>>>>>> [print$]
>>>>>> comment = Druckertreiber Windows
>>>>>> path = /srv/smb/Drucker/
>>>>>>
>>>>>>
>>>>>> [printers]
>>>>>> browseable = No
>>>>>> comment = Drucker
>>>>>> path = /var/spool/samba
>>>>>> printable = Yes
>>>>>>
>>>>>>
>>>>>> [public-graz]
>>>>>> comment = S:
>>>>>> path = /srv/smb
>>>>>> vfs objects = recycle
>>>>>> volume = Graz
>>>>>> recycle:versions = yes
>>>>>> recycle:keeptree = yes
>>>>
>>>> I would remove these lines:
>>>>
>>>> dns forwarder = 8.8.8.8
>>>>
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> They only make sense on a DC
>>>>
>>>> I would also replace 'kerberos method = system keytab' with 'kerberos
>>>> method = secrets and keytab'
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>>
>>
>> --
>> Best Regards,
>> Sven Schwedas, System Administrator
>> ✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
>> TAO Digital | Part of TAO Beratungs- & Management GmbH
>> Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
>> A8020 Graz | https://www.tao-digital.at
>>
>
>
--
Best Regards,
Sven Schwedas, System Administrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital | Part of TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
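
Added example (not part of the original thread, and not Samba's own code): a parser that pulls the requested service principal, kvno and encryption type out of smbd's "Failed to find ... in keytab" log records, so they can be compared with the entries the keytab actually holds. The sample log is constructed with placeholder host and realm names, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in smbd's log layout: a bracketed header line
# (timestamp, debug level, source location), then indented message lines.
SAMPLE_LOG = """\
[2019/06/26 11:24:13.015993,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2019/06/26 11:24:13.021148,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find
  cifs/fileserver.example.com@EXAMPLE.COM(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2019/06/26 11:25:40.500000,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fileserver.example.com@EXAMPLE.COM(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
# Accept "@" as logged, or " at " as mailing-list archives rewrite it.
MISS = re.compile(
    r"Failed to find (?P<spn>\S+?)(?:@| at )(?P<realm>[^\s(]+)\(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")

def records(text):
    """Yield (timestamp, message) with continuation lines joined."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), []
        elif stamp and line.strip():
            parts.append(line.strip())
    if stamp:
        yield stamp, " ".join(parts)

def keytab_misses(text):
    """Count keytab lookup failures per (spn, realm, kvno, keytab, enctype)."""
    hits = Counter()
    for _, msg in records(text):
        m = MISS.search(msg)
        if m:
            hits[(m["spn"], m["realm"], int(m["kvno"]), m["keytab"], m["enctype"])] += 1
    return hits

if __name__ == "__main__":
    for (spn, realm, kvno, keytab, enc), n in keytab_misses(SAMPLE_LOG).items():
        print(f"{n}x {spn}@{realm} kvno={kvno} enctype={enc} missing from {keytab}")
```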