[Samba] Samba 4.10 member: SMB login no longer working

Sven Schwedas sven.schwedas at tao.at
Wed Jun 26 14:39:01 UTC 2019


On 26.06.19 16:25, L.P.H. van Belle via samba wrote:
> Hai, 
> 
> And OMG... You're right, it's my fault. :-/ 
> 
> I didn't say to you, you needed to make the changes, to change what Rowland showed. 
> I'm really sorry..   ;-) When I'm in Austria I'll buy you a beer. 
> Or if you want, teach you snowboarding.. I have another guy in Austria who can't ski/board. 
> I'm going to teach him also. .. So funny, a Dutch guy teaching two Austrian guys.. :-) 
> 
> And how is it running now, do you notice your network is running better after the big changes? 

The big change – updating the DCs – hasn't happened just yet, I'm just
testing the waters with the file servers. But having fewer outages than
before certainly helps already.

> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas via samba
>> Sent: Wednesday, 26 June 2019 16:02
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
>>
>> On 26.06.19 15:32, L.P.H. van Belle via samba wrote:
>>> Sven... 
>>>
>>> What did you do.  .. I thought, this was all done/fixed.  ;-) 
>>
>> I installed your packages, so naturally everything is your fault. ;)
>>
>> Setting
>>
>>> kerberos method = secrets and keytab
>>
>> as suggested by Rowland did the trick. Guess I was too overzealous in
>> trying to merge the servers' different smb.conf files together.
>>
>>>> Failed to find 
>>>> cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab 
>>>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>
>>> You need to add the cifs/spn also to the AD and the keytab. 
>>> https://wiki.samba.org/index.php/Generating_Keytabs 
>>>
>>>
>>> Greetz, 
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
>>>> Sent: Wednesday, 26 June 2019 15:16
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba 4.10 member: SMB login no longer working
>>>>
>>>> On 26/06/2019 10:36, Sven Schwedas via samba wrote:
>>>>> Overall domain architecture hasn't changed since my spring cleanup post
>>>>> earlier (I did sort out the krb5 packages and logging settings, though).
>>>>>
>>>>> To start the migration, I figured I'd first update the file servers,
>>>>> since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 →
>>>>> 4.9, 4.9 → 4.10 seemed to work fine each step.
>>>>>
>>>>> However, SMB logins either with smbclient or with Windows, Mac clients
>>>>> no longer work, generating the following error message:
>>>>>
>>>>>> [2019/06/26 11:24:13.015993,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
>>>>>>    Selected protocol SMB2_10
>>>>>> [2019/06/26 11:24:13.021148,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>>>>>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>>>> [2019/06/26 11:24:13.021265,  1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>>>>>>    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>>>>> [2019/06/26 11:24:13.021469,  3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
>>>>>>    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
>>>>>> [2019/06/26 11:24:13.022945,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
>>>>>>    Server exit (NT_STATUS_END_OF_FILE)
>>>>> wbinfo -t says the domain join is fine, and logins via winbind work fine
>>>>> too, so I'm not sure what's causing this error. As far as I can see, all the
>>>>> login-related smb.conf changes didn't affect us, since we were already
>>>>> on the backwards compatible defaults.
>>>>>
>>>>> smb.conf:
>>>>>
>>>>>> [global]
>>>>>> 	deadtime = 15
>>>>>> 	dns forwarder = 8.8.8.8
>>>>>> 	kerberos method = system keytab
>>>>>> 	logging = syslog
>>>>>> 	realm = AD.TAO.AT
>>>>>> 	security = ADS
>>>>>> 	server string = Netzlaufwerke Graz
>>>>>> 	template homedir = /home/%U
>>>>>> 	template shell = /bin/bash
>>>>>> 	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
>>>>>> 	winbind use default domain = Yes
>>>>>> 	workgroup = AD
>>>>>> 	idmap config ad : unix_nss_info = yes
>>>>> This was the only change that seemed necessary for a pure domain member
>>>>> like this.
>>>>>
>>>>>> 	idmap config ad : schema_mode = rfc2307
>>>>>> 	idmap config ad : range = 4500-50000
>>>>>> 	idmap config ad : backend = ad
>>>>>> 	idmap config * : range = 60000-61000
>>>>>> 	idmap_ldb:use rfc2307 = yes
>>>>>> 	idmap config * : backend = tdb
>>>>>> 	acl group control = Yes
>>>>>> 	aio read size = 16384
>>>>>> 	aio write size = 16384
>>>>>> 	create mask = 0770
>>>>>> 	directory mask = 0770
>>>>>> 	force create mode = 0660
>>>>>> 	force directory mode = 02770
>>>>>> 	inherit acls = Yes
>>>>>> 	inherit owner = windows and unix
>>>>>> 	inherit permissions = Yes
>>>>>> 	read only = No
>>>>>> 	use sendfile = Yes
>>>>>>
>>>>>>
>>>>>> [homes]
>>>>>> 	comment = ~
>>>>>> 	volume = nethome
>>>>>>
>>>>>>
>>>>>> [print$]
>>>>>> 	comment = Druckertreiber Windows
>>>>>> 	path = /srv/smb/Drucker/
>>>>>>
>>>>>>
>>>>>> [printers]
>>>>>> 	browseable = No
>>>>>> 	comment = Drucker
>>>>>> 	path = /var/spool/samba
>>>>>> 	printable = Yes
>>>>>>
>>>>>>
>>>>>> [public-graz]
>>>>>> 	comment = S:
>>>>>> 	path = /srv/smb
>>>>>> 	vfs objects = recycle
>>>>>> 	volume = Graz
>>>>>> 	recycle:versions = yes
>>>>>> 	recycle:keeptree = yes
>>>>
>>>> I would remove these lines:
>>>>
>>>> dns forwarder = 8.8.8.8
>>>>
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> They only make sense on a DC
>>>>
>>>> I would also replace 'kerberos method = system keytab' with 'kerberos 
>>>> method = secrets and keytab'
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>>
>>
>> -- 
>> Mit freundlichen Grüßen, / Best Regards,
>> Sven Schwedas, Systemadministrator
>> ✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
>> TAO Digital   | Teil der TAO Beratungs- & Management GmbH
>> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
>> A8020 Graz    | https://www.tao-digital.at
>>
> 
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at
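
The checks discussed in this thread, as an added example that is not part of the original messages: it flags the two parameters Rowland calls DC-only and the `kerberos method = system keytab` setting in a member's smb.conf, and pulls the SPN, kvno and encryption type out of the "Failed to find ... in keytab" log entry. The function names and the sample input (example.com names, kvno 7) are constructed for illustration.

```python
import re

# Parameters the thread says only make sense on a DC (from Rowland's reply).
DC_ONLY = {"dns forwarder", "idmap_ldb:use rfc2307"}
# gse.c keytab-miss message; the list archive rewrites "@" as " at ".
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<spn>\S+?)(?:@| at )(?P<realm>[^\s(]+)\(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")

# Constructed sample input (example.com names are placeholders).
SAMPLE_CONF = """\
[global]
    dns forwarder = 192.0.2.53
    kerberos method = system keytab
    security = ADS
    idmap_ldb:use rfc2307 = yes
[share]
    dns forwarder = ignored, not in [global]
"""
SAMPLE_LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
              "Failed to find cifs/fs1.example.com@EXAMPLE.COM(kvno 7) in keytab\n"
              "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")

def parse_global(conf_text):
    """Return [global] parameters; names are lower-cased, whitespace collapsed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_member(conf_text):
    """List the changes the thread recommends for a pure domain member."""
    params = parse_global(conf_text)
    findings = [f"remove DC-only parameter: {k}" for k in sorted(DC_ONLY & params.keys())]
    if " ".join(params.get("kerberos method", "").lower().split()) == "system keytab":
        findings.append("kerberos method: replace 'system keytab' with 'secrets and keytab'")
    return findings

def parse_keytab_miss(log_text):
    """Extract SPN, realm, kvno, keytab and enctype from a keytab-miss log entry."""
    m = KEYTAB_MISS.search(" ".join(log_text.split()))
    return dict(m.groupdict(), kvno=int(m["kvno"])) if m else None
```

The SPN and kvno returned by `parse_keytab_miss` are the values to look for when listing the system keytab with `klist -k`.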
