[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 5 10:30:31 UTC 2019
Hai,

I've re-read your thread, and there are a few things going on..
I suggest you do the following..

Change these.

/etc/krb5.conf

[libdefaults]
    default_realm = DOM.CORP
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    kdc_timesync = 1
    debug = false

/etc/samba/smb.conf

[Global]
    workgroup = WG1
    realm = DOM.CORP
    # Netbios names in CAPS, see..
    # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
    # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
    # Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names,
    # point CNAME to the A record for which the PTR also exists..
    netbios name = FS-A
    netbios aliases = OLDSAMBA
    security = ADS
    #
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes

ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
You run : net ads keytab

    cp /etc/krb5.keytab{,.backup}
    kinit Administrator
    KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P

Verify this keytab.

    klist -ke /etc/krb5.keytab2

You want to see :

    host/NETBIOSNAME@DOM.CORP ( x5 )
    host/fqdn.hostname.dom.tld@DOM.CORP ( x5 )
    NETBIOSNAME$@DOM.CORP ( x5 )

If you see these.. Then run this to add the cifs keytab.

    KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
    KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$

Verify the keytab file again.

    klist -ke /etc/krb5.keytab2

If it all looks good.
Stop all samba services

    rm /etc/krb5.keytab .. ( a backup file is made if you followed above )
    mv /etc/krb5.keytab2 /etc/krb5.keytab

That "should" do the trick..

Greetz,

Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> banda bassotti via samba
> Sent: Tuesday 5 November 2019 9:49
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp
> (kvno 109) in keytab
>
> hi, nothing to do, despite having set winbind not to change the machine
> password the behavior is the same. I do not know what to do.
> other ideas?
>
> thnx.
>
> On Tue 29 Oct 2019 at 11:37, banda bassotti <
> bandabasotti at gmail.com> wrote:
>
> > Hi, the problem seems to be related to this bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=6750
> >
> > I try therefore to set
> >
> > machine password timeout = 0
> >
> >
> >
> > On Tue 29 Oct 2019 at 11:11, Rowland penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On 29/10/2019 10:04, banda bassotti wrote:
> >> > I had already done it:
> >> >
> >> > # samba-tool spn list newsamba\$
> >> > newsamba$
> >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> >> > servicePrincipalName:
> >> > HOST/NEWSAMBA
> >> > HOST/newsamba.domain.corp
> >> > cifs/oldsamba@DOMAIN.CORP
> >> > cifs/oldsamba.domain.corp@DOMAIN.CORP
> >>
> >> From your log fragment, it appears to be looking for
> >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to
> >> remove the lowercase version SPN and replace it with the uppercase
> >> version.
> >>
> >> Rowland
>
>
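
As an added example (not part of the original message or of Samba's own tooling): a shell check over `klist -ke` output that reports which expected principals are absent, comparing case-sensitively as discussed in the thread, and which kvno values a principal holds. It assumes the MIT Kerberos `klist` listing layout; the function names, host name fs-a.dom.corp, kvno values and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the MIT Kerberos
# `klist -ke` layout: "<kvno> <principal> (<enctype>)" per entry.

# keytab_missing REALM PRINCIPAL...
# Reads `klist -ke` output on stdin and prints every expected principal that
# has no entry. Comparison is case-sensitive: cifs/oldsamba != cifs/OLDSAMBA.
keytab_missing() {
    realm=$1; shift
    awk -v realm="$realm" -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        $1 ~ /^[0-9]+$/ && NF >= 2 { seen[$2] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                key = w[i] "@" realm
                if (!(key in seen)) print w[i]
            }
        }'
}

# keytab_kvnos PRINCIPAL@REALM
# Prints the distinct key version numbers stored for that principal, so they
# can be compared with the kvno named in a "Failed to find ... (kvno N)" log.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p && !d[$1]++ { print $1 }'
}

# Constructed sample listing (hypothetical host fs-a.dom.corp, made-up kvnos).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab2
KVNO Principal
---- ------------------------------------------------------------
   3 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   3 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   3 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   3 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   2 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   3 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
EOF
}

# Demo on the sample; on a real member pipe `klist -ke /etc/krb5.keytab2` in.
sample_klist | keytab_missing DOM.CORP host/FS-A host/fs-a.dom.corp \
    'FS-A$' cifs/fs-a.dom.corp cifs/OLDSAMBA          # prints cifs/OLDSAMBA
sample_klist | keytab_kvnos 'cifs/oldsamba@DOM.CORP'  # prints 2 then 3
```

An empty result from `keytab_missing` means every expected principal has at least one entry; it does not check that each one has all five enctypes.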