[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab

L.P.H. van Belle belle at bazuin.nl
Tue Nov 5 11:40:53 UTC 2019


Ok, you did to much as far i can tell. 
 
You want to see this: i'll show my output, then i is better to see what i mean. 
 
this is where you start with. 
klist -ke |sort  ( default member ) 
---- --------------------------------------------------------------------------
   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (arcfour-hmac)
   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-crc)
   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-md5)
   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
 
In my case. my servers "real" name is hostname1 and i have an alias, lets say mycrazyserver
 
/etc/hosts
127.0.0.1     localhost
192.168.0.1   hostname1.internal.domain.tld hostname1  mycrazyserver.internal.domain.tld
Host format: 
IP	REAL_HOSTNAME_FQDN ALIAS ALIAS 

Note, adding  mycrazyserver.internal.domain.tld should not be needed, because that is resolved through dns. 

ping mycrazyserver.internal.domain.tld will respond its reply with hostname1.internal.domain.tld hostname1 

If you add CIFS to you keytab you want to see : 
   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
( + whats above ) 

Thats it.. 

So you output should look like this. 

       7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
       7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
       7 cifs/FS-A at DOM.CORP (arcfour-hmac)
       7 cifs/FS-A at DOM.CORP (des-cbc-crc)
       7 cifs/FS-A at DOM.CORP (des-cbc-md5)
       7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
       7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
       7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
       7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
       7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
       7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 FS-A$@DOM.CORP (arcfour-hmac)
       7 FS-A$@DOM.CORP (des-cbc-crc)
       7 FS-A$@DOM.CORP (des-cbc-md5)
       7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
       7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong 
       7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 
       7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)	< double = wrong 
       7 host/FS-A at DOM.CORP (arcfour-hmac)
       7 host/FS-A at DOM.CORP (arcfour-hmac) 	< double = wrong 
       7 host/FS-A at DOM.CORP (des-cbc-crc)
       7 host/FS-A at DOM.CORP (des-cbc-crc)	< double = wrong 
       7 host/FS-A at DOM.CORP (des-cbc-md5)
       7 host/FS-A at DOM.CORP (des-cbc-md5)	< double = wrong 
       7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
       7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
       7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
       7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
       7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)


So try again. ;-) 

Greetz, 

Louis

 
 


________________________________

	Van: banda bassotti [mailto:bandabasotti at gmail.com] 
	Verzonden: dinsdag 5 november 2019 12:06
	Aan: L.P.H. van Belle
	CC: samba at lists.samba.org
	Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
	
	
	Luis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:
	

	[2019/11/05 11:49:47.748159,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
	
	  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
	

	please pay attention to (kvno 113) the problem is here and not the keytab file.
	

	klist -ke /etc/krb5.keyatb 
	Keytab name: FILE:/etc/krb5.keytab
	KVNO Principal
	---- --------------------------------------------------------------------------
	   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
	   7 host/FS-A at DOM.CORP (des-cbc-crc)
	   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
	   7 host/FS-A at DOM.CORP (des-cbc-md5)
	   7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
	   7 host/FS-A at DOM.CORP (arcfour-hmac)
	   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
	   7 cifs/FS-A at DOM.CORP (des-cbc-crc)
	   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
	   7 cifs/FS-A at DOM.CORP (des-cbc-md5)
	   7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
	   7 cifs/FS-A at DOM.CORP (arcfour-hmac)
	   7 FS-A$@DOM.CORP (des-cbc-crc)
	   7 FS-A$@DOM.CORP (des-cbc-md5)
	   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 FS-A$@DOM.CORP (arcfour-hmac)
	   7 host/FS-A at DOM.CORP (des-cbc-crc)
	   7 host/FS-A at DOM.CORP (des-cbc-md5)
	   7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 host/FS-A at DOM.CORP (arcfour-hmac)
	   7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
	   7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
	   7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
	   7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
	   7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
	   7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
	

	to temporary solve this problem I must extract the keytab of the oldsamba from the domain controller and import with ktutil:

	# ktutil
	ktutil:  rkt oldsamba.keytab
	ktutil:  l
	slot KVNO Principal
	---- ---- ---------------------------------------------------------------------
	   1  112           cifs/oldsamba at DOM.CORP
	   2  112           cifs/oldsamba at DOM.CORP 
	   3  112           cifs/oldsamba at DOM.CORP 
	   4  113           cifs/oldsamba at DOM.CORP 
	   5  113           cifs/oldsamba at DOM.CORP 
	   6  113           cifs/oldsamba at DOM.CORP 
	

	please note the kvno column.


	Il giorno mar 5 nov 2019 alle ore 11:30 L.P.H. van Belle <belle at bazuin.nl> ha scritto:
	

		Hai, 
		
		I've re-read you thread, and there are a few things going-on.. 
		I suggest you do the following.. 
		
		Change these. 
		
		/etc/krb5.conf
		[libdefaults]
		  default_realm = DOM.CORP
		  dns_lookup_kdc = true
		  dns_lookup_realm = false
		  forwardable = true
		  proxiable = true
		  kdc_timesync = 1
		  debug = false 
		
		
		/etc/samba/smb.conf
		[Global]
		   workgroup = WG1
		   realm = DOM.CORP
		   # Netbios names in CAPS, see.. 
		   # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
		   # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and 
		   # Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names, 
		   # point CNAME to the A record if which the PTR also exists..
		   netbios name = FS-A
		   netbios aliases = OLDSAMBA
		   security = ADS
		   # 
		   kerberos method = secrets and keytab
		   dedicated keytab file = /etc/krb5.keytab
		   # renew the kerberos ticket
		   winbind refresh tickets = yes
		
		
		ON THIS MEMBER... ( you dont run : samba-tool spn list ..... ) 
		You run : net ads keytab
		
		cp /etc/krb5.keytab{,.backup}
		kinit Administrator
		KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
		
		Verify this keytab.
		klist -ke /etc/krb5.keytab2 
		
		You want to see : 
		host/NETBIOSNAME at DOM.CORP  ( x5 )
		host/fqdn.hostname.dom.tld at DOM.CORP  ( x5 )
		NETBIOSNAME$@DOM.CORP  ( x5 )
		
		This you see these..  Then run this to add the cifs keytab. 
		
		KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
		KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$ 
		
		Verify the keytab file again. 
		klist -ke /etc/krb5.keytab2  
		
		If it all looks good. 
		
		Stop all samba service
		rm /etc/krb5.keytab  .. ( a backupfile is made if you followed above ) 
		mv /etc/krb5.keytab2 /etc/krb5.keytab
		
		
		That "should" do the trick..
		
		
		
		Greetz, 
		
		Louis
		
		
		
		
		> -----Oorspronkelijk bericht-----
		> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
		> banda bassotti via samba
		> Verzonden: dinsdag 5 november 2019 9:49
		> Aan: Rowland penny
		> CC: sambalist
		> Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp 
		> (kvno 109) in keytab
		> 
		> hi, nothing to do, despite having set winbind not to change 
		> the machine
		> password the behavior is the same. I do not know what to do. 
		> other ideas?
		> 
		> thnx.
		> 
		> Il giorno mar 29 ott 2019 alle ore 11:37 banda bassotti <
		> bandabasotti at gmail.com> ha scritto:
		> 
		> > Hi, the problem seems to be related to this bug:
		> >
		> >   https://bugzilla.samba.org/show_bug.cgi?id=6750
		> >
		> > I try therefore to set
		> >
		> >   machine password timeout = 0
		> >
		> >
		> >
		> > Il giorno mar 29 ott 2019 alle ore 11:11 Rowland penny via samba <
		> > samba at lists.samba.org> ha scritto:
		> >
		> >> On 29/10/2019 10:04, banda bassotti wrote:
		> >> > I had already done it:
		> >> >
		> >> > # samba-tool spn list newsamba\$
		> >> > newsamba$
		> >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
		> >> > servicePrincipalName:
		> >> >          HOST/NEWSAMBA
		> >> >          HOST/newsamba.domain.corp
		> >> >          cifs/oldsamba at DOMAIN.CORP
		> >> >          cifs/oldsamba.domain.corp at DOMAIN.CORP
		> >>
		> >>  From your log fragment, it appears to be looking for
		> >> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You will 
		> probably have to
		> >> remove the lowercase version SPN and replace it with the uppercase
		> >> version.
		> >>
		> >> Rowland
		> >>
		> >>
		> >>
		> >> --
		> >> To unsubscribe from this list go to the following URL and read the
		> >> instructions:  https://lists.samba.org/mailman/options/samba
		> >>
		> >
		> -- 
		> To unsubscribe from this list go to the following URL and read the
		> instructions:  https://lists.samba.org/mailman/options/samba
		> 
		> 
		
		





More information about the samba mailing list