[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 5 11:40:53 UTC 2019
Ok, you did to much as far i can tell.
You want to see this: i'll show my output, then i is better to see what i mean.
this is where you start with.
klist -ke |sort ( default member )
---- --------------------------------------------------------------------------
3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
3 host/HOSTNAME1 at REALM.DOMAIN.TLD (arcfour-hmac)
3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-crc)
3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-md5)
3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
In my case. my servers "real" name is hostname1 and i have an alias, lets say mycrazyserver
/etc/hosts
127.0.0.1 localhost
192.168.0.1 hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld
Host format:
IP REAL_HOSTNAME_FQDN ALIAS ALIAS
Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through dns.
ping mycrazyserver.internal.domain.tld will respond its reply with hostname1.internal.domain.tld hostname1
If you add CIFS to you keytab you want to see :
3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
( + whats above )
Thats it..
So you output should look like this.
7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
7 cifs/FS-A at DOM.CORP (arcfour-hmac)
7 cifs/FS-A at DOM.CORP (des-cbc-crc)
7 cifs/FS-A at DOM.CORP (des-cbc-md5)
7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
7 FS-A$@DOM.CORP (arcfour-hmac)
7 FS-A$@DOM.CORP (des-cbc-crc)
7 FS-A$@DOM.CORP (des-cbc-md5)
7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong
7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) < double = wrong
7 host/FS-A at DOM.CORP (arcfour-hmac)
7 host/FS-A at DOM.CORP (arcfour-hmac) < double = wrong
7 host/FS-A at DOM.CORP (des-cbc-crc)
7 host/FS-A at DOM.CORP (des-cbc-crc) < double = wrong
7 host/FS-A at DOM.CORP (des-cbc-md5)
7 host/FS-A at DOM.CORP (des-cbc-md5) < double = wrong
7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
So try again. ;-)
Greetz,
Louis
________________________________
Van: banda bassotti [mailto:bandabasotti at gmail.com]
Verzonden: dinsdag 5 november 2019 12:06
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
Luis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:
[2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
please pay attention to (kvno 113) the problem is here and not the keytab file.
klist -ke /etc/krb5.keyatb
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
7 host/FS-A at DOM.CORP (des-cbc-crc)
7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
7 host/FS-A at DOM.CORP (des-cbc-md5)
7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
7 host/FS-A at DOM.CORP (arcfour-hmac)
7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
7 cifs/FS-A at DOM.CORP (des-cbc-crc)
7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
7 cifs/FS-A at DOM.CORP (des-cbc-md5)
7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
7 cifs/FS-A at DOM.CORP (arcfour-hmac)
7 FS-A$@DOM.CORP (des-cbc-crc)
7 FS-A$@DOM.CORP (des-cbc-md5)
7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
7 FS-A$@DOM.CORP (arcfour-hmac)
7 host/FS-A at DOM.CORP (des-cbc-crc)
7 host/FS-A at DOM.CORP (des-cbc-md5)
7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
7 host/FS-A at DOM.CORP (arcfour-hmac)
7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
to temporary solve this problem I must extract the keytab of the oldsamba from the domain controller and import with ktutil:
# ktutil
ktutil: rkt oldsamba.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 112 cifs/oldsamba at DOM.CORP
2 112 cifs/oldsamba at DOM.CORP
3 112 cifs/oldsamba at DOM.CORP
4 113 cifs/oldsamba at DOM.CORP
5 113 cifs/oldsamba at DOM.CORP
6 113 cifs/oldsamba at DOM.CORP
please note the kvno column.
Il giorno mar 5 nov 2019 alle ore 11:30 L.P.H. van Belle <belle at bazuin.nl> ha scritto:
Hai,
I've re-read you thread, and there are a few things going-on..
I suggest you do the following..
Change these.
/etc/krb5.conf
[libdefaults]
default_realm = DOM.CORP
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
kdc_timesync = 1
debug = false
/etc/samba/smb.conf
[Global]
workgroup = WG1
realm = DOM.CORP
# Netbios names in CAPS, see..
# https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
# https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
# Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names,
# point CNAME to the A record if which the PTR also exists..
netbios name = FS-A
netbios aliases = OLDSAMBA
security = ADS
#
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes
ON THIS MEMBER... ( you dont run : samba-tool spn list ..... )
You run : net ads keytab
cp /etc/krb5.keytab{,.backup}
kinit Administrator
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
Verify this keytab.
klist -ke /etc/krb5.keytab2
You want to see :
host/NETBIOSNAME at DOM.CORP ( x5 )
host/fqdn.hostname.dom.tld at DOM.CORP ( x5 )
NETBIOSNAME$@DOM.CORP ( x5 )
This you see these.. Then run this to add the cifs keytab.
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
Verify the keytab file again.
klist -ke /etc/krb5.keytab2
If it all looks good.
Stop all samba service
rm /etc/krb5.keytab .. ( a backupfile is made if you followed above )
mv /etc/krb5.keytab2 /etc/krb5.keytab
That "should" do the trick..
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> banda bassotti via samba
> Verzonden: dinsdag 5 november 2019 9:49
> Aan: Rowland penny
> CC: sambalist
> Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp
> (kvno 109) in keytab
>
> hi, nothing to do, despite having set winbind not to change
> the machine
> password the behavior is the same. I do not know what to do.
> other ideas?
>
> thnx.
>
> Il giorno mar 29 ott 2019 alle ore 11:37 banda bassotti <
> bandabasotti at gmail.com> ha scritto:
>
> > Hi, the problem seems to be related to this bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=6750
> >
> > I try therefore to set
> >
> > machine password timeout = 0
> >
> >
> >
> > Il giorno mar 29 ott 2019 alle ore 11:11 Rowland penny via samba <
> > samba at lists.samba.org> ha scritto:
> >
> >> On 29/10/2019 10:04, banda bassotti wrote:
> >> > I had already done it:
> >> >
> >> > # samba-tool spn list newsamba\$
> >> > newsamba$
> >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> >> > servicePrincipalName:
> >> > HOST/NEWSAMBA
> >> > HOST/newsamba.domain.corp
> >> > cifs/oldsamba at DOMAIN.CORP
> >> > cifs/oldsamba.domain.corp at DOMAIN.CORP
> >>
> >> From your log fragment, it appears to be looking for
> >> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You will
> probably have to
> >> remove the lowercase version SPN and replace it with the uppercase
> >> version.
> >>
> >> Rowland
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list