[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab

banda bassotti bandabasotti at gmail.com
Tue Nov 5 12:17:52 UTC 2019


Luis, ok I've removed everything, step 1:

KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
klist -ke /etc/krb5.keytab2|grep 7|sort

   7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A at DOM.CORP (arcfour-hmac)
   7 cifs/FS-A at DOM.CORP (des-cbc-crc)
   7 cifs/FS-A at DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (arcfour-hmac)
   7 host/FS-A at DOM.CORP (des-cbc-crc)
   7 host/FS-A at DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)

step 2:
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP

klist

   7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A at DOM.CORP (arcfour-hmac)
   7 cifs/FS-A at DOM.CORP (des-cbc-crc)
   7 cifs/FS-A at DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (arcfour-hmac)
   7 host/FS-A at DOM.CORP (des-cbc-crc)
   7 host/FS-A at DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)

systemctl start nmbd smbd winbind

test from Windows machine:

[2019/11/05 13:14:49.108879,  1]
../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

On Tue 5 Nov 2019 at 12:40 L.P.H. van Belle <belle at bazuin.nl>
wrote:

> Ok, you did too much as far as I can tell.
>
> You want to see this: I'll show my output, then it is better to see what I
> mean.
>
> This is where you start with.
> klist -ke |sort  ( default member )
> ----
> --------------------------------------------------------------------------
>    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (arcfour-hmac)
>    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-crc)
>    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-md5)
>    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (aes128-cts-hmac-sha1-96)
>    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (aes256-cts-hmac-sha1-96)
>    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
>    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
>    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
>
> In my case, my server's "real" name is hostname1 and I have an alias, let's
> say mycrazyserver
>
> /etc/hosts
> 127.0.0.1     localhost
> 192.168.0.1   hostname1.internal.domain.tld hostname1
> mycrazyserver.internal.domain.tld
> Host format:
> IP      REAL_HOSTNAME_FQDN ALIAS ALIAS
>
> Note, adding  mycrazyserver.internal.domain.tld should not be needed,
> because that is resolved through dns.
>
> ping mycrazyserver.internal.domain.tld will respond its reply with
> hostname1.internal.domain.tld hostname1
>
> If you add CIFS to your keytab you want to see :
>    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (aes128-cts-hmac-sha1-96)
>    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (aes256-cts-hmac-sha1-96)
>    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
>    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
>    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
> ( + whats above )
>
> That's it..
>
> So your output should look like this.
>
>        7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>        7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>        7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>        7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>        7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>        7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>        7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>        7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>        7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>        7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>        7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>        7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>        7 FS-A$@DOM.CORP (arcfour-hmac)
>        7 FS-A$@DOM.CORP (des-cbc-crc)
>        7 FS-A$@DOM.CORP (des-cbc-md5)
>        7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>        7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong
>        7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>        7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
>        7 host/FS-A at DOM.CORP (arcfour-hmac)
>        7 host/FS-A at DOM.CORP (arcfour-hmac)      < double = wrong
>        7 host/FS-A at DOM.CORP (des-cbc-crc)
>        7 host/FS-A at DOM.CORP (des-cbc-crc)       < double = wrong
>        7 host/FS-A at DOM.CORP (des-cbc-md5)
>        7 host/FS-A at DOM.CORP (des-cbc-md5)       < double = wrong
>        7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>        7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>        7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>        7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>        7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>
>
> So try again. ;-)
>
> Greetz,
>
> Louis
>
> ________________________________
>
>         From: banda bassotti [mailto:bandabasotti at gmail.com]
>         Sent: Tuesday 5 November 2019 12:06
>         To: L.P.H. van Belle
>         CC: samba at lists.samba.org
>         Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp
> (kvno 109) in keytab
>
>
>         Luis, thank you very much, I followed the procedure step by step
> (which I had already done) but unfortunately I always have the same error:
>
>
>         [2019/11/05 11:49:47.748159,  1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>
>           gss_accept_sec_context failed with [ Miscellaneous failure (see
> text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
>
>         please pay attention to (kvno 113): the problem is here and not the
> keytab file.
>
>
>         klist -ke /etc/krb5.keytab
>         Keytab name: FILE:/etc/krb5.keytab
>         KVNO Principal
>         ----
> --------------------------------------------------------------------------
>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>            7 host/FS-A at DOM.CORP (des-cbc-crc)
>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>            7 host/FS-A at DOM.CORP (des-cbc-md5)
>            7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>            7 host/FS-A at DOM.CORP (arcfour-hmac)
>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>            7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>            7 FS-A$@DOM.CORP (des-cbc-crc)
>            7 FS-A$@DOM.CORP (des-cbc-md5)
>            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 FS-A$@DOM.CORP (arcfour-hmac)
>            7 host/FS-A at DOM.CORP (des-cbc-crc)
>            7 host/FS-A at DOM.CORP (des-cbc-md5)
>            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/FS-A at DOM.CORP (arcfour-hmac)
>            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>            7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>            7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>
>
>         to temporarily solve this problem I must extract the keytab of the
> oldsamba from the domain controller and import it with ktutil:
>
>         # ktutil
>         ktutil:  rkt oldsamba.keytab
>         ktutil:  l
>         slot KVNO Principal
>         ---- ----
> ---------------------------------------------------------------------
>            1  112           cifs/oldsamba at DOM.CORP
>            2  112           cifs/oldsamba at DOM.CORP
>            3  112           cifs/oldsamba at DOM.CORP
>            4  113           cifs/oldsamba at DOM.CORP
>            5  113           cifs/oldsamba at DOM.CORP
>            6  113           cifs/oldsamba at DOM.CORP
>
>
>         please note the kvno column.
>
>
>         On Tue 5 Nov 2019 at 11:30 L.P.H. van Belle <
> belle at bazuin.nl> wrote:
>
>
>                 Hai,
>
>                 I've re-read your thread, and there are a few things
> going on..
>                 I suggest you do the following..
>
>                 Change these.
>
>                 /etc/krb5.conf
>                 [libdefaults]
>                   default_realm = DOM.CORP
>                   dns_lookup_kdc = true
>                   dns_lookup_realm = false
>                   forwardable = true
>                   proxiable = true
>                   kdc_timesync = 1
>                   debug = false
>
>
>                 /etc/samba/smb.conf
>                 [Global]
>                    workgroup = WG1
>                    realm = DOM.CORP
>                    # Netbios names in CAPS, see..
>                    #
> https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
>                    #
> https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>                    # Verify in DNS the following, A - PTR records for
> netbios name, setup CNAME for all alias-names,
>                    # point CNAME to the A record if which the PTR also
> exists..
>                    netbios name = FS-A
>                    netbios aliases = OLDSAMBA
>                    security = ADS
>                    #
>                    kerberos method = secrets and keytab
>                    dedicated keytab file = /etc/krb5.keytab
>                    # renew the kerberos ticket
>                    winbind refresh tickets = yes
>
>
>                 ON THIS MEMBER... ( you don't run : samba-tool spn list
> ..... )
>                 You run : net ads keytab
>
>                 cp /etc/krb5.keytab{,.backup}
>                 kinit Administrator
>                 KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
>                 Verify this keytab.
>                 klist -ke /etc/krb5.keytab2
>
>                 You want to see :
>                 host/NETBIOSNAME at DOM.CORP  ( x5 )
>                 host/fqdn.hostname.dom.tld at DOM.CORP  ( x5 )
>                 NETBIOSNAME$@DOM.CORP  ( x5 )
>
>                 If you see these..  Then run this to add the cifs
> keytab.
>
>                 KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
>                 KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
>
>                 Verify the keytab file again.
>                 klist -ke /etc/krb5.keytab2
>
>                 If it all looks good.
>
>                 Stop all samba services
>                 rm /etc/krb5.keytab  .. ( a backupfile is made if you
> followed above )
>                 mv /etc/krb5.keytab2 /etc/krb5.keytab
>
>
>                 That "should" do the trick..
>
>
>
>                 Greetz,
>
>                 Louis
>
>
>
>
>                 > -----Original message-----
>                 > From: samba [mailto:samba-bounces at lists.samba.org]
> On behalf of
>                 > banda bassotti via samba
>                 > Sent: Tuesday 5 November 2019 9:49
>                 > To: Rowland penny
>                 > CC: sambalist
>                 > Subject: Re: [Samba] Failed to find
> cifs/fs-share at dom.corp
>                 > (kvno 109) in keytab
>                 >
>                 > Hi, nothing to do, despite having set winbind not to
> change
>                 > the machine
>                 > password the behavior is the same. I do not know what to
> do.
>                 > Other ideas?
>                 >
>                 > thnx.
>                 >
>                 > On Tue 29 Oct 2019 at 11:37 banda bassotti <
>                 > bandabasotti at gmail.com> wrote:
>                 >
>                 > > Hi, the problem seems to be related to this bug:
>                 > >
>                 > >   https://bugzilla.samba.org/show_bug.cgi?id=6750
>                 > >
>                 > > I try therefore to set
>                 > >
>                 > >   machine password timeout = 0
>                 > >
>                 > >
>                 > >
>                 > > On Tue 29 Oct 2019 at 11:11 Rowland penny
> via samba <
>                 > > samba at lists.samba.org> wrote:
>                 > >
>                 > >> On 29/10/2019 10:04, banda bassotti wrote:
>                 > >> > I had already done it:
>                 > >> >
>                 > >> > # samba-tool spn list newsamba\$
>                 > >> > newsamba$
>                 > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has
> the following
>                 > >> > servicePrincipalName:
>                 > >> >          HOST/NEWSAMBA
>                 > >> >          HOST/newsamba.domain.corp
>                 > >> >          cifs/oldsamba at DOMAIN.CORP
>                 > >> >          cifs/oldsamba.domain.corp at DOMAIN.CORP
>                 > >>
>                 > >>  From your log fragment, it appears to be looking for
>                 > >> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You
> will
>                 > probably have to
>                 > >> remove the lowercase version SPN and replace it with
> the uppercase
>                 > >> version.
>                 > >>
>                 > >> Rowland
>                 > >>
>                 > >>
>                 > >>
>                 > >> --
>                 > >> To unsubscribe from this list go to the following URL
> and read the
>                 > >> instructions:
> https://lists.samba.org/mailman/options/samba
>                 > >>
>                 > >
>                 >
>                 >
>
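As an added diagnostic for the two symptoms in this thread (duplicate keytab entries, and a ticket kvno that no entry for the principal carries), written here and not part of the thread or of Samba: a small Python checker that parses constructed `klist -ke` output and the quoted gse.c log line. The archive renders the "@" in principals as " at "; the constructed sample uses the real "@" that klist prints.

```python
import re
from collections import Counter

# Constructed sample in the shape of the thread's `klist -ke` output
# (not the poster's real file); the archive shows "@" as " at ".
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
"""

# Constructed copy of the smbd log line quoted in the thread.
LOG_LINE = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
            "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab "
            "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
ERROR_RE = re.compile(r"Failed to find (\S+?)\s*\(kvno (\d+)\) in keytab")

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def duplicates(entries):
    """Entries listed more than once: the '< double = wrong' case."""
    return sorted(e for e, n in Counter(entries).items() if n > 1)

def parse_error(line):
    """Pull (principal, kvno) out of the gse.c 'Failed to find' message."""
    m = ERROR_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None

def diagnose(entries, principal, kvno):
    """Compare the kvno the KDC used for the ticket with what the keytab holds.
    'kvno-mismatch' means the SPN is in the keytab but under another key
    version, so the key that encrypted the client's ticket is not on this host."""
    kvnos = sorted({k for k, p, _ in entries if p == principal})
    if kvno in kvnos:
        return ("ok", kvnos)
    return ("kvno-mismatch", kvnos) if kvnos else ("missing", kvnos)

if __name__ == "__main__":
    entries = parse_klist(KLIST_OUTPUT)
    for dup in duplicates(entries):
        print("duplicate keytab entry:", dup)
    principal, kvno = parse_error(LOG_LINE)
    print(principal, kvno, diagnose(entries, principal, kvno))
```

Run against a real `klist -ke /etc/krb5.keytab` capture and the smbd log line to see at a glance whether the problem is the keytab file (missing or doubled entries) or, as in this thread, a key version the member never received.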

