[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab

banda bassotti bandabasotti at gmail.com
Tue Nov 5 13:49:24 UTC 2019


systemctl stop nmbd smbd winbind
rm -f /etc/krb5.keytab*
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
net ads keytab create cifs/$(hostname -f)
klist -ke /etc/krb5.keytab | sort
----
--------------------------------------------------------------------------
   7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A at DOM.CORP (arcfour-hmac)
   7 cifs/FS-A at DOM.CORP (des-cbc-crc)
   7 cifs/FS-A at DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (arcfour-hmac)
   7 host/FS-A at DOM.CORP (des-cbc-crc)
   7 host/FS-A at DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

systemctl start nmbd smbd winbind

# host oldsamba
oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2

$ kinit testuser
$ smbclient //oldsamba/testuser -k -c 'ls'
Unable to initialize messaging context
session setup failed: NT_STATUS_LOGON_FAILURE

[2019/11/05 14:32:18.863122,  1]
../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2019/11/05 14:32:18.863192,  1]
../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT
content failed (next[(null)]): NT_STATUS_LOGON_FAILURE

Attached: samba-debug-info.txt

On Tue 5 Nov 2019 at 13:43 L.P.H. van Belle <belle at bazuin.nl>
wrote:

> Hai,
>
> Nope.. Too much again ;-)
>
> This is one step too much:
> step2:
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba.dom.corp at DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba at DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba$@DOM.CORP
>
> And why are you adding @REALM .. Do it exactly as shown below.
>
> Because a CNAME resolves to the REAL hostname's A record, Kerberos
> uses the A of the real hostname and (might) verify the PTR also.
>
> So again, and exactly as shown, because your "Default realm" is used
> automatically.
>
> kinit Administrator
> *(you see here:  Password for Administrator at REALM: )
>
> stop samba and related services.
>
> rm /etc/krb5.keytab2
> rm /etc/krb5.keytab
>
> # i change the keytab to the needed name (/etc/krb5.keytab)
> KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>
> net ads keytab create cifs/$(hostname -f)
>
> Verify the output.
> klist -ke /etc/krb5.keytab | sort
>
> If you see the ALIAS hostname "oldsamba" again in the keytab file,
> then remove it from smb.conf:
>
> netbios aliases = OLDSAMBA
>
> Verify the DNS and make sure your realhostname does have the A and PTR
> records set.
> And remove all A/PTR related records to OLDSAMBA.
> Add the CNAME for OLDSAMBA and point to the realhostname.
>
> Restart samba, repeat above.
>
> Still failing..
> Then get this script:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> Run it, anonymize it and post the output.
>
>
> Greetz,
>
> Louis
>
>
>
> ________________________________
>
>         From: banda bassotti [mailto:bandabasotti at gmail.com]
>         Sent: Tuesday 5 November 2019 13:18
>         To: L.P.H. van Belle
>         CC: samba at lists.samba.org
>         Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp
> (kvno 109) in keytab
>
>
>         Louis, ok, I've removed everything, step 1:
>
>         KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
>         klist -ke /etc/krb5.keytab2|grep 7|sort
>
>
>            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>            7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 FS-A$@DOM.CORP (arcfour-hmac)
>            7 FS-A$@DOM.CORP (des-cbc-crc)
>            7 FS-A$@DOM.CORP (des-cbc-md5)
>            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/FS-A at DOM.CORP (arcfour-hmac)
>            7 host/FS-A at DOM.CORP (des-cbc-crc)
>            7 host/FS-A at DOM.CORP (des-cbc-md5)
>            7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>
>
>
>         step2:
>         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba.dom.corp at DOM.CORP
>         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba at DOM.CORP
>         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba$@DOM.CORP
>
>
>         klist
>
>            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>            7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>            7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
>            7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
>            7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
>            7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 FS-A$@DOM.CORP (arcfour-hmac)
>            7 FS-A$@DOM.CORP (des-cbc-crc)
>            7 FS-A$@DOM.CORP (des-cbc-md5)
>            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/FS-A at DOM.CORP (arcfour-hmac)
>            7 host/FS-A at DOM.CORP (des-cbc-crc)
>            7 host/FS-A at DOM.CORP (des-cbc-md5)
>            7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>
>
>         systemctl start nmbd smbd winbind
>
>         test from windows machine:
>
>         [2019/11/05 13:14:49.108879,  1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>           gss_accept_sec_context failed with [ Miscellaneous failure (see
> text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
>
>         On Tue 5 Nov 2019 at 12:40 L.P.H. van Belle <
> belle at bazuin.nl> wrote:
>
>
>                 Ok, you did too much as far as I can tell.
>
>                 You want to see this: I'll show my output, then it is
> easier to see what I mean.
>
>                 This is what you start with.
>                 klist -ke |sort  ( default member )
>                 ----
> --------------------------------------------------------------------------
>                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD
> (aes128-cts-hmac-sha1-96)
>                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD
> (aes256-cts-hmac-sha1-96)
>                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (arcfour-hmac)
>                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-crc)
>                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-md5)
>                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (aes128-cts-hmac-sha1-96)
>                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (aes256-cts-hmac-sha1-96)
>                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (arcfour-hmac)
>                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (des-cbc-crc)
>                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (des-cbc-md5)
>                    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>                    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>                    3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
>                    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
>                    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
>
>                 In my case, my server's "real" name is hostname1 and I have
> an alias, let's say mycrazyserver
>
>                 /etc/hosts
>                 127.0.0.1     localhost
>                 192.168.0.1   hostname1.internal.domain.tld hostname1
> mycrazyserver.internal.domain.tld
>                 Host format:
>                 IP      REAL_HOSTNAME_FQDN ALIAS ALIAS
>
>                 Note, adding mycrazyserver.internal.domain.tld should not
> be needed, because that is resolved through DNS.
>
>                 ping mycrazyserver.internal.domain.tld will respond its
> reply with hostname1.internal.domain.tld hostname1
>
>                 If you add CIFS to your keytab you want to see :
>                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (aes128-cts-hmac-sha1-96)
>                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (aes256-cts-hmac-sha1-96)
>                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (arcfour-hmac)
>                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (des-cbc-crc)
>                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
> (des-cbc-md5)
>                 ( + whats above )
>
>                 That's it..
>
>                 So your output should look like this.
>
>                        7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>                        7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>                        7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>                        7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>                        7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>                        7 cifs/fs-a.dom.corp at DOM.CORP
> (aes128-cts-hmac-sha1-96)
>                        7 cifs/fs-a.dom.corp at DOM.CORP
> (aes256-cts-hmac-sha1-96)
>                        7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>                        7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>                        7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>                        7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>                        7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>                        7 FS-A$@DOM.CORP (arcfour-hmac)
>                        7 FS-A$@DOM.CORP (des-cbc-crc)
>                        7 FS-A$@DOM.CORP (des-cbc-md5)
>                        7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>                        7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) <
> double = wrong
>                        7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>                        7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)   <
> double = wrong
>                        7 host/FS-A at DOM.CORP (arcfour-hmac)
>                        7 host/FS-A at DOM.CORP (arcfour-hmac)      < double
> = wrong
>                        7 host/FS-A at DOM.CORP (des-cbc-crc)
>                        7 host/FS-A at DOM.CORP (des-cbc-crc)       < double
> = wrong
>                        7 host/FS-A at DOM.CORP (des-cbc-md5)
>                        7 host/FS-A at DOM.CORP (des-cbc-md5)       < double
> = wrong
>                        7 host/fs-a.dom.corp at DOM.CORP
> (aes128-cts-hmac-sha1-96)
>                        7 host/fs-a.dom.corp at DOM.CORP
> (aes256-cts-hmac-sha1-96)
>                        7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>                        7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>                        7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>
>
>                 So try again. ;-)
>
>                 Greetz,
>
>                 Louis
>
>
>
>
>
>                 ________________________________
>
>                         From: banda bassotti [mailto:bandabasotti at gmail.com]
>
>                         Sent: Tuesday 5 November 2019 12:06
>                         To: L.P.H. van Belle
>                         CC: samba at lists.samba.org
>                         Subject: Re: [Samba] Failed to find
> cifs/fs-share at dom.corp (kvno 109) in keytab
>
>
>                         Louis, thank you very much, I followed the
> procedure step by step (which I had already done) but unfortunately I
> still get the same error:
>
>
>                         [2019/11/05 11:49:47.748159,  1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>
>                           gss_accept_sec_context failed with [
> Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno
> 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
>
>                         please pay attention to (kvno 113): the problem is
> here and not in the keytab file.
>
>
>                         klist -ke /etc/krb5.keytab
>                         Keytab name: FILE:/etc/krb5.keytab
>                         KVNO Principal
>                         ----
> --------------------------------------------------------------------------
>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>                            7 host/FS-A at DOM.CORP (des-cbc-crc)
>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>                            7 host/FS-A at DOM.CORP (des-cbc-md5)
>                            7 host/fs-a.dom.corp at DOM.CORP
> (aes128-cts-hmac-sha1-96)
>                            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 host/fs-a.dom.corp at DOM.CORP
> (aes256-cts-hmac-sha1-96)
>                            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>                            7 host/FS-A at DOM.CORP (arcfour-hmac)
>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>                            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>                            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>                            7 cifs/fs-a.dom.corp at DOM.CORP
> (aes128-cts-hmac-sha1-96)
>                            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 cifs/fs-a.dom.corp at DOM.CORP
> (aes256-cts-hmac-sha1-96)
>                            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>                            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>                            7 FS-A$@DOM.CORP (des-cbc-crc)
>                            7 FS-A$@DOM.CORP (des-cbc-md5)
>                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 FS-A$@DOM.CORP (arcfour-hmac)
>                            7 host/FS-A at DOM.CORP (des-cbc-crc)
>                            7 host/FS-A at DOM.CORP (des-cbc-md5)
>                            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 host/FS-A at DOM.CORP (arcfour-hmac)
>                            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>                            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>                            7 cifs/oldsamba at DOM.CORP
> (aes128-cts-hmac-sha1-96)
>                            7 cifs/oldsamba at DOM.CORP
> (aes256-cts-hmac-sha1-96)
>                            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>                            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>                            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>                            7 cifs/oldsamba at DOM.CORP
> (aes128-cts-hmac-sha1-96)
>                            7 cifs/oldsamba at DOM.CORP
> (aes256-cts-hmac-sha1-96)
>                            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>
>
>                         to temporarily solve this problem I must extract the
> keytab of oldsamba from the domain controller and import it with ktutil:
>
>                         # ktutil
>                         ktutil:  rkt oldsamba.keytab
>                         ktutil:  l
>                         slot KVNO Principal
>                         ---- ----
> ---------------------------------------------------------------------
>                            1  112           cifs/oldsamba at DOM.CORP
>                            2  112           cifs/oldsamba at DOM.CORP
>                            3  112           cifs/oldsamba at DOM.CORP
>                            4  113           cifs/oldsamba at DOM.CORP
>                            5  113           cifs/oldsamba at DOM.CORP
>                            6  113           cifs/oldsamba at DOM.CORP
>
>
>                         please note the kvno column.
>
>
>                         On Tue 5 Nov 2019 at 11:30 L.P.H. van
> Belle <belle at bazuin.nl> wrote:
>
>
>                                 Hai,
>
>                                 I've re-read your thread, and there are a
> few things going on..
>                                 I suggest you do the following..
>
>                                 Change these.
>
>                                 /etc/krb5.conf
>                                 [libdefaults]
>                                   default_realm = DOM.CORP
>                                   dns_lookup_kdc = true
>                                   dns_lookup_realm = false
>                                   forwardable = true
>                                   proxiable = true
>                                   kdc_timesync = 1
>                                   debug = false
>
>
>                                 /etc/samba/smb.conf
>                                 [Global]
>                                    workgroup = WG1
>                                    realm = DOM.CORP
>                                    # Netbios names in CAPS, see..
>                                    #
> https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
>                                    #
> https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>                                    # Verify in DNS the following, A - PTR
> records for netbios name, setup CNAME for all alias-names,
>                                    # point CNAME to the A record of which
> the PTR also exists..
>                                    netbios name = FS-A
>                                    netbios aliases = OLDSAMBA
>                                    security = ADS
>                                    #
>                                    kerberos method = secrets and keytab
>                                    dedicated keytab file = /etc/krb5.keytab
>                                    # renew the kerberos ticket
>                                    winbind refresh tickets = yes
>
>
>                                 ON THIS MEMBER... ( you don't run :
> samba-tool spn list ..... )
>                                 You run : net ads keytab
>
>                                 cp /etc/krb5.keytab{,.backup}
>                                 kinit Administrator
>                                 KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
> keytab CREATE -P
>
>                                 Verify this keytab.
>                                 klist -ke /etc/krb5.keytab2
>
>                                 You want to see :
>                                 host/NETBIOSNAME at DOM.CORP  ( x5 )
>                                 host/fqdn.hostname.dom.tld at DOM.CORP  ( x5
> )
>                                 NETBIOSNAME$@DOM.CORP  ( x5 )
>
>                                 If you see these, then run this to add
> the cifs keytab.
>
>                                 KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
> keytab ADD cifs/fs-a.yourdns.domain.tld
>                                 KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
> keytab ADD cifs/FS-A$
>
>                                 Verify the keytab file again.
>                                 klist -ke /etc/krb5.keytab2
>
>                                 If it all looks good.
>
>                                 Stop all samba service
>                                 rm /etc/krb5.keytab  .. ( a backupfile is
> made if you followed above )
>                                 mv /etc/krb5.keytab2 /etc/krb5.keytab
>
>
>                                 That "should" do the trick..
>
>
>
>                                 Greetz,
>
>                                 Louis
>
>
>
>
>                                 > -----Original message-----
>                                 > From: samba [mailto:
> samba-bounces at lists.samba.org] On behalf of
>                                 > banda bassotti via samba
>                                 > Sent: Tuesday 5 November 2019 9:49
>                                 > To: Rowland penny
>                                 > CC: sambalist
>                                 > Subject: Re: [Samba] Failed to find
> cifs/fs-share at dom.corp
>                                 > (kvno 109) in keytab
>                                 >
>                                 > Hi, no luck: despite having set
> winbind not to change
>                                 > the machine
> password the behavior is the same. I do
>                                 > not know what to do.
>                                 > Other ideas?
>                                 >
>                                 > thnx.
>                                 >
>                                 > On Tue 29 Oct 2019 at 11:37
> banda bassotti <
>                                 > bandabasotti at gmail.com> wrote:
>                                 >
>                                 > > Hi, the problem seems to be related to
> this bug:
>                                 > >
>                                 > >
> https://bugzilla.samba.org/show_bug.cgi?id=6750
>                                 > >
>                                 > > I try therefore to set
>                                 > >
>                                 > >   machine password timeout = 0
>                                 > >
>                                 > >
>                                 > >
>                                 > > On Tue 29 Oct 2019 at
> 11:11 Rowland penny via samba <
>                                 > > samba at lists.samba.org> wrote:
>                                 > >
>                                 > >> On 29/10/2019 10:04, banda bassotti
> wrote:
>                                 > >> > I had already done it:
>                                 > >> >
>                                 > >> > # samba-tool spn list newsamba\$
>                                 > >> > newsamba$
>                                 > >> > User
> CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
>                                 > >> > servicePrincipalName:
>                                 > >> >          HOST/NEWSAMBA
>                                 > >> >          HOST/newsamba.domain.corp
>                                 > >> >          cifs/oldsamba at DOMAIN.CORP
>                                 > >> >
> cifs/oldsamba.domain.corp at DOMAIN.CORP
>                                 > >>
>                                 > >>  From your log fragment, it appears
> to be looking for
>                                 > >> 'cifs/OLDSAMBA at DOMAIN.CORP', the
> case matters. You will
>                                 > probably have to
>                                 > >> remove the lowercase version SPN and
> replace it with the uppercase
>                                 > >> version.
>                                 > >>
>                                 > >> Rowland
>                                 > >>
>                                 > >>
>                                 > >>
>                                 > >> --
>                                 > >> To unsubscribe from this list go to
> the following URL and read the
>                                 > >> instructions:
> https://lists.samba.org/mailman/options/samba
>                                 > >>
>                                 > >
-------------- next part --------------
Collected config  --- 2019-11-05-14:41 -----------

Hostname: fs-a
DNS Domain: dom.corp
FQDN: fs-a.dom.corp
ipaddress: 10.0.0.2 

-----------

Kerberos SRV _kerberos._tcp.dom.corp record verified ok, sample output: 
_kerberos._tcp.dom.corp has SRV record 0 100 88 ucsdc.dom.corp.
_kerberos._tcp.dom.corp has SRV record 0 100 88 ucs-gozzi-sl1.dom.corp.
Samba is running as a Unix domain member

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.1 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b2:1b:04:2a:5f:7d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.10.21.255 scope global ens18
    inet6 fe80::b01b:4ff:fe2a:5f7d/64 scope link 
3: ens19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 5a:dc:b7:6c:14:3c brd ff:ff:ff:ff:ff:ff

-----------
       Checking file: /etc/hosts

127.0.0.1	localhost
10.0.0.2	fs-a.dom.corp	fs-a oldsamba

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

       Checking file: /etc/resolv.conf

search dom.corp
nameserver 10.10.21.25
nameserver 10.10.20.87

-----------

       Checking file: /etc/krb5.conf

[libdefaults]
  default_realm = DOM.CORP
  dns_lookup_realm = false
  dns_lookup_kdc = true
  forwardable = true
  proxiable = true
  kdc_timesync = 1
  debug = false

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

       Checking file: /etc/samba/smb.conf

#
# 04/09/2019
#
[global]
  workgroup = DOM
  realm = DOM.CORP
  netbios name = FS-A
  netbios aliases = OLDSAMBA
  security = ADS

  logging = file
  log level = 1 auth_audit:3 winbind:5
  log file = /var/log/samba/%m.log

  idmap config *:backend = tdb
  idmap config *:range = 700001-800000

  idmap config DOM:backend  = rid
  idmap config DOM:range  = 10000-700000

  vfs objects = acl_xattr full_audit
  map acl inherit = Yes
  store dos attributes = Yes

  winbind separator = +
  winbind use default domain = yes
  winbind offline logon = yes
  winbind cache time = 86400
  winbind enum groups = yes
  winbind enum users = yes
  winbind expand groups = 1
  winbind refresh tickets = yes

  template homedir = /home/%U
  template shell = /bin/bash

  getwd cache = yes

  usershare allow guests = yes
  usershare path =

  username map = /etc/samba/user.map

  full_audit:failure=none
  full_audit:success=mkdir rmdir read pread write pwrite rename unlink
  full_audit:prefix=IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
  full_audit:facility=local7
  full_audit:priority=notice

  load printers = no
  kerberos method = secrets and keytab
  dedicated keytab file = /etc/krb5.keytab

[homes]
  comment = %U Home Directory
  browseable = No
  writable = Yes
  valid users = %S
  create mask = 0644
  directory mask = 0700
  available = yes 
  path = /home/%S

[SHARES$]
  path = /share
  browseable = No
  writeable = yes
  nt acl support = yes
  valid users = @"dom+domain admins"

-----------

Running as Unix domain member and user.map detected.

Contents of /etc/samba/user.map

!root = DOM\Administrator

Server Role is set to :  auto

-----------

Installed packages:
ii  acl                            2.2.53-4                    amd64        access control list - utilities
ii  attr                           1:2.4.48-4                  amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                         all          Configuration files for Kerberos Version 5
ii  krb5-locales                   1.17-3                      all          internationalization support for MIT Kerberos
ii  krb5-user                      1.17-3                      amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.53-4                    amd64        access control list - shared library
ii  libattr1:amd64                 1:2.4.48-4                  amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64         1.17-3                      amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.17-3                      amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.17-3                      amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.10.10+dfsg-0.1~buster~1 amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64           2:4.10.10+dfsg-0.1~buster~1 amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64             2:4.10.10+dfsg-0.1~buster~1 amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64             2:4.10.10+dfsg-0.1~buster~1 amd64        Samba winbind client library
ii  python3-samba                  2:4.10.10+dfsg-0.1~buster~1 amd64        Python 3 bindings for Samba
ii  samba                          2:4.10.10+dfsg-0.1~buster~1 amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.10.10+dfsg-0.1~buster~1 all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.10.10+dfsg-0.1~buster~1 amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.10.10+dfsg-0.1~buster~1 amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.10.10+dfsg-0.1~buster~1 amd64        Samba core libraries
ii  samba-vfs-modules:amd64        2:4.10.10+dfsg-0.1~buster~1 amd64        Samba Virtual FileSystem plugins
ii  smbclient                      2:4.10.10+dfsg-0.1~buster~1 amd64        command-line SMB/CIFS clients for Unix
ii  winbind                        2:4.10.10+dfsg-0.1~buster~1 amd64        service to resolve user and group information from Windows NT servers

-----------
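The three numbers in the gse.c error line are the whole diagnosis: the principal, the kvno and the enctype the KDC used when it encrypted the client's service ticket. Samba's keytab has cifs/oldsamba (when it is there at all) only at kvno 7, the FS-A$ machine account's key version, while every ticket for cifs/oldsamba arrives at kvno 113. So the KDC is not using FS-A$'s key for that SPN: another account holds it (the ktutil workaround later in the thread confirms this, since the keytab exported on the DC for oldsamba carries kvno 112 and 113). Rowland's point that principal names are case-sensitive is a separate failure with the same error text. The script below is an added example, not code from the thread or from Samba: it parses `klist -ke` output and the log line and reports which of the three coordinates did not match, so you know whether to look at the keytab, at `samba-tool spn list` on a DC, or at the machine password. The sample keytabs and the enctype alias table are constructed; principals are written with "@" where the list archive prints " at ".

```python
"""Classify a Samba "Failed to find <principal>(kvno N) in keytab" error.
Parses `klist -ke` output and the gse.c log line, then says which keytab
coordinate (principal, kvno, enctype) the client's service ticket did not match.
Sample data is constructed, modelled on the thread, with "@" where the archive prints " at ".
"""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str

# One `klist -ke` entry: "<kvno> <principal> (<enctype>)"; header lines do not match.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^()\s]+)\)\s*$")
# krb5 text relayed by source3/librpc/crypto/gse.c, e.g.
#   Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)
GSE_ERROR = re.compile(r"Failed to find (\S+?)\s*\(kvno (\d+)\) in keytab \S+ \(([^()\s]+)\)")
# klist and the error message print RC4-HMAC (etype 23) under different names.
ENCTYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}

def parse_klist(text: str) -> list[KeytabEntry]:
    """Entries of `klist -ke` output, in file order."""
    found = (KLIST_LINE.match(line) for line in text.splitlines())
    return [KeytabEntry(int(m[1]), m[2], ENCTYPE_ALIASES.get(m[3], m[3])) for m in found if m]

def parse_gse_error(text: str) -> tuple[str, int, str] | None:
    """(principal, kvno, enctype) the presented service ticket was encrypted with."""
    m = GSE_ERROR.search(text)
    return (m[1], int(m[2]), ENCTYPE_ALIASES.get(m[3], m[3])) if m else None

def diagnose(entries, principal: str, kvno: int, enctype: str) -> tuple[str, str]:
    """Return (verdict, detail); the verdict names the next thing to check:
    ok              key present; look elsewhere (clock skew, realm, ...)
    enctype-missing right principal and kvno, no key of the ticket's enctype
    kvno-mismatch   the KDC used a key version this host never had: the password
                    rotated, or another account owns the SPN (kvno 113 vs 7 here)
    case-mismatch   same name in another case; principals are case-sensitive
    missing         the SPN is not in the keytab at all
    """
    same = [e for e in entries if e.principal == principal]
    if same:
        at_kvno = [e for e in same if e.kvno == kvno]
        if any(e.enctype == enctype for e in at_kvno):
            return "ok", f"{principal} kvno {kvno} ({enctype}) is present"
        if at_kvno:
            return "enctype-missing", f"kvno {kvno} only as {sorted(e.enctype for e in at_kvno)}"
        return "kvno-mismatch", f"keytab has kvno {sorted({e.kvno for e in same})}, ticket used {kvno}"
    near = sorted({e.principal for e in entries if e.principal.lower() == principal.lower()})
    if near:
        return "case-mismatch", f"keytab has {near}, ticket names {principal}"
    return "missing", f"{principal} is not in the keytab"

# Constructed samples (trimmed; a real keytab has five enctypes per principal).
# 1. After `net ads keytab create`: only the FS-A$ machine account's key, kvno 7.
KEYTAB_FRESH = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
"""
# 2. After `net ads keytab add cifs/oldsamba`: the alias SPN, still with FS-A$'s key.
KEYTAB_ALIAS_ADDED = KEYTAB_FRESH + "   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)\n"
# 3. Only the upper-case spelling of the alias SPN was added.
KEYTAB_CASE_ONLY = KEYTAB_FRESH + "   7 cifs/OLDSAMBA@DOM.CORP (arcfour-hmac)\n"
# 4. Keytab exported on the DC for the account that really holds cifs/oldsamba
#    (the thread's ktutil workaround): kvno 112 and 113.
KEYTAB_FROM_DC = """\
 112 cifs/oldsamba@DOM.CORP (arcfour-hmac)
 113 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
 113 cifs/oldsamba@DOM.CORP (arcfour-hmac)
"""
# The level-1 log line quoted in the thread.
GSE_LOG = ("  gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
           "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab "
           "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")
SAMPLES = {"fresh": KEYTAB_FRESH, "alias-added": KEYTAB_ALIAS_ADDED,
           "case-only": KEYTAB_CASE_ONLY, "from-dc": KEYTAB_FROM_DC}

def demo() -> dict[str, str]:
    """Verdict for each sample keytab against the thread's error line."""
    principal, kvno, enctype = parse_gse_error(GSE_LOG)
    return {name: diagnose(parse_klist(text), principal, kvno, enctype)[0]
            for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Run it against a real box by replacing `KEYTAB_FRESH` with the output of `klist -ke /etc/krb5.keytab` and `GSE_LOG` with the line from `/var/log/samba/<client>.log`. A `kvno-mismatch` verdict means fixing the keytab on the member cannot help by itself: the SPN has to be moved to (or left only on) the account whose keys this host holds, which is checked on a DC with `samba-tool spn list`. Two caveats visible in the thread's own output: the ktutil workaround copies another account's long-term keys onto this host, so it is a stop-gap rather than a fix, and the keytabs shown still carry single-DES keys (des-cbc-crc, des-cbc-md5) next to AES, which is worth revisiting once authentication works.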

