[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
banda bassotti
bandabasotti at gmail.com
Tue Nov 5 13:49:24 UTC 2019
systemctl stop nmbd smbd winbind
rm -f /etc/krb5.keytab*
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
net ads keytab create cifs/$(hostname -f)
klist -ke /etc/krb5.keytab | sort
---- --------------------------------------------------------------------------
7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
7 cifs/FS-A at DOM.CORP (arcfour-hmac)
7 cifs/FS-A at DOM.CORP (des-cbc-crc)
7 cifs/FS-A at DOM.CORP (des-cbc-md5)
7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
7 FS-A$@DOM.CORP (arcfour-hmac)
7 FS-A$@DOM.CORP (des-cbc-crc)
7 FS-A$@DOM.CORP (des-cbc-md5)
7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
7 host/FS-A at DOM.CORP (arcfour-hmac)
7 host/FS-A at DOM.CORP (des-cbc-crc)
7 host/FS-A at DOM.CORP (des-cbc-md5)
7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
systemctl start nmbd smbd winbind
# host oldsamba
oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2
$ kinit testuser
$ smbclient //oldsamba/testuser -k -c 'ls'
Unable to initialize messaging context
session setup failed: NT_STATUS_LOGON_FAILURE
[2019/11/05 14:32:18.863122, 1]
../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2019/11/05 14:32:18.863192, 1]
../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
I attached samba-debug-info.txt.
On Tue 5 Nov 2019 at 13:43 L.P.H. van Belle <belle at bazuin.nl> wrote:
> Hai,
>
> Nope.. Too much again ;-)
>
> This is one step too much:
> step2:
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba.dom.corp at DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba at DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba$@DOM.CORP
>
> And why are you adding @REALM .. Do it exactly as shown below.
>
> Because a CNAME resolves to the REAL hostname's A record, Kerberos then
> uses the A of the real hostname and (might) verify the PTR also.
>
> So again and exactly as shown, because your "Default realm" is used
> automatically.
>
> kinit Administrator
> *(you see here: Password for Administrator at REALM: )
>
> stop samba and related services.
>
> rm /etc/krb5.keytab2
> rm /etc/krb5.keytab
>
> # I change the keytab to the needed name (/etc/krb5.keytab)
> KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>
> net ads keytab create cifs/$(hostname -f)
>
> Verify the output.
> klist -ke /etc/krb5.keytab | sort
>
> If you see the ALIAS hostname "oldsamba" again in the keytab file,
> then remove it from smb.conf :
>
> netbios aliases = OLDSAMBA
>
> Verify the DNS and make sure your realhostname does have the A and PTR
> records set.
> And remove all A/PTR related records to OLDSAMBA.
> Add the CNAME for OLDSAMBA and point to the realhostname.
>
> Restart samba, repeat above.
>
> Still failing..
> Then get this script:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> Run it, anonymize it and post the output.
>
>
> Greetz,
>
> Louis
>
>
>
> ________________________________
>
> From: banda bassotti [mailto:bandabasotti at gmail.com]
> Sent: Tuesday 5 November 2019 13:18
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
>
>
> Luis, ok I've removed everything, step 1:
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
> klist -ke /etc/krb5.keytab2|grep 7|sort
>
>
> 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 FS-A$@DOM.CORP (arcfour-hmac)
> 7 FS-A$@DOM.CORP (des-cbc-crc)
> 7 FS-A$@DOM.CORP (des-cbc-md5)
> 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (arcfour-hmac)
> 7 host/FS-A at DOM.CORP (des-cbc-crc)
> 7 host/FS-A at DOM.CORP (des-cbc-md5)
> 7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>
>
>
> step2:
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba.dom.corp at DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba at DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/oldsamba$@DOM.CORP
>
>
> klist
>
> 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
> 7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
> 7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
> 7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
> 7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
> 7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
> 7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
> 7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
> 7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 FS-A$@DOM.CORP (arcfour-hmac)
> 7 FS-A$@DOM.CORP (des-cbc-crc)
> 7 FS-A$@DOM.CORP (des-cbc-md5)
> 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (arcfour-hmac)
> 7 host/FS-A at DOM.CORP (des-cbc-crc)
> 7 host/FS-A at DOM.CORP (des-cbc-md5)
> 7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>
>
> systemctl start nmbd smbd winbind
>
> test from windows machine:
>
> [2019/11/05 13:14:49.108879, 1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
>
> On Tue 5 Nov 2019 at 12:40 L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>
> Ok, you did too much as far as I can tell.
>
> You want to see this: I'll show my output, then it is better to see what I mean.
>
> This is what you start with.
> klist -ke |sort ( default member )
> ---- --------------------------------------------------------------------------
> 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (arcfour-hmac)
> 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-crc)
> 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-md5)
> 3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> 3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> 3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
> 3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
> 3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
> 3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> 3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> 3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
> 3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
> 3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
>
> In my case my server's "real" name is hostname1 and I have
> an alias, let's say mycrazyserver
>
> /etc/hosts
> 127.0.0.1 localhost
> 192.168.0.1 hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld
> Host format:
> IP REAL_HOSTNAME_FQDN ALIAS ALIAS
>
> Note, adding mycrazyserver.internal.domain.tld should not
> be needed, because that is resolved through dns.
>
> ping mycrazyserver.internal.domain.tld will respond its
> reply with hostname1.internal.domain.tld hostname1
>
> If you add CIFS to your keytab you want to see :
> 3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> 3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> 3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
> 3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
> 3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
> ( + what's above )
>
> That's it..
>
> So your output should look like this.
>
> 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 FS-A$@DOM.CORP (arcfour-hmac)
> 7 FS-A$@DOM.CORP (des-cbc-crc)
> 7 FS-A$@DOM.CORP (des-cbc-md5)
> 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong
> 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) < double = wrong
> 7 host/FS-A at DOM.CORP (arcfour-hmac)
> 7 host/FS-A at DOM.CORP (arcfour-hmac) < double = wrong
> 7 host/FS-A at DOM.CORP (des-cbc-crc)
> 7 host/FS-A at DOM.CORP (des-cbc-crc) < double = wrong
> 7 host/FS-A at DOM.CORP (des-cbc-md5)
> 7 host/FS-A at DOM.CORP (des-cbc-md5) < double = wrong
> 7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>
>
> So try again. ;-)
>
> Greetz,
>
> Louis
>
>
>
>
>
> ________________________________
>
> From: banda bassotti [mailto:bandabasotti at gmail.com]
>
> Sent: Tuesday 5 November 2019 12:06
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
>
>
> Luis, thank you very much, I followed the procedure step by step (which I
> had already done) but unfortunately I always have the same error:
>
>
> [2019/11/05 11:49:47.748159, 1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>
> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
>
> Please pay attention to (kvno 113): the problem is here and not in the
> keytab file.
>
>
> klist -ke /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 7 host/FS-A at DOM.CORP (des-cbc-crc)
> 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 7 host/FS-A at DOM.CORP (des-cbc-md5)
> 7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 7 host/FS-A at DOM.CORP (arcfour-hmac)
> 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 7 FS-A$@DOM.CORP (des-cbc-crc)
> 7 FS-A$@DOM.CORP (des-cbc-md5)
> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 FS-A$@DOM.CORP (arcfour-hmac)
> 7 host/FS-A at DOM.CORP (des-cbc-crc)
> 7 host/FS-A at DOM.CORP (des-cbc-md5)
> 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 host/FS-A at DOM.CORP (arcfour-hmac)
> 7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
> 7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
> 7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
> 7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
> 7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
> 7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
> 7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
> 7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>
>
> To temporarily solve this problem I must extract the keytab of oldsamba
> from the domain controller and import it with ktutil:
>
> # ktutil
> ktutil: rkt oldsamba.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 112 cifs/oldsamba at DOM.CORP
> 2 112 cifs/oldsamba at DOM.CORP
> 3 112 cifs/oldsamba at DOM.CORP
> 4 113 cifs/oldsamba at DOM.CORP
> 5 113 cifs/oldsamba at DOM.CORP
> 6 113 cifs/oldsamba at DOM.CORP
>
>
> Please note the kvno column.
>
>
> On Tue 5 Nov 2019 at 11:30 L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>
> Hai,
>
> I've re-read your thread, and there are a few things going on..
> I suggest you do the following..
>
> Change these.
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = DOM.CORP
> dns_lookup_kdc = true
> dns_lookup_realm = false
> forwardable = true
> proxiable = true
> kdc_timesync = 1
> debug = false
>
>
> /etc/samba/smb.conf
> [Global]
> workgroup = WG1
> realm = DOM.CORP
> # Netbios names in CAPS, see..
> # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
> # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> # Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names,
> # point CNAME to the A record of which the PTR also exists..
> netbios name = FS-A
> netbios aliases = OLDSAMBA
> security = ADS
> #
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
>
> ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
> You run : net ads keytab
>
> cp /etc/krb5.keytab{,.backup}
> kinit Administrator
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
> Verify this keytab.
> klist -ke /etc/krb5.keytab2
>
> You want to see :
> host/NETBIOSNAME at DOM.CORP ( x5 )
> host/fqdn.hostname.dom.tld at DOM.CORP ( x5 )
> NETBIOSNAME$@DOM.CORP ( x5 )
>
> If you see these.. Then run this to add the cifs keytab.
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
>
> Verify the keytab file again.
> klist -ke /etc/krb5.keytab2
>
> If it all looks good.
>
> Stop all samba services
> rm /etc/krb5.keytab .. ( a backupfile is made if you followed above )
> mv /etc/krb5.keytab2 /etc/krb5.keytab
>
>
> That "should" do the trick..
>
>
>
> Greetz,
>
> Louis
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > banda bassotti via samba
> > Sent: Tuesday 5 November 2019 9:49
> > To: Rowland penny
> > CC: sambalist
> > Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
> >
> > hi, nothing to do, despite having set winbind not to change the machine
> > password the behavior is the same. I do not know what to do.
> > Other ideas?
> >
> > thnx.
> >
> > On Tue 29 Oct 2019 at 11:37 banda bassotti <bandabasotti at gmail.com> wrote:
> >
> > > Hi, the problem seems to be related to this bug:
> > >
> > >
> https://bugzilla.samba.org/show_bug.cgi?id=6750
> > >
> > > I try therefore to set
> > >
> > > machine password timeout = 0
> > >
> > >
> > >
> > > On Tue 29 Oct 2019 at 11:11 Rowland penny via samba <samba at lists.samba.org> wrote:
> > >
> > >> On 29/10/2019 10:04, banda bassotti wrote:
> > >> > I had already done it:
> > >> >
> > >> > # samba-tool spn list newsamba\$
> > >> > newsamba$
> > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> > >> > servicePrincipalName:
> > >> > HOST/NEWSAMBA
> > >> > HOST/newsamba.domain.corp
> > >> > cifs/oldsamba at DOMAIN.CORP
> > >> > cifs/oldsamba.domain.corp at DOMAIN.CORP
> > >>
> > >> From your log fragment, it appears to be looking for
> > >> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You will probably have to
> > >> remove the lowercase version SPN and replace it with the uppercase
> > >> version.
> > >>
> > >> Rowland
> > >>
> > >>
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions: https://lists.samba.org/mailman/options/samba
> > >>
> > >
-------------- next part --------------
Collected config --- 2019-11-05-14:41 -----------
Hostname: fs-a
DNS Domain: dom.corp
FQDN: fs-a.dom.corp
ipaddress: 10.0.0.2
-----------
Kerberos SRV _kerberos._tcp.dom.corp record verified ok, sample output:
_kerberos._tcp.dom.corp has SRV record 0 100 88 ucsdc.dom.corp.
_kerberos._tcp.dom.corp has SRV record 0 100 88 ucs-gozzi-sl1.dom.corp.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.1 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b2:1b:04:2a:5f:7d brd ff:ff:ff:ff:ff:ff
inet 10.0.0.2/24 brd 10.10.21.255 scope global ens18
inet6 fe80::b01b:4ff:fe2a:5f7d/64 scope link
3: ens19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 5a:dc:b7:6c:14:3c brd ff:ff:ff:ff:ff:ff
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.0.0.2 fs-a.dom.corp fs-a oldsamba
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
search dom.corp
nameserver 10.10.21.25
nameserver 10.10.20.87
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = DOM.CORP
dns_lookup_realm = false
dns_lookup_kdc = true
forwardable = true
proxiable = true
kdc_timesync = 1
debug = false
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind
group: files winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
#
# 04/09/2019
#
[global]
workgroup = DOM
realm = DOM.CORP
netbios name = FS-A
netbios aliases = OLDSAMBA
security = ADS
logging = file
log level = 1 auth_audit:3 winbind:5
log file = /var/log/samba/%m.log
idmap config *:backend = tdb
idmap config *:range = 700001-800000
idmap config DOM:backend = rid
idmap config DOM:range = 10000-700000
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
winbind separator = +
winbind use default domain = yes
winbind offline logon = yes
winbind cache time = 86400
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 1
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /bin/bash
getwd cache = yes
usershare allow guests = yes
usershare path =
username map = /etc/samba/user.map
full_audit:failure=none
full_audit:success=mkdir rmdir read pread write pwrite rename unlink
full_audit:prefix=IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility=local7
full_audit:priority=notice
load printers = no
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
[homes]
comment = %U Home Directory
browseable = No
writable = Yes
valid users = %S
create mask = 0644
directory mask = 0700
available = yes
path = /home/%S
[SHARES$]
path = /share
browseable = No
writeable = yes
nt acl support = yes
valid users = @"dom+domain admins"
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = DOM\Administrator
Server Role is set to : auto
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control list - utilities
ii attr 1:2.4.48-4 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3 all internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64 Samba winbind client library
ii python3-samba 2:4.10.10+dfsg-0.1~buster~1 amd64 Python 3 bindings for Samba
ii samba 2:4.10.10+dfsg-0.1~buster~1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.10.10+dfsg-0.1~buster~1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.10.10+dfsg-0.1~buster~1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.10.10+dfsg-0.1~buster~1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.10.10+dfsg-0.1~buster~1 amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.10.10+dfsg-0.1~buster~1 amd64 service to resolve user and group information from Windows NT servers
-----------
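Added example, not code from the thread or from Samba: a small Python checker for the comparison the thread does by hand, parsing `klist -ke` output and a Samba `gse.c` failure line and reporting whether the requested principal is missing from the keytab, present only under a different kvno (the case here: keytab at kvno 7, ticket at kvno 113), listed twice (Louis's "double = wrong"), or present only with different letter case (Rowland's point). The function names and the sample data are mine; the list archive prints `@` as ` at `, while real klist output uses `@` as assumed here.

```python
"""Cross-check a Samba 'Failed to find ... (kvno N) in keytab' error against
'klist -ke' output, the comparison the thread above does by hand."""
import re
from collections import Counter

# One 'klist -ke' entry: "<kvno> <principal> (<enctype>)".  The list archive
# prints '@' as ' at '; real klist output uses '@', which is assumed here.
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# The gse.c failure text: "Failed to find <principal>(kvno <n>) in keytab".
KEYTAB_FAILURE = re.compile(r"Failed to find (\S+?)\s*\(kvno (\d+)\) in keytab")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from 'klist -ke' output,
    skipping the 'Keytab name:' / 'KVNO Principal' header lines."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def duplicate_entries(entries):
    """Entries listed more than once (the '< double = wrong' lines)."""
    return sorted(e for e, n in Counter(entries).items() if n > 1)


def parse_failure(log_line):
    """Return (principal, kvno) the server looked for, or None."""
    m = KEYTAB_FAILURE.search(log_line)
    return (m.group(1), int(m.group(2))) if m else None


def diagnose(entries, log_line):
    """Classify the failed lookup.  Principal names are case-sensitive in
    Kerberos, so a match that differs only in case is reported separately."""
    wanted = parse_failure(log_line)
    if wanted is None:
        return ("no_failure", None)
    principal, kvno = wanted
    exact = sorted({k for k, p, _ in entries if p == principal})
    folded = sorted({p for _, p, _ in entries
                     if p.lower() == principal.lower() and p != principal})
    if kvno in exact:
        return ("present", kvno)   # name and kvno match; check enctypes next
    if exact:
        # The KDC encrypted the ticket with key version `kvno` of whichever
        # account owns the SPN.  A keytab built from another account (kvno 7
        # for FS-A$ in the thread, against 113 in the error) cannot hold it.
        return ("kvno_mismatch", exact)
    if folded:
        return ("case_mismatch", folded)
    return ("missing", None)


# Constructed sample modelled on the thread: member keytab at kvno 7 with one
# doubled entry, and a server log line asking for kvno 113.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
"""
SAMPLE_LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure "
              "(see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) "
              "in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")

if __name__ == "__main__":
    found = parse_klist(SAMPLE_KLIST)
    print("duplicates:", duplicate_entries(found))
    print("diagnosis:", diagnose(found, SAMPLE_LOG))
```

Run it against the real files with `klist -ke /etc/krb5.keytab` piped in and the offending line from /var/log/samba; a "kvno_mismatch" result means regenerating the keytab on the member cannot help until the SPN and the account whose key the KDC used agree.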