[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

L.P.H. van Belle belle at bazuin.nl
Tue Nov 5 14:42:55 UTC 2019


Ok,

Your keytab looks ok now.

oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2

I would have expected here:
oldsamba.dom.corp is an alias for fs-a.dom.corp.
fs-a.dom.corp has address 10.0.0.2

Or was that a typo? I'm assuming a typo..

About your setup, from the script output.
 
Change this one.
/etc/hosts 
10.0.0.2 fs-a.dom.corp fs-a oldsamba  # Old/wrong 
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba  # new/correct
Or
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp  # new/correct 

Here I personally prefer:
10.0.0.2 fs-a.dom.corp fs-a

And add the CNAME to the DNS.

Why.. IP ALIAS1 ALIAS2.. etc., but what I didn't tell you before.. (sorry)

ALIAS: if you use a "single label" alias name, as in only the hostname alias without the domain part,
then that hostname can/should only be used on the server, because it's missing the domain part.

I do the same here; this is how I use it. (From a 4.11.2 member to a.. yes, 3.6.x server, I still have one running.. :-/ )
smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
-k won't work here, don't ask why, that I don't know.
 
To a 4.8+ member I use:   smbclient //somealias/sharename -c 'ls'

/etc/samba/smb.conf
You can remove these after testing, or set them to no and use getent passwd/group username/groupname if you want to see the groups.
  winbind enum groups = yes
  winbind enum users = yes 
 
Why is this used: getwd cache = yes ?
To my understanding, I think you can remove it, because this should be handled differently in Samba 4.

You're allowing: usershare allow guests = yes
but you disable the share location: usershare path =
Either use it or disable it; now it's?? You tell me.. ;-)

But besides the above points, your setup looks pretty good.
 
@Rowland,
This might help you understand my response on this one.
 
> You are creating a keytab, which may or may not be called /etc/krb5.keytab2

^^^^^^^^ was only used to not accidentally destroy his old keytab file.
But since it's replaced anyway now.

PS, the keytab name is not significant.
What is significant is what is set for: default_keytab_name in krb5.conf
Which of course defaults to FILE:/etc/krb5.keytab


> > Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> 
> Then something reads the keytab in memory and cannot find the 
> required SPN, or to put it another way, whatever is trying to find the 
> SPN isn't  reading the keytab you created above, it is reading the one in memory.

Ok, this part above, yes, you're right, it's reading in memory, but to my belief,
from: kerberos method = secrets and keytab, and as far as I know "secrets" = MEMORY.
But ask yourself, why is it using the "oldsamba" name if he is using oldsamba as alias name?
That's the key here, so the conclusion: resolving problems / incorrect setup.

So therefore I'm saying (typed this before I got the script output):
OLDSAMBA is still in /etc/hosts but before the new hostname,
or it still has a DNS A record,
or Samba is also using the NetBIOS alias names while creating keytab entries.
   ... And this should, in my opinion, not happen, so let's wait for what comes back.
AND his keytab file is still incorrectly set up.

And as I saw in the debug script output, I'm betting now on /etc/hosts that needs fixing.

Summary.

Change: /etc/hosts
# this line to:
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
# Or
10.0.0.2 fs-a.dom.corp fs-a # preferred, and set up a CNAME in DNS.

Reboot the server or "stop/start" Samba (don't restart)!

Verify the hostname alias:
host oldhostname.dom.corp
host oldhostname

And try again. 


Greetz, 
 
Louis
 
 


________________________________

	From: banda bassotti [mailto:bandabasotti at gmail.com]
	Sent: Tuesday 5 November 2019 14:49
	To: L.P.H. van Belle
	CC: samba at lists.samba.org
	Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
	
	
	systemctl stop nmbd smbd winbind
	rm -f /etc/krb5.keytab*
	KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
	net ads keytab create cifs/$(hostname -f)
	klist -ke /etc/krb5.keytab | sort
	
	---- --------------------------------------------------------------------------
	   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
	   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
	   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
	   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
	   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
	   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
	   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 FS-A$@DOM.CORP (arcfour-hmac)
	   7 FS-A$@DOM.CORP (des-cbc-crc)
	   7 FS-A$@DOM.CORP (des-cbc-md5)
	   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 host/FS-A@DOM.CORP (arcfour-hmac)
	   7 host/FS-A@DOM.CORP (des-cbc-crc)
	   7 host/FS-A@DOM.CORP (des-cbc-md5)
	   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
	   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
	   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
	   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
	   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
	Keytab name: FILE:/etc/krb5.keytab
	KVNO Principal
	

	systemctl start nmbd smbd winbind

	# host oldsamba
	oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
	fs-a.dom.corp has address 10.0.0.2
	

	$ kinit testuser
	$ smbclient //oldsamba/testuser -k -c 'ls'
	Unable to initialize messaging context
	session setup failed: NT_STATUS_LOGON_FAILURE
	

	[2019/11/05 14:32:18.863122,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
	  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
	[2019/11/05 14:32:18.863192,  1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
	  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
	

	attached the samba-debug-info.txt

	On Tue, 5 Nov 2019 at 13:43 L.P.H. van Belle <belle at bazuin.nl> wrote:
	

		Hai, 
		
		Nope.. Too much again ;-)

		This is one step too much:
		step2:
		# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
		# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
		# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP

		And why are you adding @REALM.. Do it exactly as shown below.

		Because a CNAME resolves to the REAL hostname's A record, Kerberos then uses the A of the real hostname and (might) verify the PTR also.

		So again, and exactly as shown, because your "default realm" is used automatically.

		kinit Administrator
		*(you see here:  Password for Administrator@REALM: )
		
		stop samba and related services. 
		
		rm /etc/krb5.keytab2 
		rm /etc/krb5.keytab
		
		# I change the keytab to the needed name (/etc/krb5.keytab)
		KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
		
		net ads keytab create cifs/$(hostname -f) 
		
		Verify the output. 
		klist -ke /etc/krb5.keytab | sort 
		
		If you see the ALIAS hostname "oldsamba" again in the keytab file,
		then remove from smb.conf:
		
		netbios aliases = OLDSAMBA
		
		Verify the DNS and make sure your real hostname does have the A and PTR records set.
		And remove all A/PTR records related to OLDSAMBA.
		Add the CNAME for OLDSAMBA and point it to the real hostname.
		
		Restart samba, repeat above. 
		
		Still failing.. 
		Then get this script: https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
		Run it, anonymize it and post the output. 
		
		
		Greetz, 
		
		Louis
		
		
		
		________________________________
		
		        From: banda bassotti [mailto:bandabasotti at gmail.com]
		        Sent: Tuesday 5 November 2019 13:18
		        To: L.P.H. van Belle
		        CC: samba at lists.samba.org
		        Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
		
		
		        Louis, ok I've removed everything, step 1:
		
		        KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
		
		        klist -ke /etc/krb5.keytab2|grep 7|sort
		
		
		           7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 cifs/FS-A@DOM.CORP (arcfour-hmac)
		           7 cifs/FS-A@DOM.CORP (des-cbc-crc)
		           7 cifs/FS-A@DOM.CORP (des-cbc-md5)
		           7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
		           7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
		           7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
		           7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 FS-A$@DOM.CORP (arcfour-hmac)
		           7 FS-A$@DOM.CORP (des-cbc-crc)
		           7 FS-A$@DOM.CORP (des-cbc-md5)
		           7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 host/FS-A@DOM.CORP (arcfour-hmac)
		           7 host/FS-A@DOM.CORP (des-cbc-crc)
		           7 host/FS-A@DOM.CORP (des-cbc-md5)
		           7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
		           7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
		           7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
		
		
		
		        step2: 
		        # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
		        # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
		        # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
		
		
		        klist 
		
		           7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 cifs/FS-A@DOM.CORP (arcfour-hmac)
		           7 cifs/FS-A@DOM.CORP (des-cbc-crc)
		           7 cifs/FS-A@DOM.CORP (des-cbc-md5)
		           7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
		           7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
		           7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
		           7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
		           7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
		           7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
		           7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
		           7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
		           7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
		           7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
		           7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
		           7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
		           7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 FS-A$@DOM.CORP (arcfour-hmac)
		           7 FS-A$@DOM.CORP (des-cbc-crc)
		           7 FS-A$@DOM.CORP (des-cbc-md5)
		           7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 host/FS-A@DOM.CORP (arcfour-hmac)
		           7 host/FS-A@DOM.CORP (des-cbc-crc)
		           7 host/FS-A@DOM.CORP (des-cbc-md5)
		           7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
		           7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
		           7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
		           7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
		           7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
		
		
		        systemctl start nmbd smbd winbind
		
		        test from windows machine:
		
		        [2019/11/05 13:14:49.108879,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
		          gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
		
		
		        On Tue, 5 Nov 2019 at 12:40 L.P.H. van Belle <belle at bazuin.nl> wrote:
		
		
		                Ok, you did too much as far as I can tell.

		                You want to see this: I'll show my output, then it is easier to see what I mean.

		                This is where you start with:
		                klist -ke |sort  ( default member )
		                ---- --------------------------------------------------------------------------
		                   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
		                   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
		                   3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
		                   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
		                   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
		                   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
		                   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
		                   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
		                   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
		                   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
		
		                In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver.
		
		                /etc/hosts
		                127.0.0.1     localhost
		                192.168.0.1   hostname1.internal.domain.tld hostname1  mycrazyserver.internal.domain.tld
		                Host format: 
		                IP      REAL_HOSTNAME_FQDN ALIAS ALIAS 
		
		                Note: adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through DNS.
		
		                ping mycrazyserver.internal.domain.tld will respond its reply with hostname1.internal.domain.tld hostname1 
		
		                If you add CIFS to your keytab you want to see:
		                   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
		                   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
		                   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
		                   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
		                   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
		                ( + what's above )

		                That's it..

		                So your output should look like this.
		
		                       7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		                       7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		                       7 cifs/FS-A@DOM.CORP (arcfour-hmac)
		                       7 cifs/FS-A@DOM.CORP (des-cbc-crc)
		                       7 cifs/FS-A@DOM.CORP (des-cbc-md5)
		                       7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
		                       7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
		                       7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
		                       7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
		                       7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
		                       7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
		                       7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
		                       7 FS-A$@DOM.CORP (arcfour-hmac)
		                       7 FS-A$@DOM.CORP (des-cbc-crc)
		                       7 FS-A$@DOM.CORP (des-cbc-md5)
		                       7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		                       7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong
		                       7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		                       7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
		                       7 host/FS-A@DOM.CORP (arcfour-hmac)
		                       7 host/FS-A@DOM.CORP (arcfour-hmac)      < double = wrong
		                       7 host/FS-A@DOM.CORP (des-cbc-crc)
		                       7 host/FS-A@DOM.CORP (des-cbc-crc)       < double = wrong
		                       7 host/FS-A@DOM.CORP (des-cbc-md5)
		                       7 host/FS-A@DOM.CORP (des-cbc-md5)       < double = wrong
		                       7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
		                       7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
		                       7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
		                       7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
		                       7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
		
		
		                So try again. ;-) 
		
		                Greetz, 
		
		                Louis
		
		
		
		
		
		                ________________________________
		
		                        From: banda bassotti [mailto:bandabasotti at gmail.com]
		                        Sent: Tuesday 5 November 2019 12:06
		                        To: L.P.H. van Belle
		                        CC: samba at lists.samba.org
		                        Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
		
		
		                        Louis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:
		
		
		                        [2019/11/05 11:49:47.748159,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
		
		                          gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
		
		
		                        please pay attention to (kvno 113) the problem is here and not the keytab file.
		
		
		                        klist -ke /etc/krb5.keytab
		                        Keytab name: FILE:/etc/krb5.keytab
		                        KVNO Principal
		                        ---- --------------------------------------------------------------------------
		                           7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
		                           7 host/FS-A@DOM.CORP (des-cbc-crc)
		                           7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
		                           7 host/FS-A@DOM.CORP (des-cbc-md5)
		                           7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
		                           7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		                           7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
		                           7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		                           7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
		                           7 host/FS-A@DOM.CORP (arcfour-hmac)
		                           7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
		                           7 cifs/FS-A@DOM.CORP (des-cbc-crc)
		                           7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
		                           7 cifs/FS-A@DOM.CORP (des-cbc-md5)
		                           7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
		                           7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		                           7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
		                           7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		                           7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
		                           7 cifs/FS-A@DOM.CORP (arcfour-hmac)
		                           7 FS-A$@DOM.CORP (des-cbc-crc)
		                           7 FS-A$@DOM.CORP (des-cbc-md5)
		                           7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
		                           7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
		                           7 FS-A$@DOM.CORP (arcfour-hmac)
		                           7 host/FS-A@DOM.CORP (des-cbc-crc)
		                           7 host/FS-A@DOM.CORP (des-cbc-md5)
		                           7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
		                           7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
		                           7 host/FS-A@DOM.CORP (arcfour-hmac)
		                           7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
		                           7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
		                           7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
		                           7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
		                           7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
		                           7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
		                           7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
		                           7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
		                           7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
		                           7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
		
		
		                        to temporarily solve this problem I must extract the keytab of the oldsamba from the domain controller and import it with ktutil:
		
		                        # ktutil
		                        ktutil:  rkt oldsamba.keytab
		                        ktutil:  l
		                        slot KVNO Principal
		                        ---- ---- ---------------------------------------------------------------------
		                           1  112           cifs/oldsamba@DOM.CORP
		                           2  112           cifs/oldsamba@DOM.CORP
		                           3  112           cifs/oldsamba@DOM.CORP
		                           4  113           cifs/oldsamba@DOM.CORP
		                           5  113           cifs/oldsamba@DOM.CORP
		                           6  113           cifs/oldsamba@DOM.CORP
		
		
		                        please note the kvno column.
		
		
		                        On Tue, 5 Nov 2019 at 11:30 L.P.H. van Belle <belle at bazuin.nl> wrote:
		
		
		                                Hai, 
		
		                                I've re-read your thread, and there are a few things going on..
		                                I suggest you do the following.. 
		
		                                Change these. 
		
		                                /etc/krb5.conf
		                                [libdefaults]
		                                  default_realm = DOM.CORP
		                                  dns_lookup_kdc = true
		                                  dns_lookup_realm = false
		                                  forwardable = true
		                                  proxiable = true
		                                  kdc_timesync = 1
		                                  debug = false 
		
		
		                                /etc/samba/smb.conf
		                                [Global]
		                                   workgroup = WG1
		                                   realm = DOM.CORP
		                                   # Netbios names in CAPS, see.. 
		                                   # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
		                                   # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and 
		                                   # Verify in DNS the following: A - PTR records for the netbios name, set up a CNAME for all alias names,
		                                   # point the CNAME to the A record of which the PTR also exists..
		                                   netbios name = FS-A
		                                   netbios aliases = OLDSAMBA
		                                   security = ADS
		                                   # 
		                                   kerberos method = secrets and keytab
		                                   dedicated keytab file = /etc/krb5.keytab
		                                   # renew the kerberos ticket
		                                   winbind refresh tickets = yes
		
		
		                                ON THIS MEMBER... ( you don't run: samba-tool spn list ..... )
		                                You run : net ads keytab
		
		                                cp /etc/krb5.keytab{,.backup}
		                                kinit Administrator
		                                KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
		
		                                Verify this keytab.
		                                klist -ke /etc/krb5.keytab2 
		
		                                You want to see : 
		                                host/NETBIOSNAME@DOM.CORP  ( x5 )
		                                host/fqdn.hostname.dom.tld@DOM.CORP  ( x5 )
		                                NETBIOSNAME$@DOM.CORP  ( x5 )
		
		                                If you see these.. then run this to add the cifs keytab.
		
		                                KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
		                                KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$ 
		
		                                Verify the keytab file again. 
		                                klist -ke /etc/krb5.keytab2  
		
		                                If it all looks good. 
		
		                                Stop all samba service
		                                rm /etc/krb5.keytab  .. ( a backupfile is made if you followed above ) 
		                                mv /etc/krb5.keytab2 /etc/krb5.keytab
		
		
		                                That "should" do the trick..
		
		
		
		                                Greetz, 
		
		                                Louis
		
		
		
		
		                                > -----Original message-----
		                                > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
		                                > banda bassotti via samba
		                                > Sent: Tuesday 5 November 2019 9:49
		                                > To: Rowland penny
		                                > CC: sambalist
		                                > Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp
		                                > (kvno 109) in keytab
		                                > 
		                                > hi, nothing to do, despite having set winbind not to change 
		                                > the machine
		                                > password the behavior is the same. I do not know what to do. 
		                                > other ideas?
		                                > 
		                                > thnx.
		                                > 
		                                > On Tue, 29 Oct 2019 at 11:37 banda bassotti <
		                                > bandabasotti at gmail.com> wrote:
		                                > 
		                                > > Hi, the problem seems to be related to this bug:
		                                > >
		                                > >   https://bugzilla.samba.org/show_bug.cgi?id=6750
		                                > >
		                                > > I try therefore to set
		                                > >
		                                > >   machine password timeout = 0
		                                > >
		                                > >
		                                > >
		                                > > On Tue, 29 Oct 2019 at 11:11 Rowland penny via samba <
		                                > > samba at lists.samba.org> wrote:
		                                > >
		                                > >> On 29/10/2019 10:04, banda bassotti wrote:
		                                > >> > I had already done it:
		                                > >> >
		                                > >> > # samba-tool spn list newsamba\$
		                                > >> > newsamba$
		                                > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
		                                > >> > servicePrincipalName:
		                                > >> >          HOST/NEWSAMBA
		                                > >> >          HOST/newsamba.domain.corp
		                                > >> >          cifs/oldsamba@DOMAIN.CORP
		                                > >> >          cifs/oldsamba.domain.corp@DOMAIN.CORP
		                                > >>
		                                > >>  From your log fragment, it appears to be looking for
		                                > >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will
		                                > probably have to
		                                > >> remove the lowercase version SPN and replace it with the uppercase
		                                > >> version.
		                                > >>
		                                > >> Rowland
		                                > >>
		                                > >>
		                                > >>
		                                > >> --
		                                > >> To unsubscribe from this list go to the following URL and read the
		                                > >> instructions:  https://lists.samba.org/mailman/options/samba
		                                > >>
		                                > >
		                                > 
		                                > 
		
		
		
		
		
		
		
		





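The verification steps this thread keeps coming back to (check `klist -ke` for the principals a member needs, look for stray alias SPNs and doubled entries, and confirm that `host <alias>` lands on the real hostname) scripted as an added example. This is not code from the thread, from Louis or from the Samba project. The names fs-a.dom.corp / FS-A / DOM.CORP are the thread's anonymized ones, the klist listing and the host answer below are constructed samples modelled on the thread's output (with one alias SPN and one duplicate added on purpose), and real klist output uses "@" where the mail archive prints " at ".

```shell
#!/bin/sh
# Added example, not from the thread: the keytab and alias checks Louis asks for, scripted.
# Assumed names (from the thread's anonymized output): fs-a.dom.corp, FS-A, DOM.CORP.

# Constructed sample modelled on the thread's "klist -ke ... | sort" listing, with one stray
# alias SPN and one duplicated entry added so the checks below have something to report.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)'

# Constructed "host oldsamba" answer as it should look: CNAME to the real host, A on the real host.
SAMPLE_HOST='oldsamba.dom.corp is an alias for fs-a.dom.corp.
fs-a.dom.corp has address 10.0.0.2'

# Principals expected after "net ads keytab create" plus "net ads keytab add cifs/$(hostname -f)":
# host/ and cifs/ in both the NetBIOS and the FQDN form, and the machine account itself.
required_principals() {  # $1 fqdn, $2 netbios name, $3 realm
    printf '%s\n' "host/$2@$3" "host/$1@$3" "$2\$@$3" "cifs/$2@$3" "cifs/$1@$3"
}

# "kvno principal enctype" triples from klist -ke text on stdin (header lines have no numeric KVNO).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $2, $3 }'
}

# Required principals absent from the keytab text on stdin; prints nothing when all are present.
missing_principals() {
    have=$(keytab_entries | awk '{ print $2 }' | sort -u)
    required_principals "$1" "$2" "$3" | while read -r p; do
        printf '%s\n' "$have" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Principals that should not be there, e.g. an alias pulled in through "netbios aliases".
unexpected_principals() {
    want=$(required_principals "$1" "$2" "$3")
    keytab_entries | awk '{ print $2 }' | sort -u | while read -r p; do
        printf '%s\n' "$want" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Entries with the same kvno, principal and enctype listed twice ("double = wrong" in the thread).
duplicate_entries() {
    keytab_entries | sort | uniq -d
}

# The canonical name a "host <alias>" answer resolves to: the CNAME target if there is one,
# otherwise the name carrying the A record (an alias with its own A record is the wrong setup).
alias_target() {
    awk '/ is an alias for / { t = $NF; sub(/\.$/, "", t); print t; exit }
         / has address /    { print $1; exit }'
}

# One member's summary: returns 0 when keytab and alias chain look right, 1 otherwise.
check_member() {  # $1 fqdn, $2 netbios, $3 realm, $4 klist text, $5 host text
    rc=0
    m=$(printf '%s\n' "$4" | missing_principals "$1" "$2" "$3")
    u=$(printf '%s\n' "$4" | unexpected_principals "$1" "$2" "$3")
    d=$(printf '%s\n' "$4" | duplicate_entries)
    a=$(printf '%s\n' "$5" | alias_target)
    [ -z "$m" ] || { echo "missing principals:"; printf '%s\n' "$m"; rc=1; }
    [ -z "$u" ] || { echo "unexpected principals (alias leaked in?):"; printf '%s\n' "$u"; rc=1; }
    [ -z "$d" ] || { echo "duplicated entries:"; printf '%s\n' "$d"; rc=1; }
    [ "$a" = "$1" ] || { echo "alias resolves to '$a', not to $1"; rc=1; }
    return "$rc"
}

# Run against the constructed samples; on a real member pass in "klist -ke" and "host <alias>" output.
check_member fs-a.dom.corp FS-A DOM.CORP "$SAMPLE_KLIST" "$SAMPLE_HOST" ||
    echo "fix the points above, then stop/start samba and try again"
```

On a real member, feed it the live output, for example `check_member "$(hostname -f)" FS-A DOM.CORP "$(klist -ke /etc/krb5.keytab)" "$(host oldsamba)"`; the sample run reports the leaked cifs/oldsamba SPN and the doubled host/FS-A entry, which is exactly the state the thread says to clean up before stop/starting Samba.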