[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab

Rowland penny rpenny at samba.org
Tue Nov 5 15:02:25 UTC 2019


On 05/11/2019 14:42, L.P.H. van Belle via samba wrote:
> Ok,
>   
> Your keytab looks ok now.
It might do, but it isn't the one being used ;-)
>   
> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> I would have expected here:
> oldsamba.dom.corp is an alias for fs-a.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> Or was that a typo? I'm assuming a typo..
>
> About your setup from the script output.
>   
> Change this one.
> /etc/hosts
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba  # Old/wrong
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba  # new/correct
> Or
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp  # new/correct
No, none of them are correct
>
> Here I personally prefer:
> 10.0.0.2 fs-a.dom.corp fs-a
But that is.
>
>
> Why is this used: getwd cache = yes ?
> For my understanding, I think you can remove it, because this should be handled differently in samba4.
Yes, it should be removed, but only because it is a default setting.
>   
>   
> @Rowland,
> This might help you understand my response on this one.
>   
>> You are creating a keytab, which may or may not be called /etc/krb5.keytab2
> ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
> But since it's replaced anyway now.
>
> PS, keytab name is not significant.
> What is significant is what is set for: default_keytab_name in krb5.conf
> Which of course defaults to FILE:/etc/krb5.keytab
I was trying to show that a keytab was being created but not used.
>
>
>>> Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
>>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> Then something reads the keytab in memory and cannot find the
>> required SPN, or to put it another way, whatever is trying to find the
>> SPN isn't reading the keytab you created above, it is reading the one in memory.
> Ok, this part above, yes, you're right, it's reading in memory, but to my belief,
> From:  kerberos method = secrets and keytab,  and as far as I know "secrets" = MEMORY
Sorry but no, 'secrets' = secrets.tdb (unless this is something else 
wrong in the smb.conf manpage)
> but ask yourself, why is it using the "oldsamba" name if he is using oldsamba as alias name.
> That's the key here, so conclusion: resolving problems/incorrect setup.
>
> So therefore I'm saying (typed this before I got the script output):
> OLDSAMBA is still in /etc/hosts but before the new hostname
> Or it still has a dns A record.
> Or samba is also using the Netbios Alias names while creating keytab entries.
>     ... And this should, in my opinion, not happen, so let's wait for what comes back.
> AND his keytab file is still incorrectly setup.
>
> And as I saw in the debug script output, I'm betting now on /etc/hosts as what needs fixing.

This is quite possibly a DNS problem; my gut feeling is to leave the 
domain, clean everything up and then rejoin. Hopefully this will fix things.

Rowland


>
> Summary.
>
> Change : /etc/hosts
> # this line to :
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
> #Or
> 10.0.0.2 fs-a.dom.corp fs-a # preferred, and set up CNAME in DNS.
>
> Reboot the server or "stop/start" samba (don't restart)!
>
> Verify the hostname-alias
> host oldhostname.dom.corp
> host oldhostname
>
> And try again.
>
>
> Greetz,
>   
> Louis
>   
>   
>
>
> ________________________________
>
> 	From: banda bassotti [mailto:bandabasotti at gmail.com]
> 	Sent: Tuesday 5 November 2019 14:49
> 	To: L.P.H. van Belle
> 	CC: samba at lists.samba.org
> 	Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
> 	
> 	
> 	systemctl stop nmbd smbd winbind
> 	rm -f /etc/krb5.keytab*
> 	KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
> 	net ads keytab create cifs/$(hostname -f)
> 	klist -ke /etc/krb5.keytab | sort
> 	
> 	---- --------------------------------------------------------------------------
> 	   7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 	   7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 	   7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 	   7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 	   7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 	   7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 	   7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 	   7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 	   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 	   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 	   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 	   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 	   7 FS-A$@DOM.CORP (arcfour-hmac)
> 	   7 FS-A$@DOM.CORP (des-cbc-crc)
> 	   7 FS-A$@DOM.CORP (des-cbc-md5)
> 	   7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 	   7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 	   7 host/FS-A at DOM.CORP (arcfour-hmac)
> 	   7 host/FS-A at DOM.CORP (des-cbc-crc)
> 	   7 host/FS-A at DOM.CORP (des-cbc-md5)
> 	   7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 	   7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 	   7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 	   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 	   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 	Keytab name: FILE:/etc/krb5.keytab
> 	KVNO Principal
> 	
>
> 	systemctl start nmbd smbd winbind
>
> 	# host oldsamba
> 	oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
> 	fs-a.dom.corp has address 10.0.0.2
> 	
>
> 	$ kinit testuser
> 	$ smbclient //oldsamba/testuser -k -c 'ls'
> 	Unable to initialize messaging context
> 	session setup failed: NT_STATUS_LOGON_FAILURE
> 	
>
> 	[2019/11/05 14:32:18.863122,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> 	  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> 	[2019/11/05 14:32:18.863192,  1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
> 	  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> 	
>
> 	attached the samba-debug-info.txt
>
> 	On Tue 5 Nov 2019 at 13:43 L.P.H. van Belle <belle at bazuin.nl> wrote:
> 	
>
> 		Hai,
> 		
> 		Nope.. Too much again ;-)
> 		
> 		This is one step too much:
> 		step2:
> 		# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP
> 		# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP
> 		# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
> 		
> 		And why are you adding @REALM .. Do it exactly as shown below.
> 		
> 		Because a CNAME resolves to the REAL hostname's A record, Kerberos then uses the A of the real hostname and (might) verify the PTR also.
> 		
> 		So again and exactly as shown, because your "Default realm" is used automatically.
> 		
> 		kinit Administrator
> 		*(you see here:  Password for Administrator at REALM: )
> 		
> 		stop samba and related services.
> 		
> 		rm /etc/krb5.keytab2
> 		rm /etc/krb5.keytab
> 		
> 		# i change the keytab to the needed name (/etc/krb5.keytab)
> 		KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
> 		
> 		net ads keytab create cifs/$(hostname -f)
> 		
> 		Verify the output.
> 		klist -ke /etc/krb5.keytab | sort
> 		
> 		If you see the ALIAS hostname "oldsamba" again in the keytab file,
> 		then remove it from smb.conf:
> 		
> 		netbios aliases = OLDSAMBA
> 		
> 		Verify the DNS and make sure your real hostname does have the A and PTR records set.
> 		And remove all A/PTR records related to OLDSAMBA.
> 		Add the CNAME for OLDSAMBA and point it to the real hostname.
> 		
> 		Restart samba, repeat above.
> 		
> 		Still failing..
> 		Then get this script: https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> 		Run it, anonymize it and post the output.
> 		
> 		
> 		Greetz,
> 		
> 		Louis
> 		
> 		
> 		
> 		________________________________
> 		
> 		        From: banda bassotti [mailto:bandabasotti at gmail.com]
> 		        Sent: Tuesday 5 November 2019 13:18
> 		        To: L.P.H. van Belle
> 		        CC: samba at lists.samba.org
> 		        Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
> 		
> 		
> 		        Louis, ok I've removed everything, step 1:
> 		
> 		        KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
> 		
> 		        klist -ke /etc/krb5.keytab2|grep 7|sort
> 		
> 		
> 		           7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 		           7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 		           7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 		           7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 FS-A$@DOM.CORP (arcfour-hmac)
> 		           7 FS-A$@DOM.CORP (des-cbc-crc)
> 		           7 FS-A$@DOM.CORP (des-cbc-md5)
> 		           7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 host/FS-A at DOM.CORP (arcfour-hmac)
> 		           7 host/FS-A at DOM.CORP (des-cbc-crc)
> 		           7 host/FS-A at DOM.CORP (des-cbc-md5)
> 		           7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 		           7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 		           7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 		
> 		
> 		
> 		        step2:
> 		        # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP
> 		        # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP
> 		        # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
> 		
> 		
> 		        klist
> 		
> 		           7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 		           7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 		           7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 		           7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 		           7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
> 		           7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
> 		           7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
> 		           7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
> 		           7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
> 		           7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
> 		           7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
> 		           7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
> 		           7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
> 		           7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 FS-A$@DOM.CORP (arcfour-hmac)
> 		           7 FS-A$@DOM.CORP (des-cbc-crc)
> 		           7 FS-A$@DOM.CORP (des-cbc-md5)
> 		           7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 host/FS-A at DOM.CORP (arcfour-hmac)
> 		           7 host/FS-A at DOM.CORP (des-cbc-crc)
> 		           7 host/FS-A at DOM.CORP (des-cbc-md5)
> 		           7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		           7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		           7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 		           7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 		           7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 		
> 		
> 		        systemctl start nmbd smbd winbind
> 		
> 		        test from Windows machine:
> 		
> 		        [2019/11/05 13:14:49.108879,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> 		          gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> 		
> 		
> 		        On Tue 5 Nov 2019 at 12:40 L.P.H. van Belle <belle at bazuin.nl> wrote:
> 		
> 		
> 		                Ok, you did too much as far as I can tell.
> 		
> 		                You want to see this: I'll show my output, then it is easier to see what I mean.
> 		
> 		                This is what you start with.
> 		                klist -ke |sort  ( default member )
> 		                ---- --------------------------------------------------------------------------
> 		                   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> 		                   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> 		                   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (arcfour-hmac)
> 		                   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-crc)
> 		                   3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-md5)
> 		                   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> 		                   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> 		                   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
> 		                   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
> 		                   3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
> 		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> 		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> 		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
> 		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
> 		                   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
> 		
> 		                In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver.
> 		
> 		                /etc/hosts
> 		                127.0.0.1     localhost
> 		                192.168.0.1   hostname1.internal.domain.tld hostname1  mycrazyserver.internal.domain.tld
> 		                Host format:
> 		                IP      REAL_HOSTNAME_FQDN ALIAS ALIAS
> 		
> 		                Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through DNS.
> 		
> 		                ping mycrazyserver.internal.domain.tld will reply with hostname1.internal.domain.tld hostname1
> 		
> 		                If you add CIFS to your keytab you want to see:
> 		                   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
> 		                   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
> 		                   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
> 		                   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
> 		                   3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
> 		                ( + whats above )
> 		
> 		                That's it..
> 		
> 		                So your output should look like this.
> 		
> 		                       7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                       7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                       7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 		                       7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 		                       7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 		                       7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                       7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                       7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 		                       7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 		                       7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 		                       7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                       7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                       7 FS-A$@DOM.CORP (arcfour-hmac)
> 		                       7 FS-A$@DOM.CORP (des-cbc-crc)
> 		                       7 FS-A$@DOM.CORP (des-cbc-md5)
> 		                       7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                       7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong
> 		                       7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                       7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
> 		                       7 host/FS-A at DOM.CORP (arcfour-hmac)
> 		                       7 host/FS-A at DOM.CORP (arcfour-hmac)      < double = wrong
> 		                       7 host/FS-A at DOM.CORP (des-cbc-crc)
> 		                       7 host/FS-A at DOM.CORP (des-cbc-crc)       < double = wrong
> 		                       7 host/FS-A at DOM.CORP (des-cbc-md5)
> 		                       7 host/FS-A at DOM.CORP (des-cbc-md5)       < double = wrong
> 		                       7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                       7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                       7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 		                       7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 		                       7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 		
> 		
> 		                So try again. ;-)
> 		
> 		                Greetz,
> 		
> 		                Louis
> 		
> 		
> 		
> 		
> 		
> 		                ________________________________
> 		
> 		                        Van: banda bassotti [mailto:bandabasotti at gmail.com]
> 		                        Verzonden: dinsdag 5 november 2019 12:06
> 		                        Aan: L.P.H. van Belle
> 		                        CC: samba at lists.samba.org
> 		                        Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
> 		
> 		
> 		                        Louis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:
> 		
> 		
> 		                        [2019/11/05 11:49:47.748159,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> 		
> 		                          gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> 		
> 		
> 		                        please pay attention to (kvno 113): the problem is here and not the keytab file.
> 		
> 		
> 		                        klist -ke /etc/krb5.keytab
> 		                        Keytab name: FILE:/etc/krb5.keytab
> 		                        KVNO Principal
> 		                        ---- --------------------------------------------------------------------------
> 		                           7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 		                           7 host/FS-A at DOM.CORP (des-cbc-crc)
> 		                           7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 		                           7 host/FS-A at DOM.CORP (des-cbc-md5)
> 		                           7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                           7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                           7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                           7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                           7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 		                           7 host/FS-A at DOM.CORP (arcfour-hmac)
> 		                           7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
> 		                           7 cifs/FS-A at DOM.CORP (des-cbc-crc)
> 		                           7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
> 		                           7 cifs/FS-A at DOM.CORP (des-cbc-md5)
> 		                           7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                           7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                           7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                           7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                           7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
> 		                           7 cifs/FS-A at DOM.CORP (arcfour-hmac)
> 		                           7 FS-A$@DOM.CORP (des-cbc-crc)
> 		                           7 FS-A$@DOM.CORP (des-cbc-md5)
> 		                           7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                           7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                           7 FS-A$@DOM.CORP (arcfour-hmac)
> 		                           7 host/FS-A at DOM.CORP (des-cbc-crc)
> 		                           7 host/FS-A at DOM.CORP (des-cbc-md5)
> 		                           7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                           7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                           7 host/FS-A at DOM.CORP (arcfour-hmac)
> 		                           7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
> 		                           7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
> 		                           7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                           7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                           7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
> 		                           7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
> 		                           7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
> 		                           7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
> 		                           7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
> 		                           7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
> 		
> 		
> 		                        to temporarily solve this problem I must extract the keytab of the oldsamba from the domain controller and import it with ktutil:
> 		
> 		                        # ktutil
> 		                        ktutil:  rkt oldsamba.keytab
> 		                        ktutil:  l
> 		                        slot KVNO Principal
> 		                        ---- ---- ---------------------------------------------------------------------
> 		                           1  112           cifs/oldsamba at DOM.CORP
> 		                           2  112           cifs/oldsamba at DOM.CORP
> 		                           3  112           cifs/oldsamba at DOM.CORP
> 		                           4  113           cifs/oldsamba at DOM.CORP
> 		                           5  113           cifs/oldsamba at DOM.CORP
> 		                           6  113           cifs/oldsamba at DOM.CORP
> 		
> 		
> 		                        please note the kvno column.
> 		
> 		
> 		                        On Tue 5 Nov 2019 at 11:30 L.P.H. van Belle <belle at bazuin.nl> wrote:
> 		
> 		
> 		                                Hai,
> 		
> 		                                I've re-read your thread, and there are a few things going on..
> 		                                I suggest you do the following..
> 		
> 		                                Change these.
> 		
> 		                                /etc/krb5.conf
> 		                                [libdefaults]
> 		                                  default_realm = DOM.CORP
> 		                                  dns_lookup_kdc = true
> 		                                  dns_lookup_realm = false
> 		                                  forwardable = true
> 		                                  proxiable = true
> 		                                  kdc_timesync = 1
> 		                                  debug = false
> 		
> 		
> 		                                /etc/samba/smb.conf
> 		                                [Global]
> 		                                   workgroup = WG1
> 		                                   realm = DOM.CORP
> 		                                   # Netbios names in CAPS, see..
> 		                                   # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
> 		                                   # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> 		                                   # Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names,
> 		                                   # point CNAME to the A record of which the PTR also exists..
> 		                                   netbios name = FS-A
> 		                                   netbios aliases = OLDSAMBA
> 		                                   security = ADS
> 		                                   #
> 		                                   kerberos method = secrets and keytab
> 		                                   dedicated keytab file = /etc/krb5.keytab
> 		                                   # renew the kerberos ticket
> 		                                   winbind refresh tickets = yes
> 		
> 		
> 		                                ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
> 		                                You run : net ads keytab
> 		
> 		                                cp /etc/krb5.keytab{,.backup}
> 		                                kinit Administrator
> 		                                KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
> 		
> 		                                Verify this keytab.
> 		                                klist -ke /etc/krb5.keytab2
> 		
> 		                                You want to see :
> 		                                host/NETBIOSNAME at DOM.CORP  ( x5 )
> 		                                host/fqdn.hostname.dom.tld at DOM.CORP  ( x5 )
> 		                                NETBIOSNAME$@DOM.CORP  ( x5 )
> 		
> 		                                If you see these.. Then run this to add the cifs keytab.
> 		
> 		                                KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
> 		                                KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
> 		
> 		                                Verify the keytab file again.
> 		                                klist -ke /etc/krb5.keytab2
> 		
> 		                                If it all looks good.
> 		
> 		                                Stop all samba services
> 		                                rm /etc/krb5.keytab  .. ( a backup file is made if you followed above )
> 		                                mv /etc/krb5.keytab2 /etc/krb5.keytab
> 		
> 		
> 		                                That "should" do the trick..
> 		
> 		
> 		
> 		                                Greetz,
> 		
> 		                                Louis
> 		
> 		
> 		
> 		
> 		                                > -----Original message-----
> 		                                > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> 		                                > banda bassotti via samba
> 		                                > Sent: Tuesday 5 November 2019 9:49
> 		                                > To: Rowland penny
> 		                                > CC: sambalist
> 		                                > Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp
> 		                                > (kvno 109) in keytab
> 		                                >
> 		                                > Hi, nothing to do, despite having set winbind not to change
> 		                                > the machine password the behavior is the same. I do not know what to do.
> 		                                > Other ideas?
> 		                                >
> 		                                > thnx.
> 		                                >
> 		                                > On Tue 29 Oct 2019 at 11:37 banda bassotti <
> 		                                > bandabasotti at gmail.com> wrote:
> 		                                >
> 		                                > > Hi, the problem seems to be related to this bug:
> 		                                > >
> 		                                > >   https://bugzilla.samba.org/show_bug.cgi?id=6750
> 		                                > >
> 		                                > > I try therefore to set
> 		                                > >
> 		                                > >   machine password timeout = 0
> 		                                > >
> 		                                > >
> 		                                > >
> 		                                > > On Tue 29 Oct 2019 at 11:11 Rowland penny via samba <
> 		                                > > samba at lists.samba.org> wrote:
> 		                                > >
> 		                                > >> On 29/10/2019 10:04, banda bassotti wrote:
> 		                                > >> > I had already done it:
> 		                                > >> >
> 		                                > >> > # samba-tool spn list newsamba\$
> 		                                > >> > newsamba$
> 		                                > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> 		                                > >> > servicePrincipalName:
> 		                                > >> >          HOST/NEWSAMBA
> 		                                > >> >          HOST/newsamba.domain.corp
> 		                                > >> >          cifs/oldsamba at DOMAIN.CORP
> 		                                > >> >          cifs/oldsamba.domain.corp at DOMAIN.CORP
> 		                                > >>
> 		                                > >>  From your log fragment, it appears to be looking for
> 		                                > >> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You will
> 		                                > probably have to
> 		                                > >> remove the lowercase version SPN and replace it with the uppercase
> 		                                > >> version.
> 		                                > >>
> 		                                > >> Rowland
> 		                                > >>
> 		                                > >>
> 		                                > >>
> 		                                > >> --
> 		                                > >> To unsubscribe from this list go to the following URL and read the
> 		                                > >> instructions:  https://lists.samba.org/mailman/options/samba
> 		                                > >>
> 		                                > >
> 		                                >
> 		                                >
> 		
> 		
> 		
> 		
> 		
> 		
> 		
> 		
>
>
>
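A small diagnostic that cross-checks the `klist -ke` listing against the gse.c "Failed to find ... in keytab" line discussed in this thread. This is an added example, not Samba code and not from any poster; the keytab listings and the log line are constructed from the thread's output (with a real `@` where the list archive prints ` at `), and the finding strings are my own.

```python
"""Cross-check a Samba 'Failed to find <SPN>(kvno N) in keytab' error against
the output of ``klist -ke``.

Added diagnostic example (not Samba code, not from the thread). The check
separates the causes the thread circles around: the SPN is missing from the
keytab (or only present in a different case), it is present but under a
different KVNO than the ticket was issued for, the enctype is missing, or the
keytab carries duplicate rows (what Louis marks "< double = wrong").
"""
import re
from collections import Counter

# klist -ke row:   "   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)"
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# gse.c text: "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)"
ERROR_RE = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)
# The log names the RC4 type differently from klist; treat the spellings as one key type.
ENCTYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}

# Constructed sample: keytab right after 'net ads keytab CREATE -P' (no alias SPN yet).
KLIST_AFTER_CREATE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
"""
# Constructed sample: alias SPN added by hand with kvno 7, one row duplicated.
KLIST_AFTER_ADD = KLIST_AFTER_CREATE + """\
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
"""
# Constructed from the thread's smbd log line, '@' restored.
ERROR_LINE = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
              "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab "
              "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; header and separator lines are skipped."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in (KLIST_RE.match(line) for line in text.splitlines()) if m]


def parse_error(line):
    """Extract principal, kvno, keytab name and (normalised) enctype from the gse.c error."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    return {"principal": m["principal"], "kvno": int(m["kvno"]), "keytab": m["keytab"],
            "enctype": ENCTYPE_ALIASES.get(m["enctype"], m["enctype"])}


def diagnose(klist_text, error_line):
    """Return a list of findings explaining why the keytab lookup in the log failed."""
    err = parse_error(error_line)
    if err is None:
        return ["error line not recognised"]
    entries = parse_klist(klist_text)
    findings = []
    # Duplicate rows: the same (kvno, principal, enctype) listed more than once.
    for (kvno, princ, enc), n in Counter(entries).items():
        if n > 1:
            findings.append(f"duplicate entry x{n}: {kvno} {princ} ({enc})")
    # Kerberos principal names are case-sensitive, so an exact match is required.
    exact = [e for e in entries if e[1] == err["principal"]]
    if not exact:
        near = sorted({e[1] for e in entries if e[1].lower() == err["principal"].lower()})
        if near:
            findings.append(f"{err['principal']} missing; only {', '.join(near)} present (case differs)")
        else:
            findings.append(f"{err['principal']} not in keytab at all")
        return findings
    # The ticket was encrypted with the key version the KDC holds; the keytab must hold that version.
    kvnos = sorted({e[0] for e in exact})
    if err["kvno"] not in kvnos:
        findings.append(f"kvno mismatch for {err['principal']}: ticket kvno {err['kvno']}, keytab has {kvnos}")
        return findings
    encs = {ENCTYPE_ALIASES.get(e[2], e[2]) for e in exact if e[0] == err["kvno"]}
    if err["enctype"] not in encs:
        findings.append(f"no {err['enctype']} key for {err['principal']} kvno {err['kvno']} (have {sorted(encs)})")
        return findings
    # Everything the error asks for is in this listing, so the daemon must be reading another keytab.
    findings.append(f"{err['principal']} kvno {err['kvno']} ({err['enctype']}) is in this listing; "
                    f"samba read {err['keytab']}, so check which keytab file it actually loads")
    return findings


if __name__ == "__main__":
    for name, text in (("after CREATE", KLIST_AFTER_CREATE), ("after ADD", KLIST_AFTER_ADD)):
        print(name)
        for finding in diagnose(text, ERROR_LINE):
            print("  -", finding)
```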



