[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

banda bassotti bandabasotti at gmail.com
Tue Nov 5 15:36:14 UTC 2019


Luis, my typos. I have to mask the output, sorry (compliance).

# su - testuser
$ smbclient --option='client min protocol=NT1' -U testuser //oldsamba/testuser -c 'ls'
Unable to initialize messaging context
Enter DOM\testuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

[2019/11/05 15:50:50.009481,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/stcomune@COMUNE.PADOVA.IT(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2019/11/05 15:50:50.009564,  1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE

The same test from a Windows machine fails with a user credential request.

$ host oldsamba
oldsamba.dom.corp is an alias for fs-a.dom.corp.
fs-a.dom.corp has address 10.0.0.2

$ head /etc/hosts
127.0.0.1 localhost
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba

I accepted your suggestions and modified smb.conf accordingly, thanks.

On Tue, 5 Nov 2019 at 15:43, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> Ok,
>
> Your keytab looks ok now.
>
> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> I would have expected here:
> oldsamba.dom.corp is an alias for fs-a.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> Or was that a typo? I'm assuming a typo..
>
> About your setup from the script output.
>
> Change this one.
> /etc/hosts
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba  # Old/wrong
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba  # new/correct
> Or
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp  # new/correct
>
> Here I personally prefer:
> 10.0.0.2 fs-a.dom.corp fs-a
>
> And add the CNAME to the DNS.
>
> Why.. IP ALIAS1 ALIAS2.. etc.., but what I didn't tell before.. (sorry)
>
> ALIAS: if you use a "single label" alias name, as in only the
> hostname alias without the domain part, then that hostname can/should
> only be used on the server, because it's missing the domain part.
>
> I do the same here, this is how I use it. (from a 4.11.2 member to a..
> yes, 3.6.x server, I still have one running.. :-/ )
> smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
> -k won't work here, don't ask why, that I don't know.
>
> To a 4.8+ member I use:   smbclient //somealias/sharename  -c 'ls'
>
> /etc/samba/smb.conf
> You can remove these after testing, or set them to no and use getent
> passwd/group username/groupname if you want to see the groups.
>   winbind enum groups = yes
>   winbind enum users = yes
>
> Why is this used: getwd cache = yes ?
> To my understanding, I think you can remove it, because this should be
> handled differently in samba4.
>
> You're allowing:  usershare allow guests = yes
> but you disable the share location: usershare path =
> Either use it or disable it, now it's?? you tell me.. ;-) .
>
> But besides the above points your setup looks pretty good.
>
> @Rowland,
> This might help you understand my response on this one.
>
> > You are creating a keytab, which may or may not be called
> > /etc/krb5.keytab2
>
> ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
> But since it's replaced anyway now.
>
> Ps, the keytab name is not significant.
> What is significant is what is set for: default_keytab_name in krb5.conf
> Which of course defaults to FILE:/etc/krb5.keytab
>
>
> > > Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
> > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > Then something reads the keytab in memory and cannot find the
> > required SPN, or to put it another way, whatever is trying to find the
> > SPN isn't reading the keytab you created above, it is reading the one
> > in memory.
>
> Ok, this part above, yes, you're right, it's reading in memory, but to my
> belief,
> from:  kerberos method = secrets and keytab,  and as far as I know "secrets"
> = MEMORY.
> But ask yourself, why is it using the "oldsamba" name if he is using
> oldsamba as alias name?
> That's the key here, so conclusion: resolving problems / incorrect setup.
>
> So therefore I'm saying (typed this before I got the script output):
> OLDSAMBA is still in /etc/hosts but before the new hostname,
> or it still has a DNS A record,
> or samba is also using the NetBIOS alias names while creating keytab
> entries.
>    ... And this should in my opinion not happen, so let's wait what comes
> back.
> AND his keytab file is still incorrectly set up.
>
> And as I saw in the debug script output, I'm betting now on /etc/hosts that
> needs fixing.
>
> Summary.
>
> Change: /etc/hosts
> # this line to:
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
> #Or
> 10.0.0.2 fs-a.dom.corp fs-a # preferred, and set up a CNAME in DNS.
>
> Reboot the server or "stop/start" samba (don't restart)!
>
> Verify the hostname alias:
> host oldhostname.dom.corp
> host oldhostname
>
> And try again.
>
>
> Greetz,
>
> Louis
>
>
>
>
> ________________________________
>
>         From: banda bassotti [mailto:bandabasotti at gmail.com]
>         Sent: Tuesday 5 November 2019 14:49
>         To: L.P.H. van Belle
>         CC: samba at lists.samba.org
>         Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
>
>         systemctl stop nmbd smbd winbind
>         rm -f /etc/krb5.keytab*
>         KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>         net ads keytab create cifs/$(hostname -f)
>         klist -ke /etc/krb5.keytab | sort
>
>         ---- --------------------------------------------------------------------------
>            7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>            7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>            7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>            7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>            7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>            7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 FS-A$@DOM.CORP (arcfour-hmac)
>            7 FS-A$@DOM.CORP (des-cbc-crc)
>            7 FS-A$@DOM.CORP (des-cbc-md5)
>            7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/FS-A@DOM.CORP (arcfour-hmac)
>            7 host/FS-A@DOM.CORP (des-cbc-crc)
>            7 host/FS-A@DOM.CORP (des-cbc-md5)
>            7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>            7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>            7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>            7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>            7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>         Keytab name: FILE:/etc/krb5.keytab
>         KVNO Principal
>
>
>         systemctl start nmbd smbd winbind
>
>         # host oldsamba
>         oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>         fs-a.dom.corp has address 10.0.0.2
>
>
>         $ kinit testuser
>         $ smbclient //oldsamba/testuser -k -c 'ls'
>         Unable to initialize messaging context
>         session setup failed: NT_STATUS_LOGON_FAILURE
>
>
>         [2019/11/05 14:32:18.863122,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>           gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>         [2019/11/05 14:32:18.863192,  1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>           gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>
>
>         attached the samba-debug-info.txt
>
>         On Tue, 5 Nov 2019 at 13:43, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>
>                 Hai,
>
>                 Nope.. Too much again ;-)
>
>                 This is one step too much:
>                 step2:
>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
>
>                 And why are you adding @REALM.. Do it exactly as shown below.
>
>                 Because a CNAME resolves to the REAL hostname's A record, then Kerberos
>                 uses the A of the real hostname and (might) verify the PTR also.
>
>                 So again and exactly as shown, because your "Default realm" is used
>                 automatically.
>
>                 kinit Administrator
>                 *(you see here:  Password for Administrator@REALM: )
>
>                 stop samba and related services.
>
>                 rm /etc/krb5.keytab2
>                 rm /etc/krb5.keytab
>
>                 # I change the keytab to the needed name (/etc/krb5.keytab)
>                 KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>
>                 net ads keytab create cifs/$(hostname -f)
>
>                 Verify the output.
>                 klist -ke /etc/krb5.keytab | sort
>
>                 If you see the ALIAS hostname "oldsamba" again in the keytab file,
>                 then remove it from smb.conf:
>
>                 netbios aliases = OLDSAMBA
>
>                 Verify the DNS and make sure your real hostname does have the A and
>                 PTR records set.
>                 And remove all A/PTR records related to OLDSAMBA.
>                 Add the CNAME for OLDSAMBA and point it to the real hostname.
>
>                 Restart samba, repeat above.
>
>                 Still failing..
>                 Then get this script:
>                 https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>                 Run it, anonymize it and post the output.
>
>
>                 Greetz,
>
>                 Louis
>
>
>
>                 ________________________________
>
>                         From: banda bassotti [mailto:bandabasotti at gmail.com]
>
>                         Sent: Tuesday 5 November 2019 13:18
>                         To: L.P.H. van Belle
>                         CC: samba at lists.samba.org
>                         Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
>
>                         Luis, ok I've removed everything, step 1:
>
>                         KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
>                         klist -ke /etc/krb5.keytab2|grep 7|sort
>
>
>                            7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>                            7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>                            7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 FS-A$@DOM.CORP (arcfour-hmac)
>                            7 FS-A$@DOM.CORP (des-cbc-crc)
>                            7 FS-A$@DOM.CORP (des-cbc-md5)
>                            7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 host/FS-A@DOM.CORP (arcfour-hmac)
>                            7 host/FS-A@DOM.CORP (des-cbc-crc)
>                            7 host/FS-A@DOM.CORP (des-cbc-md5)
>                            7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>                            7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>                            7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>
>
>
>                         step2:
>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
>
>
>                         klist
>
>                            7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>                            7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>                            7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>                            7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>                            7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
>                            7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
>                            7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
>                            7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>                            7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>                            7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>                            7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>                            7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>                            7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 FS-A$@DOM.CORP (arcfour-hmac)
>                            7 FS-A$@DOM.CORP (des-cbc-crc)
>                            7 FS-A$@DOM.CORP (des-cbc-md5)
>                            7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 host/FS-A@DOM.CORP (arcfour-hmac)
>                            7 host/FS-A@DOM.CORP (des-cbc-crc)
>                            7 host/FS-A@DOM.CORP (des-cbc-md5)
>                            7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>                            7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>                            7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>                            7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>                            7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>
>
>                         systemctl start nmbd smbd winbind
>
>                         Test from a Windows machine:
>
>                         [2019/11/05 13:14:49.108879,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>                           gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
>
>                         On Tue, 5 Nov 2019 at 12:40, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>
>                                 Ok, you did too much as far as I can tell.
>
>                                 You want to see this: I'll show my output, then it is easier to see what I mean.
>
>                                 This is where you start with.
>                                 klist -ke |sort  ( default member )
>                                 ---- --------------------------------------------------------------------------
>                                    3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>                                    3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>                                    3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
>                                    3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
>                                    3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
>                                    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>                                    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>                                    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
>                                    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
>                                    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
>
>                                 In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver
>
>                                 /etc/hosts
>                                 127.0.0.1     localhost
>                                 192.168.0.1   hostname1.internal.domain.tld hostname1  mycrazyserver.internal.domain.tld
>                                 Host format:
>                                 IP      REAL_HOSTNAME_FQDN ALIAS ALIAS
>
>                                 Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is
>                                 resolved through DNS.
>
>                                 ping mycrazyserver.internal.domain.tld will respond its reply with
>                                 hostname1.internal.domain.tld hostname1
>
>                                 If you add CIFS to your keytab you want to see:
>                                    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>                                    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>                                    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
>                                    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
>                                    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
>                                 ( + what's above )
>
>                                 That's it..
>
>                                 So your output should look like this.
>
>                                        7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                        7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                        7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>                                        7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>                                        7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>                                        7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                        7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                        7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>                                        7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>                                        7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>                                        7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                        7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                        7 FS-A$@DOM.CORP (arcfour-hmac)
>                                        7 FS-A$@DOM.CORP (des-cbc-crc)
>                                        7 FS-A$@DOM.CORP (des-cbc-md5)
>                                        7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                        7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)   < double = wrong
>                                        7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                        7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
>                                        7 host/FS-A@DOM.CORP (arcfour-hmac)
>                                        7 host/FS-A@DOM.CORP (arcfour-hmac)      < double = wrong
>                                        7 host/FS-A@DOM.CORP (des-cbc-crc)
>                                        7 host/FS-A@DOM.CORP (des-cbc-crc)       < double = wrong
>                                        7 host/FS-A@DOM.CORP (des-cbc-md5)
>                                        7 host/FS-A@DOM.CORP (des-cbc-md5)       < double = wrong
>                                        7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                        7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                        7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>                                        7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>                                        7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>
>
>                                 So try again. ;-)
>
>                                 Greetz,
>
>                                 Louis
>
>
>
>
>
>                                 ________________________________
>
>                                         From: banda bassotti [mailto:bandabasotti at gmail.com]
>                                         Sent: Tuesday 5 November 2019 12:06
>                                         To: L.P.H. van Belle
>                                         CC: samba at lists.samba.org
>                                         Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
>
>                                         Luis, thank you very much, I followed the procedure step by step (which I had
>                                         already done) but unfortunately I always have the same error:
>
>
>                                         [2019/11/05 11:49:47.748159,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>                                           gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
>
>                                         please pay attention to (kvno 113): the problem is here and not in the keytab file.
>
>
>                                         klist -ke /etc/krb5.keytab
>                                         Keytab name: FILE:/etc/krb5.keytab
>                                         KVNO Principal
>                                         ---- --------------------------------------------------------------------------
>                                            7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>                                            7 host/FS-A@DOM.CORP (des-cbc-crc)
>                                            7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>                                            7 host/FS-A@DOM.CORP (des-cbc-md5)
>                                            7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                            7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                            7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                            7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                            7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>                                            7 host/FS-A@DOM.CORP (arcfour-hmac)
>                                            7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>                                            7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>                                            7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>                                            7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>                                            7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                            7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                            7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                            7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                            7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>                                            7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>                                            7 FS-A$@DOM.CORP (des-cbc-crc)
>                                            7 FS-A$@DOM.CORP (des-cbc-md5)
>                                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                            7 FS-A$@DOM.CORP (arcfour-hmac)
>                                            7 host/FS-A@DOM.CORP (des-cbc-crc)
>                                            7 host/FS-A@DOM.CORP (des-cbc-md5)
>                                            7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                            7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                            7 host/FS-A@DOM.CORP (arcfour-hmac)
>                                            7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>                                            7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>                                            7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                            7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                            7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>                                            7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>                                            7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>                                            7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>                                            7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>                                            7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>
>
>                                         to temporarily solve this problem I must extract the keytab of the oldsamba
>                                         from the domain controller and import it with ktutil:
>
>                                         # ktutil
>                                         ktutil:  rkt oldsamba.keytab
>                                         ktutil:  l
>                                         slot KVNO Principal
>                                         ---- ---- ---------------------------------------------------------------------
>                                            1  112  cifs/oldsamba@DOM.CORP
>                                            2  112  cifs/oldsamba@DOM.CORP
>                                            3  112  cifs/oldsamba@DOM.CORP
>                                            4  113  cifs/oldsamba@DOM.CORP
>                                            5  113  cifs/oldsamba@DOM.CORP
>                                            6  113  cifs/oldsamba@DOM.CORP
>
>
>                                         please note the kvno column.
>
>
>                                         On Tue, 5 Nov 2019 at 11:30, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>
>                                                 Hai,
>
>                                                 I've re-read your thread, and there are a few things going on..
>                                                 I suggest you do the following..
>
>                                                 Change these.
>
>                                                 /etc/krb5.conf
>                                                 [libdefaults]
>                                                   default_realm = DOM.CORP
>                                                   dns_lookup_kdc = true
>                                                   dns_lookup_realm = false
>                                                   forwardable = true
>                                                   proxiable = true
>                                                   kdc_timesync = 1
>                                                   debug = false
>
>
>                                                 /etc/samba/smb.conf
>                                                 [Global]
>                                                    workgroup = WG1
>                                                    realm = DOM.CORP
>                                                    # Netbios names in CAPS, see..
>                                                    # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
>                                                    # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>                                                    # Verify in DNS the following: A and PTR records for the netbios name, set up a CNAME for all alias names,
>                                                    # point the CNAME to the A record for which the PTR also exists..
>                                                    netbios name = FS-A
>                                                    netbios aliases = OLDSAMBA
>                                                    security = ADS
>                                                    #
>                                                    kerberos method = secrets and keytab
>                                                    dedicated keytab file = /etc/krb5.keytab
>                                                    # renew the kerberos ticket
>                                                    winbind refresh tickets = yes
>
>
>                                                 ON THIS MEMBER... ( you
> dont run : samba-tool spn list ..... )
>                                                 You run : net ads keytab
>
>                                                 cp
> /etc/krb5.keytab{,.backup}
>                                                 kinit Administrator
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
>                                                 Verify this keytab.
>                                                 klist -ke
> /etc/krb5.keytab2
>
>                                                 You want to see :
>                                                 host/NETBIOSNAME at DOM.CORP
> ( x5 )
>
> host/fqdn.hostname.dom.tld at DOM.CORP  ( x5 )
>                                                 NETBIOSNAME$@DOM.CORP  (
> x5 )
>
>                                                 This you see these..  Then
> run this to add the cifs keytab.
>
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
> cifs/fs-a.yourdns.domain.tld
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
>
>                                                 Verify the keytab file
> again.
>                                                 klist -ke
> /etc/krb5.keytab2
>
>                                                 If it all looks good.
>
>                                                 Stop all samba service
>                                                 rm /etc/krb5.keytab  .. (
> a backupfile is made if you followed above )
>                                                 mv /etc/krb5.keytab2
> /etc/krb5.keytab
>
>
>                                                 That "should" do the
> trick..
>
>
>
>                                                 Greetz,
>
>                                                 Louis
>
>
>
>
>                                                 > -----Oorspronkelijk
> bericht-----
>                                                 > Van: samba [mailto:
> samba-bounces at lists.samba.org] Namens
>                                                 > banda bassotti via samba
>                                                 > Verzonden: dinsdag 5
> november 2019 9:49
>                                                 > Aan: Rowland penny
>                                                 > CC: sambalist
>                                                 > Onderwerp: Re: [Samba]
> Failed to find cifs/fs-share at dom.corp
>                                                 > (kvno 109) in keytab
>                                                 >
>                                                 > hi, nothing to do,
> despite having set winbind not to change
>                                                 > the machine
>                                                 > password the behavior is
> the same. I do not know what to do.
>                                                 > other ideas?
>                                                 >
>                                                 > thnx.
>                                                 >
>                                                 > Il giorno mar 29 ott
> 2019 alle ore 11:37 banda bassotti <
>                                                 > bandabasotti at gmail.com>
> ha scritto:
>                                                 >
>                                                 > > Hi, the problem seems
> to be related to this bug:
>                                                 > >
>                                                 > >
> https://bugzilla.samba.org/show_bug.cgi?id=6750
>                                                 > >
>                                                 > > I try therefore to set
>                                                 > >
>                                                 > >   machine password
> timeout = 0
>                                                 > >
>                                                 > >
>                                                 > >
>                                                 > > Il giorno mar 29 ott
> 2019 alle ore 11:11 Rowland penny via samba <
>                                                 > > samba at lists.samba.org>
> ha scritto:
>                                                 > >
>                                                 > >> On 29/10/2019 10:04,
> banda bassotti wrote:
>                                                 > >> > I had already done
> it:
>                                                 > >> >
>                                                 > >> > # samba-tool spn
> list newsamba\$
>                                                 > >> > newsamba$
>                                                 > >> > User
> CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
>                                                 > >> >
> servicePrincipalName:
>                                                 > >> >
> HOST/NEWSAMBA
>                                                 > >> >
> HOST/newsamba.domain.corp
>                                                 > >> >
> cifs/oldsamba at DOMAIN.CORP
>                                                 > >> >
> cifs/oldsamba.domain.corp at DOMAIN.CORP
>                                                 > >>
>                                                 > >>  From your log
> fragment, it appears to be looking for
>                                                 > >>
> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You will
>                                                 > probably have to
>                                                 > >> remove the lowercase
> version SPN and replace it with the uppercase
>                                                 > >> version.
>                                                 > >>
>                                                 > >> Rowland
>                                                 > >>
>                                                 > >>
>                                                 > >>
>                                                 > >> --
>                                                 > >> To unsubscribe from
> this list go to the following URL and read the
>                                                 > >> instructions:
> https://lists.samba.org/mailman/options/samba
>                                                 > >>
>                                                 > >
>
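Louis's recipe above boils down to: create a fresh keytab, inspect it with `klist -ke`, add the cifs SPNs, inspect again, then swap the files. The script below is an added example, not code from the thread or from Samba, that automates the "inspect" step: it parses `klist -ke` output and checks (a) that every expected principal is present with the exact case, because Rowland's point that `cifs/oldsamba` does not satisfy a request for `cifs/OLDSAMBA` applies to keytab entries just as it does to SPNs, and (b) that no entry carries a kvno lower than the newest kvno in the file. The second check is my own heuristic, not something the thread states: an entry left behind from an earlier machine password has an old kvno, and a ticket issued for the KDC's current kvno cannot be decrypted with it, which is the shape of the "Failed to find ... (kvno N) in keytab" error in this thread. The listing embedded in the script is constructed with placeholder names (FS-A, DOM.CORP) and deliberately contains one stale, lowercase entry so the checks have something to find.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a keytab listing before
# replacing /etc/krb5.keytab. Feed it the output of `klist -ke <keytab>`.
# Kerberos principal names are case-sensitive, so the comparison is exact;
# a case-only match is reported separately so the operator can spot it.

# Constructed sample listing with placeholder names. `net ads keytab create`
# typically writes one entry per enctype; the last line is a deliberately
# stale (older kvno), lowercase entry to exercise both checks.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab2
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   5 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   5 host/FS-A@DOM.CORP (arcfour-hmac)
   5 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   5 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   5 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   5 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   5 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   5 FS-A$@DOM.CORP (arcfour-hmac)
   5 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   5 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   4 cifs/oldsamba@DOM.CORP (arcfour-hmac)'

# Print "kvno principal" for every key entry, dropping the header lines
# (only lines whose first field is a number are key entries).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $2 }'
}

# Highest kvno in the listing, i.e. the newest machine-account key version
# that this keytab knows about.
max_kvno() {
    keytab_entries | awk 'BEGIN { m = 0 } { if ($1 + 0 > m) m = $1 + 0 } END { print m }'
}

# Exit status: 0 = present with exact case, 1 = only a case variant exists,
# 2 = absent. A one-line finding is printed on stdout.
check_principal() {
    listing=$1 want=$2
    if printf '%s\n' "$listing" | keytab_entries | awk -v p="$want" '$2 == p { f = 1 } END { exit !f }'; then
        printf 'ok       %s\n' "$want"; return 0
    fi
    if printf '%s\n' "$listing" | keytab_entries | awk -v p="$want" 'tolower($2) == tolower(p) { f = 1 } END { exit !f }'; then
        printf 'CASE     %s is present only with different capitalisation\n' "$want"; return 1
    fi
    printf 'MISSING  %s\n' "$want"; return 2
}

# Print principals whose kvno is lower than the newest kvno in the keytab:
# leftovers from before a machine password change (heuristic, see lead-in).
stale_principals() {
    listing=$1
    m=$(printf '%s\n' "$listing" | max_kvno)
    printf '%s\n' "$listing" | keytab_entries \
        | awk -v m="$m" '{ if ($1 + 0 < m) print $2 " (kvno " $1 " < " m ")" }' | sort -u
}

# Run all checks against a listing; prints a report and returns the number
# of problems found (0 means the keytab passed).
verify_keytab() {
    listing=$1; shift
    problems=0
    for p in "$@"; do
        check_principal "$listing" "$p" || problems=$((problems + 1))
    done
    stale=$(stale_principals "$listing")
    if [ -n "$stale" ]; then
        printf 'STALE    %s\n' "$stale"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone run against the constructed sample. With a real keytab use e.g.
#   verify_keytab "$(klist -ke /etc/krb5.keytab2)" 'host/FS-A@DOM.CORP' ...
rc=0
verify_keytab "$SAMPLE_KLIST" \
    'host/FS-A@DOM.CORP' 'host/fs-a.dom.corp@DOM.CORP' 'FS-A$@DOM.CORP' \
    'cifs/fs-a.dom.corp@DOM.CORP' 'cifs/OLDSAMBA@DOM.CORP' || rc=$?
echo "problems found: $rc"
```

Run against the sample it reports two problems: `cifs/OLDSAMBA@DOM.CORP` exists only as `cifs/oldsamba@DOM.CORP`, and that entry is at kvno 4 while the rest of the file is at kvno 5. Running the same checks on a real `klist -ke` listing before the `mv /etc/krb5.keytab2 /etc/krb5.keytab` step gives a yes/no answer to "if it all looks good" that does not depend on eyeballing five entries per principal.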

