[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab

banda bassotti bandabasotti at gmail.com
Tue Nov 5 15:56:05 UTC 2019


Luis, Rowland, I've found the problem, I feel like an idiot:

1) for making you lose all this time
2) because I have not checked before

the oldsamba machine account was still present on the domain controllers :(

sorry :(

On Tue 5 Nov 2019 at 16:36, banda bassotti <bandabasotti at gmail.com> wrote:

> Luis, my typos, I have to mask the output, sorry (compliance)
>
> # su - testuser
> $ smbclient --option='client min protocol=NT1' -U testuser
> //oldsamba/testuser -c 'ls'
> Unable to initialize messaging context
> Enter DOM\testuser's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> [2019/11/05 15:50:50.009481,  1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/stcomune at COMUNE.PADOVA.IT(kvno 113) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2019/11/05 15:50:50.009564,  1]
> ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT
> content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>
> The same test from a Windows machine fails with a user credential request.
>
> $ host oldsamba
> oldsamba.dom.corp is an alias for fs-a.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> $ head /etc/hosts
> 127.0.0.1 localhost
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba
>
> I accepted your suggestions and modified smb.conf accordingly, thanks.
>
> On Tue 5 Nov 2019 at 15:43, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
>> Ok,
>>
>> Your keytab looks ok now.
>>
>> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>> I would have expected here:
>> oldsamba.dom.corp is an alias for fs-a.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>> Or was that a typo? I'm assuming a typo..
>>
>> About your setup from the script output.
>>
>> Change this one.
>> /etc/hosts
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba  # Old/wrong
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba  # new/correct
>> Or
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp  # new/correct
>>
>> Here I personally prefer:
>> 10.0.0.2 fs-a.dom.corp fs-a
>>
>> And add the cname to the DNS.
>>
>> Why..  IP ALIAS1 ALIAS2.. etc.., but what I didn't tell you before.. (sorry)
>>
>> ALIAS: if you use a "single label" alias name, as in only the
>> hostname alias without the domain part, then that hostname can/should
>> only be used on the server, because it's missing the domain part.
>>
>> I do the same here, this is how I use it. (From a 4.11.2 member to a ..
>> yes, 3.6.x server, I still have one running.. :-/ )
>> smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
>> -k won't work here, don't ask why, that I don't know.
>>
>> To a 4.8+ member I use:   smbclient //somealias/sharename  -c 'ls'
>>
>> /etc/samba/smb.conf
>> You can remove these after testing, or set them to no and use getent
>> passwd/group username/groupname if you want to see the groups.
>>   winbind enum groups = yes
>>   winbind enum users = yes
>>
>> Why is this used: getwd cache = yes ?
>> To my understanding, I think you can remove it, because this should
>> be handled differently in samba4.
>>
>> You're allowing:  usershare allow guests = yes
>> but you disable the share location: usershare path =
>> Either use it or disable it, now it's?? You tell me.. ;-) .
>>
>> But besides the above points your setup looks pretty good.
>>
>> @Rowland,
>> This might help you understand my response on this one.
>>
>> > You are creating a keytab, which may or may not be called
>> /etc/krb5.keytab2
>>
>> ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
>> But it's replaced anyway now.
>>
>> PS, the keytab name is not significant.
>> What is significant is what is set for: default_keytab_name in krb5.conf
>> which of course defaults to FILE:/etc/krb5.keytab
>>
>>
>> > > Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
>> > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> >
>> > Then something reads the keytab in memory and cannot find the
>> > required SPN, or to put it another way, whatever is trying to find the
>> > SPN isn't  reading the keytab you created above, it is reading the one
>> in memory.
>>
>> Ok, this part above, yes, you're right, it's reading in memory, but to my
>> belief,
>> from:  kerberos method = secrets and keytab,  and as far as I know "secrets"
>> = MEMORY
>> but ask yourself, why is it using the "oldsamba" name if he is using
>> oldsamba as alias name?
>> That's the key here, so conclusion: resolving problems/incorrect setup.
>>
>> So therefore I'm saying (typed this before I got the script output):
>> OLDSAMBA is still in /etc/hosts but before the new hostname,
>> or it still has a DNS A record,
>> or samba is also using the NetBIOS alias names while creating keytab
>> entries.
>>    ... And this should in my opinion not happen, so let's wait what comes
>> back.
>> AND his keytab file is still incorrectly set up.
>>
>> And as I saw in the debug script output, I'm betting now on /etc/hosts that
>> needs fixing.
>>
>> Summary.
>>
>> Change: /etc/hosts
>> # this line to:
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
>> #Or
>> 10.0.0.2 fs-a.dom.corp fs-a # preferred, and set up a CNAME in DNS.
>>
>> Reboot the server or "stop/start" samba (don't restart)!
>>
>> Verify the hostname alias:
>> host oldhostname.dom.corp
>> host oldhostname
>>
>> And try again.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>> ________________________________
>>
>>         From: banda bassotti [mailto:bandabasotti at gmail.com]
>>         Sent: Tuesday 5 November 2019 14:49
>>         To: L.P.H. van Belle
>>         CC: samba at lists.samba.org
>>         Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp
>> (kvno 109) in keytab
>>
>>
>>         systemctl stop nmbd smbd winbind
>>         rm -f /etc/krb5.keytab*
>>         KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>>         net ads keytab create cifs/$(hostname -f)
>>         klist -ke /etc/krb5.keytab | sort
>>
>>         ---- --------------------------------------------------------------------------
>>            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>>            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>>            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>>            7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>            7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>            7 FS-A$@DOM.CORP (arcfour-hmac)
>>            7 FS-A$@DOM.CORP (des-cbc-crc)
>>            7 FS-A$@DOM.CORP (des-cbc-md5)
>>            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>            7 host/FS-A at DOM.CORP (arcfour-hmac)
>>            7 host/FS-A at DOM.CORP (des-cbc-crc)
>>            7 host/FS-A at DOM.CORP (des-cbc-md5)
>>            7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>            7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>         Keytab name: FILE:/etc/krb5.keytab
>>         KVNO Principal
>>
>>
>>         systemctl start nmbd smbd winbind
>>
>>         # host oldsamba
>>         oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>>         fs-a.dom.corp has address 10.0.0.2
>>
>>
>>         $ kinit testuser
>>         $ smbclient //oldsamba/testuser -k -c 'ls'
>>         Unable to initialize messaging context
>>         session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>
>>         [2019/11/05 14:32:18.863122,  1]
>> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>           gss_accept_sec_context failed with [ Miscellaneous failure (see
>> text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>         [2019/11/05 14:32:18.863192,  1]
>> ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>>           gensec_spnego_server_negTokenInit_step: gse_krb5: parsing
>> NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>
>>
>>         Attached the samba-debug-info.txt.
>>
>>         On Tue 5 Nov 2019 at 13:43, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>>
>>                 Hai,
>>
>>                 Nope.. Too much again ;-)
>>
>>                 This is one step too much:
>>                 step2:
>>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
>> cifs/oldsamba.dom.corp at DOM.CORP
>>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
>> cifs/oldsamba at DOM.CORP
>>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
>> cifs/oldsamba$@DOM.CORP
>>
>>                 And why are you adding @REALM.. Do it exactly as shown
>> below.
>>
>>                 Because a CNAME resolves to the REAL hostname's A
>> record, Kerberos then uses the A of the real hostname and (might) verify
>> the PTR also.
>>
>>                 So again and exactly as shown, because your "Default
>> realm" is used automatically.
>>
>>                 kinit Administrator
>>                 *(you see here:  Password for Administrator at REALM: )
>>
>>                 stop samba and related services.
>>
>>                 rm /etc/krb5.keytab2
>>                 rm /etc/krb5.keytab
>>
>>                 # I change the keytab to the needed name
>> (/etc/krb5.keytab)
>>                 KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>>
>>                 net ads keytab create cifs/$(hostname -f)
>>
>>                 Verify the output.
>>                 klist -ke /etc/krb5.keytab | sort
>>
>>                 If you see the ALIAS hostname "oldsamba" again in the
>> keytab file,
>>                 then remove from smb.conf:
>>
>>                 netbios aliases = OLDSAMBA
>>
>>                 Verify the DNS and make sure your real hostname does have
>> the A and PTR records set.
>>                 And remove all A/PTR related records to OLDSAMBA.
>>                 Add the CNAME for OLDSAMBA and point it to the real hostname.
>>
>>                 Restart samba, repeat the above.
>>
>>                 Still failing..
>>                 Then get this script:
>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>>                 Run it, anonymize it and post the output.
>>
>>
>>                 Greetz,
>>
>>                 Louis
>>
>>
>>
>>                 ________________________________
>>
>>                         From: banda bassotti [mailto:bandabasotti at gmail.com]
>>                         Sent: Tuesday 5 November 2019 13:18
>>                         To: L.P.H. van Belle
>>                         CC: samba at lists.samba.org
>>                         Subject: Re: [Samba] Failed to find
>> cifs/fs-share at dom.corp (kvno 109) in keytab
>>
>>
>>                         Luis,  ok I've removed everything, step 1:
>>
>>                         KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab
>> CREATE -P
>>
>>                         klist -ke /etc/krb5.keytab2|grep 7|sort
>>
>>
>>                            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>>                            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>>                            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 FS-A$@DOM.CORP (arcfour-hmac)
>>                            7 FS-A$@DOM.CORP (des-cbc-crc)
>>                            7 FS-A$@DOM.CORP (des-cbc-md5)
>>                            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 host/FS-A at DOM.CORP (arcfour-hmac)
>>                            7 host/FS-A at DOM.CORP (des-cbc-crc)
>>                            7 host/FS-A at DOM.CORP (des-cbc-md5)
>>                            7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>
>>
>>
>>                         step2:
>>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
>> keytab ADD cifs/oldsamba.dom.corp at DOM.CORP
>>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
>> keytab ADD cifs/oldsamba at DOM.CORP
>>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
>> keytab ADD cifs/oldsamba$@DOM.CORP
>>
>>
>>                         klist
>>
>>                            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>>                            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>>                            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>                            7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
>>                            7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
>>                            7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
>>                            7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>>                            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>>                            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>>                            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>>                            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>>                            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>>                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 FS-A$@DOM.CORP (arcfour-hmac)
>>                            7 FS-A$@DOM.CORP (des-cbc-crc)
>>                            7 FS-A$@DOM.CORP (des-cbc-md5)
>>                            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 host/FS-A at DOM.CORP (arcfour-hmac)
>>                            7 host/FS-A at DOM.CORP (des-cbc-crc)
>>                            7 host/FS-A at DOM.CORP (des-cbc-md5)
>>                            7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                            7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>
>>
>>                         systemctl start nmbd smbd winbind
>>
>>                         Test from a Windows machine:
>>
>>                         [2019/11/05 13:14:49.108879,  1]
>> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>                           gss_accept_sec_context failed with [
>> Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno
>> 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>
>>
>>                         On Tue 5 Nov 2019 at 12:40, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>>
>>                                 Ok, you did too much as far as I can tell.
>>
>>                                 You want to see this: I'll show my
>> output, then it is better to see what I mean.
>>
>>                                 This is where you start with.
>>                                 klist -ke |sort  ( default member )
>>                                 ---- --------------------------------------------------------------------------
>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (arcfour-hmac)
>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-crc)
>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD (des-cbc-md5)
>>                                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>>                                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>>                                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
>>                                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
>>                                    3 host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
>>
>>                                 In my case, my server's "real" name is
>> hostname1 and I have an alias, let's say mycrazyserver
>>
>>                                 /etc/hosts
>>                                 127.0.0.1     localhost
>>                                 192.168.0.1   hostname1.internal.domain.tld hostname1  mycrazyserver.internal.domain.tld
>>                                 Host format:
>>                                 IP      REAL_HOSTNAME_FQDN ALIAS ALIAS
>>
>>                                 Note, adding
>> mycrazyserver.internal.domain.tld should not be needed, because that is
>> resolved through DNS.
>>
>>                                 ping mycrazyserver.internal.domain.tld
>> will respond its reply with hostname1.internal.domain.tld hostname1
>>
>>                                 If you add CIFS to your keytab you want to
>> see:
>>                                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>>                                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>>                                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
>>                                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
>>                                    3 cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
>>                                 ( + what's above )
>>
>>                                 That's it..
>>
>>                                 So your output should look like this.
>>
>>                                        7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                        7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                        7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>>                                        7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>>                                        7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>>                                        7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                        7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                        7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>                                        7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>                                        7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>                                        7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                        7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                        7 FS-A$@DOM.CORP (arcfour-hmac)
>>                                        7 FS-A$@DOM.CORP (des-cbc-crc)
>>                                        7 FS-A$@DOM.CORP (des-cbc-md5)
>>                                        7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                        7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong
>>                                        7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                        7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
>>                                        7 host/FS-A at DOM.CORP (arcfour-hmac)
>>                                        7 host/FS-A at DOM.CORP (arcfour-hmac)      < double = wrong
>>                                        7 host/FS-A at DOM.CORP (des-cbc-crc)
>>                                        7 host/FS-A at DOM.CORP (des-cbc-crc)       < double = wrong
>>                                        7 host/FS-A at DOM.CORP (des-cbc-md5)
>>                                        7 host/FS-A at DOM.CORP (des-cbc-md5)       < double = wrong
>>                                        7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                        7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                        7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>                                        7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>                                        7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>
>>
>>                                 So try again. ;-)
>>
>>                                 Greetz,
>>
>>                                 Louis
>>
>>
>>
>>
>>
>>                                 ________________________________
>>
>>                                         From: banda bassotti [mailto:bandabasotti at gmail.com]
>>                                         Sent: Tuesday 5 November 2019 12:06
>>                                         To: L.P.H. van Belle
>>                                         CC: samba at lists.samba.org
>>                                         Subject: Re: [Samba] Failed to
>> find cifs/fs-share at dom.corp (kvno 109) in keytab
>>
>>
>>                                         Luis, thank you very much, I
>> followed the procedure step by step (which I had already done) but
>> unfortunately I always have the same error:
>>
>>
>>                                         [2019/11/05 11:49:47.748159,  1]
>> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>
>>                                           gss_accept_sec_context failed
>> with [ Miscellaneous failure (see text): Failed to find
>> cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab
>> (arcfour-hmac-md5)]
>>
>>
>>                                         Please pay attention to (kvno
>> 113): the problem is here and not in the keytab file.
>>
>>
>>                                         klist -ke /etc/krb5.keytab
>>                                         Keytab name: FILE:/etc/krb5.keytab
>>                                         KVNO Principal
>>                                         ---- --------------------------------------------------------------------------
>>                                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>                                            7 host/FS-A at DOM.CORP (des-cbc-crc)
>>                                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>                                            7 host/FS-A at DOM.CORP (des-cbc-md5)
>>                                            7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                            7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>                                            7 host/FS-A at DOM.CORP (arcfour-hmac)
>>                                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>                                            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>>                                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>                                            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>>                                            7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                            7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>                                            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>>                                            7 FS-A$@DOM.CORP (des-cbc-crc)
>>                                            7 FS-A$@DOM.CORP (des-cbc-md5)
>>                                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                            7 FS-A$@DOM.CORP (arcfour-hmac)
>>                                            7 host/FS-A at DOM.CORP (des-cbc-crc)
>>                                            7 host/FS-A at DOM.CORP (des-cbc-md5)
>>                                            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                            7 host/FS-A at DOM.CORP (arcfour-hmac)
>>                                            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>>                                            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>>                                            7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                            7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>>                                            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>>                                            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>>                                            7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
>>                                            7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
>>                                            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>>
>>
>>                                         To temporarily solve this problem I
>> must extract the keytab of the oldsamba from the domain controller and
>> import it with ktutil:
>>
>>                                         # ktutil
>>                                         ktutil:  rkt oldsamba.keytab
>>                                         ktutil:  l
>>                                         slot KVNO Principal
>>                                         ---- ---- ---------------------------------------------------------------------
>>                                            1  112  cifs/oldsamba at DOM.CORP
>>                                            2  112  cifs/oldsamba at DOM.CORP
>>                                            3  112  cifs/oldsamba at DOM.CORP
>>                                            4  113  cifs/oldsamba at DOM.CORP
>>                                            5  113  cifs/oldsamba at DOM.CORP
>>                                            6  113  cifs/oldsamba at DOM.CORP
>>
>>
>>                                         please note the kvno column.
>>
>>
>>                                         On Tue 5 Nov 2019 at 11:30, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>>
>>                                                 Hai,
>>
>>                                                 I've re-read your thread,
>> and there are a few things going on..
>>                                                 I suggest you do the
>> following..
>>
>>                                                 Change these.
>>
>>                                                 /etc/krb5.conf
>>                                                 [libdefaults]
>>                                                   default_realm = DOM.CORP
>>                                                   dns_lookup_kdc = true
>>                                                   dns_lookup_realm = false
>>                                                   forwardable = true
>>                                                   proxiable = true
>>                                                   kdc_timesync = 1
>>                                                   debug = false
>>
>>
>>                                                 /etc/samba/smb.conf
>>                                                 [Global]
>>                                                    workgroup = WG1
>>                                                    realm = DOM.CORP
>>                                                    # Netbios names in
>> CAPS, see..
>>                                                    #
>> https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
>>                                                    #
>> https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>>                                                    # Verify in DNS the
>> following, A - PTR records for netbios name, setup CNAME for all
>> alias-names,
>>                                                    # point CNAME to the A
>> record if which the PTR also exists..
>>                                                    netbios name = FS-A
>>                                                    netbios aliases =
>> OLDSAMBA
>>                                                    security = ADS
>>                                                    #
>>                                                    kerberos method =
>> secrets and keytab
>>                                                    dedicated keytab file
>> = /etc/krb5.keytab
>>                                                    # renew the kerberos
>> ticket
>>                                                    winbind refresh
>> tickets = yes
>>
>>
>>                                                 ON THIS MEMBER... ( you
>> dont run : samba-tool spn list ..... )
>>                                                 You run : net ads keytab
>>
>>                                                 cp
>> /etc/krb5.keytab{,.backup}
>>                                                 kinit Administrator
>>
>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>>
>>                                                 Verify this keytab.
>>                                                 klist -ke
>> /etc/krb5.keytab2
>>
>>                                                 You want to see :
>>                                                 host/NETBIOSNAME at DOM.CORP
>> ( x5 )
>>
>> host/fqdn.hostname.dom.tld at DOM.CORP  ( x5 )
>>                                                 NETBIOSNAME$@DOM.CORP  (
>> x5 )
>>
>>                                                 This you see these..
>> Then run this to add the cifs keytab.
>>
>>
>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
>> cifs/fs-a.yourdns.domain.tld
>>
>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
>>
>>                                                 Verify the keytab file
>> again.
>>                                                 klist -ke
>> /etc/krb5.keytab2
>>
>>                                                 If it all looks good.
>>
>>                                                 Stop all samba service
>>                                                 rm /etc/krb5.keytab  .. (
>> a backupfile is made if you followed above )
>>                                                 mv /etc/krb5.keytab2
>> /etc/krb5.keytab
>>
>>
>>                                                 That "should" do the
>> trick..
>>
>>
>>
>>                                                 Greetz,
>>
>>                                                 Louis
>>
>>
>>
>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of banda bassotti via samba
>>>> Sent: Tuesday 5 November 2019 9:49
>>>> To: Rowland penny
>>>> CC: sambalist
>>>> Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
>>>>
>>>> hi, nothing to do, despite having set winbind not to change the machine
>>>> password the behavior is the same. I do not know what to do. Other ideas?
>>>>
>>>> thnx.
>>>>
>>>> On Tue, 29 Oct 2019 at 11:37, banda bassotti <bandabasotti at gmail.com> wrote:
>>>>
>>>>> Hi, the problem seems to be related to this bug:
>>>>>
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=6750
>>>>>
>>>>> I try therefore to set
>>>>>
>>>>>   machine password timeout = 0
>>>>>
>>>>> On Tue, 29 Oct 2019 at 11:11, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> On 29/10/2019 10:04, banda bassotti wrote:
>>>>>>> I had already done it:
>>>>>>>
>>>>>>> # samba-tool spn list newsamba\$
>>>>>>> newsamba$
>>>>>>> User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following servicePrincipalName:
>>>>>>>          HOST/NEWSAMBA
>>>>>>>          HOST/newsamba.domain.corp
>>>>>>>          cifs/oldsamba at DOMAIN.CORP
>>>>>>>          cifs/oldsamba.domain.corp at DOMAIN.CORP
>>>>>>
>>>>>> From your log fragment, it appears to be looking for
>>>>>> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You will probably have to
>>>>>> remove the lowercase version SPN and replace it with the uppercase version.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>
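The thread's symptom is a KVNO in the gse.c error that the member server's keytab never held; as an added diagnostic example (not from the thread, Samba or MIT Kerberos), this POSIX shell script parses the requested principal and KVNO out of such a log line and compares them against the KVNOs actually stored for that principal in `klist -ke` output. Both the klist listing and the log line below are constructed samples; principal matching is exact and case-sensitive, matching Rowland's point that case matters.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): does the keytab hold the KVNO
# the client's service ticket was cut for? Inputs are `klist -ke` output and
# the gse.c log line; both are constructed samples shaped like the thread's.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
 112 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
 112 cifs/oldsamba@DOM.CORP (arcfour-hmac)
 113 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
 113 cifs/oldsamba@DOM.CORP (arcfour-hmac)
 113 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)'

SAMPLE_LOG='gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 109) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]'

# keytab_kvnos PRINCIPAL KLIST_OUTPUT: distinct KVNOs for PRINCIPAL, ascending.
# Exact, case-sensitive match: cifs/OLDSAMBA and cifs/oldsamba are different
# keys, which is the point Rowland makes in the thread.
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { print $1 }' |
        sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# log_wanted LOGLINE: prints "principal kvno" parsed from
# "Failed to find <principal>(kvno <n>) in keytab".
log_wanted() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed to find \([^ ]*\) *(kvno \([0-9][0-9]*\)).*/\1 \2/p'
}

# check_kvno LOGLINE KLIST_OUTPUT: exit 0 if the requested KVNO is present,
# 1 if not, 2 if the log line is not the expected error. A KVNO the keytab
# never held means the ticket was issued from another account's key, e.g. a
# leftover machine account for the alias name, as in this thread.
check_kvno() {
    wanted=$(log_wanted "$1")
    [ -n "$wanted" ] || { echo 'no "Failed to find ... (kvno N)" in log line' >&2; return 2; }
    princ=${wanted% *}
    want=${wanted##* }
    have=$(keytab_kvnos "$princ" "$2")
    case " $have " in
        *" $want "*)
            printf 'OK: %s kvno %s present (keytab has: %s)\n' "$princ" "$want" "$have"
            return 0 ;;
        *)
            printf 'MISMATCH: %s wants kvno %s, keytab has: %s\n' "$princ" "$want" "${have:-none}"
            return 1 ;;
    esac
}

# Stand-alone run; the sample is the mismatch case, so the status is 1 (kept non-fatal).
check_kvno "$SAMPLE_LOG" "$SAMPLE_KLIST" || :
```

On a real member server, feed it the actual error line from log.smbd and `klist -ke /etc/krb5.keytab`; a KVNO that is higher than anything in the keytab is the signature of a ticket obtained from a different account for the same SPN.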

