[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
banda bassotti
bandabasotti at gmail.com
Tue Nov 5 15:56:05 UTC 2019
Luis, Rowland, I've found the problem. I feel like an idiot:
1) for making you lose all this time
2) because I have not checked before
the oldsamba machine account was still present on the domain controllers :(
sorry :(
On Tue 5 Nov 2019 at 16:36 banda bassotti <bandabasotti at gmail.com> wrote:
> Luis, my typos, I have to mask the output, sorry (compliance)
>
> # su - testuser
> $ smbclient --option='client min protocol=NT1' -U testuser //oldsamba/testuser -c 'ls'
> Unable to initialize messaging context
> Enter DOM\testuser's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> [2019/11/05 15:50:50.009481, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/stcomune@COMUNE.PADOVA.IT(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2019/11/05 15:50:50.009564, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>
> The same test from a Windows machine fails with a user credential request.
>
> $ host oldsamba
> oldsamba.dom.corp is an alias for fs-a.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> $ head /etc/hosts
> 127.0.0.1 localhost
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba
>
> I accepted your suggestions and modified smb.conf accordingly, thanks.
>
> On Tue 5 Nov 2019 at 15:43 L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
>> Ok,
>>
>> Your keytab looks ok now.
>>
>> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>> I would have expected here:
>> oldsamba.dom.corp is an alias for fs-a.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>> Or was that a typo? I'm assuming a typo..
>>
>> About your setup, from the script output.
>>
>> Change this one.
>> /etc/hosts
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # new/correct
>> Or
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct
>>
>> Here I personally prefer:
>> 10.0.0.2 fs-a.dom.corp fs-a
>>
>> And add the cname to the DNS.
>>
>> Why.. IP ALIAS1 ALIAS2.. etc.., but what I didn't tell before.. (sorry)
>>
>> ALIAS: if you use a "single label" alias name, as in, only the
>> hostname alias without the domain part,
>> then that hostname can/should only be used on the server, because it's
>> missing the domain part.
>>
>> I do the same here, this is how I use it. (from a 4.11.2 member to a ..
>> yes 3.6.x server, I still have one running.. :-/ )
>> smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
>> -k won't work here, don't ask why, that I don't know.
>>
>> To a 4.8+ member I use: smbclient //somealias/sharename -c 'ls'
>>
>> /etc/samba/smb.conf
>> You can remove these after testing, or set them to no and use getent
>> passwd/group username/groupname if you want to see the groups.
>> winbind enum groups = yes
>> winbind enum users = yes
>>
>> Why is this used: getwd cache = yes ?
>> To my understanding, I think you can remove it, because this should
>> be handled differently in Samba 4.
>>
>> You're allowing: usershare allow guests = yes
>> but you disable the share location: usershare path =
>> Either use it or disable it, now it's?? you tell me.. ;-) .
>>
>> But besides the above points your setup looks pretty good.
>>
>> @Rowland,
>> This might help you understand my response on this one.
>>
>> > You are creating a keytab, which may or may not be called
>> /etc/krb5.keytab2
>>
>> ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
>> But since it's replaced anyway now.
>>
>> Ps, keytab name is not significant.
>> What is significant is what is set for: default_keytab_name in krb5.conf
>> Which of course defaults to FILE:/etc/krb5.keytab
>>
>>
>> > > Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
>> > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> >
>> > Then something reads the keytab in memory and cannot find the
>> > required SPN, or to put it another way, whatever is trying to find the
>> > SPN isn't reading the keytab you created above, it is reading the one
>> in memory.
>>
>> Ok, this part above, yes, you're right, it's reading in memory, but to my
>> belief,
>> from: kerberos method = secrets and keytab, and as far as I know "secrets"
>> = MEMORY
>> but ask yourself, why is it using the "oldsamba" name if he is using
>> oldsamba as alias name.
>> That's the key here, so conclusion: resolving problems/incorrect setup.
>>
>> So therefore I'm saying (typed this before I got the script output):
>> OLDSAMBA is still in /etc/hosts but before the new hostname,
>> or it still has a DNS A record,
>> or Samba is also using the NetBIOS alias names while creating keytab
>> entries.
>> ... And this should, in my opinion, not happen, so let's wait what comes
>> back.
>> AND his keytab file is still incorrectly set up.
>>
>> And as I saw in the debug script output, I'm betting now on /etc/hosts that
>> needs fixing.
>>
>> Summary.
>>
>> Change: /etc/hosts
>> # this line to:
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
>> # Or
>> 10.0.0.2 fs-a.dom.corp fs-a # preferred, and set up a CNAME in DNS.
>>
>> Reboot the server or "stop/start" samba (don't restart)!
>>
>> Verify the hostname alias:
>> host oldhostname.dom.corp
>> host oldhostname
>>
>> And try again.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>> ________________________________
>>
>> From: banda bassotti [mailto:bandabasotti at gmail.com]
>> Sent: Tuesday 5 November 2019 14:49
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>>
>>
>> systemctl stop nmbd smbd winbind
>> rm -f /etc/krb5.keytab*
>> KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>> net ads keytab create cifs/$(hostname -f)
>> klist -ke /etc/krb5.keytab | sort
>>
>> ---- --------------------------------------------------------------------------
>> 7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (arcfour-hmac)
>> 7 FS-A$@DOM.CORP (des-cbc-crc)
>> 7 FS-A$@DOM.CORP (des-cbc-md5)
>> 7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (arcfour-hmac)
>> 7 host/FS-A@DOM.CORP (des-cbc-crc)
>> 7 host/FS-A@DOM.CORP (des-cbc-md5)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>>
>>
>> systemctl start nmbd smbd winbind
>>
>> # host oldsamba
>> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>>
>> $ kinit testuser
>> $ smbclient //oldsamba/testuser -k -c 'ls'
>> Unable to initialize messaging context
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>
>> [2019/11/05 14:32:18.863122, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> [2019/11/05 14:32:18.863192, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>
>>
>> attached the samba-debug-info.txt
>>
>> On Tue 5 Nov 2019 at 13:43 L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>>
>> Hai,
>>
>> Nope.. Too much again ;-)
>>
>> This is one step too much:
>> step2:
>> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
>> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
>> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
>>
>> And why are you adding @REALM.. Do it exactly as shown below.
>>
>> Because a CNAME resolves to the REAL hostname's A record, then Kerberos
>> uses the A of the real hostname and (might) verify the PTR also.
>>
>> So again, and exactly as shown, because your "Default realm" is used
>> automatically.
>>
>> kinit Administrator
>> *(you see here: Password for Administrator@REALM: )
>>
>> Stop samba and related services.
>>
>> rm /etc/krb5.keytab2
>> rm /etc/krb5.keytab
>>
>> # I change the keytab to the needed name (/etc/krb5.keytab)
>> KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>>
>> net ads keytab create cifs/$(hostname -f)
>>
>> Verify the output.
>> klist -ke /etc/krb5.keytab | sort
>>
>> If you see the ALIAS hostname "oldsamba" again in the keytab file,
>> then remove from smb.conf:
>>
>> netbios aliases = OLDSAMBA
>>
>> Verify the DNS and make sure your real hostname does have the A and PTR
>> records set.
>> And remove all A/PTR related records to OLDSAMBA.
>> Add the CNAME for OLDSAMBA and point it to the real hostname.
>>
>> Restart samba, repeat above.
>>
>> Still failing..
>> Then get this script:
>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>> Run it, anonymize it and post the output.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>> ________________________________
>>
>> From: banda bassotti [mailto:bandabasotti at gmail.com]
>> Sent: Tuesday 5 November 2019 13:18
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>>
>>
>> Luis, ok I've removed everything, step 1:
>>
>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>>
>> klist -ke /etc/krb5.keytab2 | grep 7 | sort
>>
>>
>> 7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (arcfour-hmac)
>> 7 FS-A$@DOM.CORP (des-cbc-crc)
>> 7 FS-A$@DOM.CORP (des-cbc-md5)
>> 7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (arcfour-hmac)
>> 7 host/FS-A@DOM.CORP (des-cbc-crc)
>> 7 host/FS-A@DOM.CORP (des-cbc-md5)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>>
>>
>>
>> step2:
>> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
>> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
>> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
>>
>>
>> klist
>>
>> 7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>> 7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
>> 7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
>> 7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
>> 7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>> 7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>> 7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>> 7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>> 7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>> 7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (arcfour-hmac)
>> 7 FS-A$@DOM.CORP (des-cbc-crc)
>> 7 FS-A$@DOM.CORP (des-cbc-md5)
>> 7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (arcfour-hmac)
>> 7 host/FS-A@DOM.CORP (des-cbc-crc)
>> 7 host/FS-A@DOM.CORP (des-cbc-md5)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>>
>>
>> systemctl start nmbd smbd winbind
>>
>> Test from a Windows machine:
>>
>> [2019/11/05 13:14:49.108879, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>
>>
>> On Tue 5 Nov 2019 at 12:40 L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>>
>> Ok, you did too much as far as I can tell.
>>
>> You want to see this: I'll show my output, then it is easier to see what I mean.
>>
>> This is where you start with.
>> klist -ke | sort ( default member )
>> ---- --------------------------------------------------------------------------
>> 3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>> 3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>> 3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
>> 3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
>> 3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
>> 3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>> 3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>> 3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
>> 3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
>> 3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
>> 3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>> 3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>> 3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
>> 3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
>> 3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
>>
>> In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver
>>
>> /etc/hosts
>> 127.0.0.1 localhost
>> 192.168.0.1 hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld
>> Host format:
>> IP REAL_HOSTNAME_FQDN ALIAS ALIAS
>>
>> Note, adding mycrazyserver.internal.domain.tld should not be needed,
>> because that is resolved through DNS.
>>
>> ping mycrazyserver.internal.domain.tld
>> will respond, in its reply, with hostname1.internal.domain.tld hostname1
>>
>> If you add CIFS to your keytab you want to see:
>> 3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>> 3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>> 3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
>> 3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
>> 3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
>> ( + what's above )
>>
>> That's it..
>>
>> So your output should look like this.
>>
>> 7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (arcfour-hmac)
>> 7 FS-A$@DOM.CORP (des-cbc-crc)
>> 7 FS-A$@DOM.CORP (des-cbc-md5)
>> 7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong
>> 7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96) < double = wrong
>> 7 host/FS-A@DOM.CORP (arcfour-hmac)
>> 7 host/FS-A@DOM.CORP (arcfour-hmac) < double = wrong
>> 7 host/FS-A@DOM.CORP (des-cbc-crc)
>> 7 host/FS-A@DOM.CORP (des-cbc-crc) < double = wrong
>> 7 host/FS-A@DOM.CORP (des-cbc-md5)
>> 7 host/FS-A@DOM.CORP (des-cbc-md5) < double = wrong
>> 7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>>
>>
>> So try again. ;-)
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>>
>> ________________________________
>>
>> From: banda bassotti [mailto:bandabasotti at gmail.com]
>> Sent: Tuesday 5 November 2019 12:06
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>>
>>
>> Luis, thank you very much, I followed the procedure step by step (which I
>> had already done) but unfortunately I always have the same error:
>>
>>
>> [2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>
>>
>> Please pay attention to (kvno 113): the problem is here and not the keytab file.
>>
>>
>> klist -ke /etc/krb5.keytab
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 host/FS-A@DOM.CORP (des-cbc-crc)
>> 7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>> 7 host/FS-A@DOM.CORP (des-cbc-md5)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 host/FS-A@DOM.CORP (arcfour-hmac)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>> 7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>> 7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>> 7 FS-A$@DOM.CORP (des-cbc-crc)
>> 7 FS-A$@DOM.CORP (des-cbc-md5)
>> 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 FS-A$@DOM.CORP (arcfour-hmac)
>> 7 host/FS-A@DOM.CORP (des-cbc-crc)
>> 7 host/FS-A@DOM.CORP (des-cbc-md5)
>> 7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 host/FS-A@DOM.CORP (arcfour-hmac)
>> 7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>> 7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>> 7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>> 7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>> 7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>> 7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>> 7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>> 7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>>
>>
>> To temporarily solve this problem I must extract the keytab of the oldsamba
>> from the domain controller and import it with ktutil:
>>
>> # ktutil
>> ktutil: rkt oldsamba.keytab
>> ktutil: l
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1  112 cifs/oldsamba@DOM.CORP
>>    2  112 cifs/oldsamba@DOM.CORP
>>    3  112 cifs/oldsamba@DOM.CORP
>>    4  113 cifs/oldsamba@DOM.CORP
>>    5  113 cifs/oldsamba@DOM.CORP
>>    6  113 cifs/oldsamba@DOM.CORP
>>
>>
>> Please note the kvno column.
>>
>>
>> On Tue 5 Nov 2019 at 11:30 L.P.H. van Belle <belle at bazuin.nl> wrote:
>>
>>
>> Hai,
>>
>> I've re-read your thread, and there are a few things going on..
>> I suggest you do the following..
>>
>> Change these.
>>
>> /etc/krb5.conf
>> [libdefaults]
>> default_realm = DOM.CORP
>> dns_lookup_kdc = true
>> dns_lookup_realm = false
>> forwardable = true
>> proxiable = true
>> kdc_timesync = 1
>> debug = false
>>
>>
>> /etc/samba/smb.conf
>> [Global]
>> workgroup = WG1
>> realm = DOM.CORP
>> # Netbios names in CAPS, see..
>> # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
>> # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>> # Verify in DNS the following: A - PTR records for the netbios name, set up a CNAME for all alias names,
>> # point the CNAME to the A record for which the PTR also exists..
>> netbios name = FS-A
>> netbios aliases = OLDSAMBA
>> security = ADS
>> #
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.keytab
>> # renew the kerberos ticket
>> winbind refresh tickets = yes
>>
>>
>> ON THIS MEMBER... (you don't run: samba-tool spn list .....)
>> You run: net ads keytab
>>
>> cp /etc/krb5.keytab{,.backup}
>> kinit Administrator
>>
>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>>
>> Verify this keytab.
>> klist -ke /etc/krb5.keytab2
>>
>> You want to see:
>> host/NETBIOSNAME@DOM.CORP ( x5 )
>> host/fqdn.hostname.dom.tld@DOM.CORP ( x5 )
>> NETBIOSNAME$@DOM.CORP ( x5 )
>>
>> If you see these..
>> Then run this to add the cifs keytab.
>>
>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
>>
>> Verify the keytab file again.
>> klist -ke /etc/krb5.keytab2
>>
>> If it all looks good:
>>
>> Stop all samba services
>> rm /etc/krb5.keytab .. ( a backup file is made if you followed above )
>> mv /etc/krb5.keytab2 /etc/krb5.keytab
>>
>>
>> That "should" do the trick..
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> > banda bassotti via samba
>> > Sent: Tuesday 5 November 2019 9:49
>> > To: Rowland penny
>> > CC: sambalist
>> > Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp
>> > (kvno 109) in keytab
>> >
>> > Hi, nothing to do; despite having set winbind not to change the machine
>> > password the behavior is the same. I do not know what to do.
>> > Other ideas?
>> >
>> > thnx.
>> >
>> > On Tue 29 Oct 2019 at 11:37 banda bassotti <bandabasotti at gmail.com> wrote:
>> >
>> > > Hi, the problem seems to be related to this bug:
>> > >
>> > > https://bugzilla.samba.org/show_bug.cgi?id=6750
>> > >
>> > > I try therefore to set
>> > >
>> > > machine password timeout = 0
>> > >
>> > >
>> > >
>> > > On Tue 29 Oct 2019 at 11:11 Rowland penny via samba <samba at lists.samba.org> wrote:
>> > >
>> > >> On 29/10/2019 10:04, banda bassotti wrote:
>> > >> > I had already done it:
>> > >> >
>> > >> > # samba-tool spn list newsamba\$
>> > >> > newsamba$
>> > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
>> > >> > servicePrincipalName:
>> > >> > HOST/NEWSAMBA
>> > >> > HOST/newsamba.domain.corp
>> > >> > cifs/oldsamba@DOMAIN.CORP
>> > >> > cifs/oldsamba.domain.corp@DOMAIN.CORP
>> > >>
>> > >> From your log fragment, it appears to be looking for
>> > >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to
>> > >> remove the lowercase version SPN and replace it with the uppercase
>> > >> version.
>> > >>
>> > >> Rowland
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> To unsubscribe from
>> this list go to the following URL and read the
>> > >> instructions:
>> https://lists.samba.org/mailman/options/samba
>> > >>
>> > >
>> >
>> >
>>
>
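The thread above boils down to a handful of checks Louis walks the poster through by hand: look for doubled keytab entries ("< double = wrong"), confirm the real hostname's host/, cifs/ and machine-account principals are all present, ask why the client is requesting an SPN for the alias rather than the real host, and compare the kvno in the smbd error (113) with the kvno in the keytab (7), which in the end pointed at the stale oldsamba machine account on the DCs. As an added example, not code from the thread or from the Samba project, the Python below automates those checks over `klist -ke` output and a `gse.c` error line. The hostnames, realm, sample klist listing and log line are constructed to mirror the thread, and the function names are my own.

```python
"""Sanity-check a member server's keytab against the SPN that a Samba
gse_get_server_auth_token failure says it could not find.

Everything below is constructed for this example: the klist output and the
log line mimic the thread (hostname fs-a, alias oldsamba, realm DOM.CORP)
and were not captured from a live system.
"""
import re
from collections import Counter

# Constructed `klist -ke | sort` style output: kvno 7 throughout, one alias
# principal (cifs/oldsamba) that should not be in a member's keytab, and one
# doubled host/FS-A aes128 line, the "< double = wrong" case.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
"""

# Constructed log line in the shape of the thread's smbd debug output.
SAMPLE_LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
              "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab "
              "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
FAIL_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output;
    the header and separator lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_failure(log_line):
    """Extract (principal, kvno) from a 'Failed to find ... in keytab' message,
    or None when the line is not such a message."""
    m = FAIL_RE.search(log_line)
    return (m.group(1), int(m.group(2))) if m else None


def duplicate_entries(entries):
    """Principal/enctype pairs listed more than once."""
    counts = Counter((p, e) for _, p, e in entries)
    return sorted(key for key, n in counts.items() if n > 1)


def missing_expected(entries, netbios, fqdn, realm):
    """SPNs a member keytab should carry after `net ads keytab create`
    plus the cifs/ additions from the thread; returns the absent ones."""
    expected = {
        f"host/{netbios}@{realm}", f"host/{fqdn}@{realm}", f"{netbios}$@{realm}",
        f"cifs/{netbios}@{realm}", f"cifs/{fqdn}@{realm}",
    }
    present = {p for _, p, _ in entries}
    return sorted(expected - present)


def diagnose(klist_text, log_line, netbios, fqdn, realm):
    """Combine the checks into a list of findings an admin can act on."""
    entries = parse_klist(klist_text)
    findings = []
    for p, e in duplicate_entries(entries):
        findings.append(f"duplicate keytab entry: {p} ({e})")
    for p in missing_expected(entries, netbios, fqdn, realm):
        findings.append(f"expected SPN missing from keytab: {p}")
    fail = parse_failure(log_line)
    if fail:
        spn, kvno = fail
        # service/host@REALM -> host; a bare machine account has no '/'
        host = spn.split("/", 1)[1].split("@", 1)[0] if "/" in spn else None
        if host is not None and host.lower() not in (netbios.lower(), fqdn.lower()):
            findings.append(f"client asked for {spn}, which names an alias rather than "
                            f"the real host {fqdn}: check /etc/hosts and the A/PTR/CNAME records")
        kvnos = {k for k, p, _ in entries if p == spn}
        if kvnos and kvno not in kvnos:
            findings.append(f"{spn} is in the keytab with kvno {sorted(kvnos)} but the ticket "
                            f"was issued for kvno {kvno}: the KDC holds a different key for "
                            f"this SPN, which points at a separate (possibly stale) account")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KLIST, SAMPLE_LOG, "FS-A", "fs-a.dom.corp", "DOM.CORP"):
        print("-", finding)
```

On the constructed input this reports three findings: the doubled host/FS-A line, the alias SPN the client requested, and the kvno 7 versus 113 mismatch. That last one is the signal the poster pointed at with "please pay attention to (kvno 113)": a kvno the member never had means the ticket was encrypted with a key belonging to some other account, which is exactly what a leftover machine account for the old server produces. To run it against a real system, feed it the output of `klist -ke /etc/krb5.keytab` and the relevant line from the smbd log.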