[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab

banda bassotti bandabasotti at gmail.com
Tue Nov 5 16:10:03 UTC 2019


samba-tool computer remove oldsamba


On Tue 5 Nov 2019 at 17:04 L.P.H. van Belle <belle at bazuin.nl>
wrote:

> Hai,
>
> Well, that's great you found it.
>
> Ah.. so you removed the entry from the DNS or ADDB?
> Can you tell what you exactly did? That might help the next person with a
> problem like this.
>
> And not many list messages today..  ;-)  so no worries..
>
> I suspect you removed the old account name from OU=Computers, because..
> (And my fault here was not to check that sooner.. )
>
> If you use a call that needs an SPN, it looks it up in AD and DNS.
> First DNS, then ADDB, and I only focused on DNS.. :-/  while the XXXX/spn
> entries are in COMPUTERNAME$ in ADDB..
>
> One to remember... and yes, this should have been found quicker.
>
>
> Greetz,
>
> Louis
>
>
> ------------------------------
> *From:* banda bassotti [mailto:bandabasotti at gmail.com]
> *Sent:* Tuesday 5 November 2019 16:56
> *To:* L.P.H. van Belle
> *CC:* samba at lists.samba.org
> *Subject:* Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109)
> in keytab
>
> Louis, Rowland, I've found the problem, I feel like an idiot:
>
> 1) for making you lose all this time
> 2) because I had not checked before
>
> The oldsamba machine account was still present on the domain controllers :(
>
> sorry :(
>
> On Tue 5 Nov 2019 at 16:36 banda bassotti <
> bandabasotti at gmail.com> wrote:
>
>> Louis, my typos, I have to mask the output, sorry (compliance)
>>
>> # su - testuser
>> $ smbclient --option='client min protocol=NT1' -U testuser
>> //oldsamba/testuser -c 'ls'
>> Unable to initialize messaging context
>> Enter DOM\testuser's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> [2019/11/05 15:50:50.009481,  1]
>> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text):
>> Failed to find cifs/stcomune at COMUNE.PADOVA.IT(kvno 113) in keytab
>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> [2019/11/05 15:50:50.009564,  1]
>> ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing
>> NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>
>> The same test from a Windows machine fails with a user credential request.
>>
>> $ host oldsamba
>> oldsamba.dom.corp is an alias for fs-a.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>> $ head /etc/hosts
>> 127.0.0.1 localhost
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba
>>
>> I accepted your suggestions and modified smb.conf accordingly, thanks.
>>
>> On Tue 5 Nov 2019 at 15:43 L.P.H. van Belle via samba <
>> samba at lists.samba.org> wrote:
>>
>>> Ok,
>>>
>>> Your keytab looks ok now.
>>>
>>> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>>> fs-a.dom.corp has address 10.0.0.2
>>>
>>> I would have expected here:
>>> oldsamba.dom.corp is an alias for fs-a.dom.corp.
>>> fs-a.dom.corp has address 10.0.0.2
>>>
>>> Or was that a typo? I'm assuming a typo..
>>>
>>> About your setup, from the script output.
>>>
>>> Change this one.
>>> /etc/hosts
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba  # Old/wrong
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba  # new/correct
>>> Or
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp  # new/correct
>>>
>>> Here I personally prefer:
>>> 10.0.0.2 fs-a.dom.corp fs-a
>>>
>>> And add the cname to the DNS.
>>>
>>> Why..  IP ALIAS1 ALIAS2.. etc.., but what I didn't tell before.. (sorry)
>>>
>>> ALIAS: if you use a "single label" alias name, as in only the
>>> hostname alias without the domain part,
>>> then that hostname can/should only be used on the server, because it's
>>> missing the domain part.
>>>
>>> I do the same here, this is how I use it.  ( from a 4.11.2 member to a
>>> .. yes 3.6.x server, I still have one running.. :-/ )
>>> smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
>>> -k won't work here, don't ask why, that I don't know.
>>>
>>> To a 4.8+ member I use:   smbclient //somealias/sharename  -c 'ls'
>>>
>>> /etc/samba/smb.conf
>>> You can remove these after testing, or set them to no and use getent
>>> passwd/group username/groupname if you want to see the groups.
>>>   winbind enum groups = yes
>>>   winbind enum users = yes
>>>
>>> Why is this used: getwd cache = yes ?
>>> To my understanding, I think you can remove it, because this should
>>> be handled differently in Samba 4.
>>>
>>> You're allowing:  usershare allow guests = yes
>>> but you disable the share location: usershare path =
>>> Either use it or disable it, now it's?? you tell me.. ;-) .
>>>
>>> But besides the above points your setup looks pretty good.
>>>
>>> @Rowland,
>>> This might help you understand my response on this one.
>>>
>>> > You are creating a keytab, which may or may not be called
>>> /etc/krb5.keytab2
>>>
>>> ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
>>> But since it's replaced anyway now.
>>>
>>> PS, the keytab name is not significant.
>>> What is significant is what is set for: default_keytab_name in
>>> krb5.conf
>>> Which of course defaults to FILE:/etc/krb5.keytab
>>>
>>>
>>> > > Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
>>> > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>> >
>>> > Then something reads the keytab in memory and cannot find the
>>> > required SPN, or to put it another way, whatever is trying to find the
>>> > SPN isn't  reading the keytab you created above, it is reading the one
>>> in memory.
>>>
>>> Ok, this part above, yes, you're right, it's reading in memory, but to my
>>> belief,
>>> from:  kerberos method = secrets and keytab,  and as far as I know
>>> "secrets" = MEMORY
>>> but ask yourself, why is it using the "oldsamba" name if he is using
>>> oldsamba as alias name.
>>> That's the key here, so the conclusion: resolving problems/incorrect setup.
>>>
>>> So therefore I'm saying ( typed this before I got the script output ):
>>> OLDSAMBA is still in /etc/hosts but before the new hostname,
>>> or it still has a DNS A record,
>>> or Samba is also using the NetBIOS alias names while creating keytab
>>> entries.
>>>    ... And this should in my opinion not happen, so let's wait what
>>> comes back.
>>> AND his keytab file is still incorrectly set up.
>>>
>>> And as I saw in the debug script output, I'm betting now on /etc/hosts
>>> that needs fixing.
>>>
>>> Summary.
>>>
>>> Change : /etc/hosts
>>> # this line to :
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
>>> #Or
>>> 10.0.0.2 fs-a.dom.corp fs-a # preferred, and setup CNAME in DNS.
>>>
>>> Reboot the server or "stop/start" samba ( don't restart ) !
>>>
>>> Verify the hostname alias:
>>> host oldhostname.dom.corp
>>> host oldhostname
>>>
>>> And try again.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>> ________________________________
>>>
>>>         From: banda bassotti [mailto:bandabasotti at gmail.com]
>>>         Sent: Tuesday 5 November 2019 14:49
>>>         To: L.P.H. van Belle
>>>         CC: samba at lists.samba.org
>>>         Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp
>>> (kvno 109) in keytab
>>>
>>>
>>>         systemctl stop nmbd smbd winbind
>>>         rm -f /etc/krb5.keytab*
>>>         KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>>>         net ads keytab create cifs/$(hostname -f)
>>>         klist -ke /etc/krb5.keytab | sort
>>>
>>>         ----
>>> --------------------------------------------------------------------------
>>>            7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>>            7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>>            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>>>            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>>>            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>>>            7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>>            7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>>            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>>            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>>            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>>            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>>            7 FS-A$@DOM.CORP (arcfour-hmac)
>>>            7 FS-A$@DOM.CORP (des-cbc-crc)
>>>            7 FS-A$@DOM.CORP (des-cbc-md5)
>>>            7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
>>>            7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
>>>            7 host/FS-A at DOM.CORP (arcfour-hmac)
>>>            7 host/FS-A at DOM.CORP (des-cbc-crc)
>>>            7 host/FS-A at DOM.CORP (des-cbc-md5)
>>>            7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
>>>            7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
>>>            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>>            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>>         Keytab name: FILE:/etc/krb5.keytab
>>>         KVNO Principal
>>>
>>>
>>>         systemctl start nmbd smbd winbind
>>>
>>>         # host oldsamba
>>>         oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>>>         fs-a.dom.corp has address 10.0.0.2
>>>
>>>
>>>         $ kinit testuser
>>>         $ smbclient //oldsamba/testuser -k -c 'ls'
>>>         Unable to initialize messaging context
>>>         session setup failed: NT_STATUS_LOGON_FAILURE
>>>
>>>
>>>         [2019/11/05 14:32:18.863122,  1]
>>> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>>           gss_accept_sec_context failed with [ Miscellaneous failure
>>> (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
>>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>         [2019/11/05 14:32:18.863192,  1]
>>> ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>>>           gensec_spnego_server_negTokenInit_step: gse_krb5: parsing
>>> NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>>
>>>
>>>         Attached the samba-debug-info.txt.
>>>
>>>         On Tue 5 Nov 2019 at 13:43 L.P.H. van Belle <
>>> belle at bazuin.nl> wrote:
>>>
>>>
>>>                 Hai,
>>>
>>>                 Nope.. Too much again ;-)
>>>
>>>                 This is one step too much:
>>>                 step2:
>>>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
>>> cifs/oldsamba.dom.corp at DOM.CORP
>>>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
>>> cifs/oldsamba at DOM.CORP
>>>                 # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD
>>> cifs/oldsamba$@DOM.CORP
>>>
>>>                 And why are you adding @REALM .. Do it exactly as shown
>>> below.
>>>
>>>                 Because a CNAME resolves to the REAL hostname's A
>>> record, Kerberos then uses the A of the real hostname and (might) verify
>>> the PTR also.
>>>
>>>                 So again, and exactly as shown, because your "Default
>>> realm" is used automatically.
>>>
>>>                 kinit Administrator
>>>                 *(you see here:  Password for Administrator at REALM: )
>>>
>>>                 stop samba and related services.
>>>
>>>                 rm /etc/krb5.keytab2
>>>                 rm /etc/krb5.keytab
>>>
>>>                 # I changed the keytab to the needed name
>>> (/etc/krb5.keytab)
>>>                 KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE
>>> -P
>>>
>>>                 net ads keytab create cifs/$(hostname -f)
>>>
>>>                 Verify the output.
>>>                 klist -ke /etc/krb5.keytab | sort
>>>
>>>                 If you see the ALIAS hostname "oldsamba" again in the
>>> keytab file, then remove from smb.conf:
>>>
>>>                 netbios aliases = OLDSAMBA
>>>
>>>                 Verify the DNS and make sure your realhostname does have
>>> the A and PTR records set.
>>>                 And remove all A/PTR related records to OLDSAMBA.
>>>                 Add the CNAME for OLDSAMBA and point to the
>>> realhostname.
>>>
>>>                 Restart samba, repeat above.
>>>
>>>                 Still failing..
>>>                 Then get this script:
>>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>>>                 Run it, anonymize it and post the output.
>>>
>>>
>>>                 Greetz,
>>>
>>>                 Louis
>>>
>>>
>>>
>>>                 ________________________________
>>>
>>>                         From: banda bassotti [mailto:
>>> bandabasotti at gmail.com]
>>>                         Sent: Tuesday 5 November 2019 13:18
>>>                         To: L.P.H. van Belle
>>>                         CC: samba at lists.samba.org
>>>                         Subject: Re: [Samba] Failed to find
>>> cifs/fs-share at dom.corp (kvno 109) in keytab
>>>
>>>
>>>                         Louis,  ok I've removed everything, step 1:
>>>
>>>                         KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
>>> keytab CREATE -P
>>>
>>>                         klist -ke /etc/krb5.keytab2|grep 7|sort
>>>
>>>
>>>                            7 cifs/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 cifs/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>>>                            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>>>                            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>>                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>>                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>>                            7 FS-A$@DOM.CORP (arcfour-hmac)
>>>                            7 FS-A$@DOM.CORP (des-cbc-crc)
>>>                            7 FS-A$@DOM.CORP (des-cbc-md5)
>>>                            7 host/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 host/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 host/FS-A at DOM.CORP (arcfour-hmac)
>>>                            7 host/FS-A at DOM.CORP (des-cbc-crc)
>>>                            7 host/FS-A at DOM.CORP (des-cbc-md5)
>>>                            7 host/fs-a.dom.corp at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 host/fs-a.dom.corp at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>>
>>>
>>>
>>>                         step2:
>>>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
>>> keytab ADD cifs/oldsamba.dom.corp at DOM.CORP
>>>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
>>> keytab ADD cifs/oldsamba at DOM.CORP
>>>                         # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads
>>> keytab ADD cifs/oldsamba$@DOM.CORP
>>>
>>>
>>>                         klist
>>>
>>>                            7 cifs/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 cifs/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 cifs/FS-A at DOM.CORP (arcfour-hmac)
>>>                            7 cifs/FS-A at DOM.CORP (des-cbc-crc)
>>>                            7 cifs/FS-A at DOM.CORP (des-cbc-md5)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>>                            7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>>                            7 cifs/oldsamba$@DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 cifs/oldsamba$@DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
>>>                            7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
>>>                            7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
>>>                            7 cifs/oldsamba at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 cifs/oldsamba at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 cifs/oldsamba at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 cifs/oldsamba at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>>>                            7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
>>>                            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>>>                            7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
>>>                            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>>>                            7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
>>>                            7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>>>                            7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>>>                            7 FS-A$@DOM.CORP (arcfour-hmac)
>>>                            7 FS-A$@DOM.CORP (des-cbc-crc)
>>>                            7 FS-A$@DOM.CORP (des-cbc-md5)
>>>                            7 host/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 host/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 host/FS-A at DOM.CORP (arcfour-hmac)
>>>                            7 host/FS-A at DOM.CORP (des-cbc-crc)
>>>                            7 host/FS-A at DOM.CORP (des-cbc-md5)
>>>                            7 host/fs-a.dom.corp at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                            7 host/fs-a.dom.corp at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                            7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
>>>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
>>>                            7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
>>>
>>>
>>>                         systemctl start nmbd smbd winbind
>>>
>>>                         test from windows machine:
>>>
>>>                         [2019/11/05 13:14:49.108879,  1]
>>> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>>                           gss_accept_sec_context failed with [
>>> Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno
>>> 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>
>>>
>>>                         On Tue 5 Nov 2019 at 12:40 L.P.H.
>>> van Belle <belle at bazuin.nl> wrote:
>>>
>>>
>>>                                 Ok, you did too much as far as I can tell.
>>>
>>>                                 You want to see this: I'll show my
>>> output, then it is easier to see what I mean.
>>>
>>>                                 This is what you start with.
>>>                                 klist -ke |sort  ( default member )
>>>                                 ----
>>> --------------------------------------------------------------------------
>>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD
>>> (aes128-cts-hmac-sha1-96)
>>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD
>>> (aes256-cts-hmac-sha1-96)
>>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD
>>> (arcfour-hmac)
>>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD
>>> (des-cbc-crc)
>>>                                    3 host/HOSTNAME1 at REALM.DOMAIN.TLD
>>> (des-cbc-md5)
>>>                                    3
>>> host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
>>> (aes128-cts-hmac-sha1-96)
>>>                                    3
>>> host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
>>> (aes256-cts-hmac-sha1-96)
>>>                                    3
>>> host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
>>>                                    3
>>> host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
>>>                                    3
>>> host/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
>>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD
>>> (aes128-cts-hmac-sha1-96)
>>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD
>>> (aes256-cts-hmac-sha1-96)
>>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD
>>> (arcfour-hmac)
>>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD
>>> (des-cbc-crc)
>>>                                    3 HOSTNAME1$@REALM.DOMAIN.TLD
>>> (des-cbc-md5)
>>>
>>>                                 In my case, my server's "real" name is
>>> hostname1 and I have an alias, let's say mycrazyserver
>>>
>>>                                 /etc/hosts
>>>                                 127.0.0.1     localhost
>>>                                 192.168.0.1   hostname1.internal.domain.tld hostname1  mycrazyserver.internal.domain.tld
>>>                                 Host format:
>>>                                 IP      REAL_HOSTNAME_FQDN ALIAS ALIAS
>>>
>>>                                 Note, adding
>>> mycrazyserver.internal.domain.tld should not be needed, because that is
>>> resolved through dns.
>>>
>>>                                 ping mycrazyserver.internal.domain.tld
>>> will respond its reply with hostname1.internal.domain.tld hostname1
>>>
>>>                                 If you add CIFS to your keytab you want
>>> to see:
>>>                                    3
>>> cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
>>> (aes128-cts-hmac-sha1-96)
>>>                                    3
>>> cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD
>>> (aes256-cts-hmac-sha1-96)
>>>                                    3
>>> cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (arcfour-hmac)
>>>                                    3
>>> cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-crc)
>>>                                    3
>>> cifs/hostname1.internal.domain.tld at REAL.DOMAIN.TLD (des-cbc-md5)
>>>                                 ( + what's above )
>>>
>>>                                 That's it..
>>>
>>>                                 So your output should look like this.
>>>
>>>                                        7 cifs/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                        7 cifs/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                        7 cifs/FS-A at DOM.CORP
>>> (arcfour-hmac)
>>>                                        7 cifs/FS-A at DOM.CORP
>>> (des-cbc-crc)
>>>                                        7 cifs/FS-A at DOM.CORP
>>> (des-cbc-md5)
>>>                                        7 cifs/fs-a.dom.corp at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                        7 cifs/fs-a.dom.corp at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                        7 cifs/fs-a.dom.corp at DOM.CORP
>>> (arcfour-hmac)
>>>                                        7 cifs/fs-a.dom.corp at DOM.CORP
>>> (des-cbc-crc)
>>>                                        7 cifs/fs-a.dom.corp at DOM.CORP
>>> (des-cbc-md5)
>>>                                        7 FS-A$@DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                        7 FS-A$@DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                        7 FS-A$@DOM.CORP (arcfour-hmac)
>>>                                        7 FS-A$@DOM.CORP (des-cbc-crc)
>>>                                        7 FS-A$@DOM.CORP (des-cbc-md5)
>>>                                        7 host/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                        7 host/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96) < double = wrong
>>>                                        7 host/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                        7 host/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)   < double = wrong
>>>                                        7 host/FS-A at DOM.CORP
>>> (arcfour-hmac)
>>>                                        7 host/FS-A at DOM.CORP
>>> (arcfour-hmac)      < double = wrong
>>>                                        7 host/FS-A at DOM.CORP
>>> (des-cbc-crc)
>>>                                        7 host/FS-A at DOM.CORP
>>> (des-cbc-crc)       < double = wrong
>>>                                        7 host/FS-A at DOM.CORP
>>> (des-cbc-md5)
>>>                                        7 host/FS-A at DOM.CORP
>>> (des-cbc-md5)       < double = wrong
>>>                                        7 host/fs-a.dom.corp at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                        7 host/fs-a.dom.corp at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                        7 host/fs-a.dom.corp at DOM.CORP
>>> (arcfour-hmac)
>>>                                        7 host/fs-a.dom.corp at DOM.CORP
>>> (des-cbc-crc)
>>>                                        7 host/fs-a.dom.corp at DOM.CORP
>>> (des-cbc-md5)
>>>
>>>
>>>                                 So try again. ;-)
>>>
>>>                                 Greetz,
>>>
>>>                                 Louis
>>>
>>>
>>>
>>>
>>>
>>>                                 ________________________________
>>>
>>>                                         From: banda bassotti [mailto:
>>> bandabasotti at gmail.com]
>>>                                         Sent: Tuesday 5 November
>>> 2019 12:06
>>>                                         To: L.P.H. van Belle
>>>                                         CC: samba at lists.samba.org
>>>                                         Subject: Re: [Samba] Failed to
>>> find cifs/fs-share at dom.corp (kvno 109) in keytab
>>>
>>>
>>>                                         Louis, thank you very much, I
>>> followed the procedure step by step (which I had already done) but
>>> unfortunately I still have the same error:
>>>
>>>
>>>                                         [2019/11/05 11:49:47.748159,  1]
>>> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>>
>>>                                           gss_accept_sec_context failed
>>> with [ Miscellaneous failure (see text): Failed to find
>>> cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab
>>> (arcfour-hmac-md5)]
>>>
>>>
>>>                                         Please pay attention to (kvno
>>> 113): the problem is here and not in the keytab file.
>>>
>>>
>>>                                         klist -ke /etc/krb5.keytab
>>>                                         Keytab name:
>>> FILE:/etc/krb5.keytab
>>>                                         KVNO Principal
>>>                                         ----
>>> --------------------------------------------------------------------------
>>>                                            7 host/fs-a.dom.corp at DOM.CORP
>>> (des-cbc-crc)
>>>                                            7 host/FS-A at DOM.CORP
>>> (des-cbc-crc)
>>>                                            7 host/fs-a.dom.corp at DOM.CORP
>>> (des-cbc-md5)
>>>                                            7 host/FS-A at DOM.CORP
>>> (des-cbc-md5)
>>>                                            7 host/fs-a.dom.corp at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                            7 host/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                            7 host/fs-a.dom.corp at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                            7 host/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                            7 host/fs-a.dom.corp at DOM.CORP
>>> (arcfour-hmac)
>>>                                            7 host/FS-A at DOM.CORP
>>> (arcfour-hmac)
>>>                                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (des-cbc-crc)
>>>                                            7 cifs/FS-A at DOM.CORP
>>> (des-cbc-crc)
>>>                                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (des-cbc-md5)
>>>                                            7 cifs/FS-A at DOM.CORP
>>> (des-cbc-md5)
>>>                                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                            7 cifs/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                            7 cifs/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                            7 cifs/fs-a.dom.corp at DOM.CORP
>>> (arcfour-hmac)
>>>                                            7 cifs/FS-A at DOM.CORP
>>> (arcfour-hmac)
>>>                                            7 FS-A$@DOM.CORP (des-cbc-crc)
>>>                                            7 FS-A$@DOM.CORP (des-cbc-md5)
>>>                                            7 FS-A$@DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                            7 FS-A$@DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                            7 FS-A$@DOM.CORP
>>> (arcfour-hmac)
>>>                                            7 host/FS-A at DOM.CORP
>>> (des-cbc-crc)
>>>                                            7 host/FS-A at DOM.CORP
>>> (des-cbc-md5)
>>>                                            7 host/FS-A at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                            7 host/FS-A at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                            7 host/FS-A at DOM.CORP
>>> (arcfour-hmac)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (des-cbc-crc)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (des-cbc-md5)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (arcfour-hmac)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (des-cbc-crc)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (des-cbc-md5)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (aes128-cts-hmac-sha1-96)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (aes256-cts-hmac-sha1-96)
>>>                                            7 cifs/oldsamba at DOM.CORP
>>> (arcfour-hmac)
>>>
>>>
>>>                                         To temporarily solve this problem
>>> I must extract the keytab of oldsamba from the domain controller and
>>> import it with ktutil:
>>>
>>>                                         # ktutil
>>>                                         ktutil:  rkt oldsamba.keytab
>>>                                         ktutil:  l
>>>                                         slot KVNO Principal
>>>                                         ---- ---- ---------------------------------------------------------------------
>>>                                            1  112  cifs/oldsamba at DOM.CORP
>>>                                            2  112  cifs/oldsamba at DOM.CORP
>>>                                            3  112  cifs/oldsamba at DOM.CORP
>>>                                            4  113  cifs/oldsamba at DOM.CORP
>>>                                            5  113  cifs/oldsamba at DOM.CORP
>>>                                            6  113  cifs/oldsamba at DOM.CORP
>>>
>>>
>>>                                         please note the kvno column.
>>>
>>>
>>> On Tue 5 Nov 2019 at 11:30 L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>
>>>
>>> Hai,
>>>
>>> I've re-read your thread, and there are a few things going-on..
>>> I suggest you do the following..
>>>
>>> Change these.
>>>
>>> /etc/krb5.conf
>>> [libdefaults]
>>>   default_realm = DOM.CORP
>>>   dns_lookup_kdc = true
>>>   dns_lookup_realm = false
>>>   forwardable = true
>>>   proxiable = true
>>>   kdc_timesync = 1
>>>   debug = false
>>>
>>>
>>> /etc/samba/smb.conf
>>> [Global]
>>>    workgroup = WG1
>>>    realm = DOM.CORP
>>>    # Netbios names in CAPS, see..
>>>    # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
>>>    # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>>>    # Verify in DNS the following: A - PTR records for the netbios name, setup a CNAME for all alias-names,
>>>    # point the CNAME to the A record of which the PTR also exists..
>>>    netbios name = FS-A
>>>    netbios aliases = OLDSAMBA
>>>    security = ADS
>>>    #
>>>    kerberos method = secrets and keytab
>>>    dedicated keytab file = /etc/krb5.keytab
>>>    # renew the kerberos ticket
>>>    winbind refresh tickets = yes
>>>
>>> ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
>>> You run : net ads keytab
>>>
>>> cp /etc/krb5.keytab{,.backup}
>>> kinit Administrator
>>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>>>
>>> Verify this keytab.
>>> klist -ke /etc/krb5.keytab2
>>>
>>> You want to see :
>>> host/NETBIOSNAME@DOM.CORP  ( x5 )
>>> host/fqdn.hostname.dom.tld@DOM.CORP  ( x5 )
>>> NETBIOSNAME$@DOM.CORP  ( x5 )
>>>
>>> If you see these, then run this to add the cifs keytab.
>>>
>>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
>>> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
>>>
>>> Verify the keytab file again.
>>> klist -ke /etc/krb5.keytab2
>>>
>>> If it all looks good.
>>>
>>> Stop all samba services
>>> rm /etc/krb5.keytab  .. ( a backup file is made if you followed above )
>>> mv /etc/krb5.keytab2 /etc/krb5.keytab
>>>
>>>
>>> That "should" do the trick..
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>> > -----Original message-----
>>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> > banda bassotti via samba
>>> > Sent: Tuesday 5 November 2019 9:49
>>> > To: Rowland penny
>>> > CC: sambalist
>>> > Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>>>                                                 >
>>> > Hi, nothing to do: despite having set winbind not to change the machine
>>> > password, the behavior is the same. I do not know what to do.
>>> > Other ideas?
>>> >
>>> > Thanks.
>>>                                                 >
>>> > On Tue 29 Oct 2019 at 11:37 banda bassotti <bandabasotti at gmail.com> wrote:
>>>                                                 >
>>> > > Hi, the problem seems to be related to this bug:
>>> > >
>>> > > https://bugzilla.samba.org/show_bug.cgi?id=6750
>>> > >
>>> > > I therefore try to set
>>> > >
>>> > >   machine password timeout = 0
>>> > >
>>> > >
>>> > >
>>> > > On Tue 29 Oct 2019 at 11:11 Rowland penny via samba <samba at lists.samba.org> wrote:
>>>                                                 > >
>>> > >> On 29/10/2019 10:04, banda bassotti wrote:
>>> > >> > I had already done it:
>>> > >> >
>>> > >> > # samba-tool spn list newsamba\$
>>> > >> > newsamba$
>>> > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following servicePrincipalName:
>>> > >> >          HOST/NEWSAMBA
>>> > >> >          HOST/newsamba.domain.corp
>>> > >> >          cifs/oldsamba@DOMAIN.CORP
>>> > >> >          cifs/oldsamba.domain.corp@DOMAIN.CORP
>>> > >>
>>> > >> From your log fragment, it appears to be looking for
>>> > >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to
>>> > >> remove the lowercase version SPN and replace it with the uppercase version.
>>> > >>
>>> > >> Rowland
>>> > >>
>>> > >>
>>> > >>
>>> > >> --
>>> > >> To unsubscribe from this list go to the following URL and read the
>>> > >> instructions: https://lists.samba.org/mailman/options/samba
>>> > >>
>>>                                                 > >
>>
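The keytab verification Louis describes above ("You want to see ... ( x5 )", "please note the kvno column"), as an added example that is not part of the thread: a POSIX shell check over MIT `klist -ke` output that confirms each expected principal is present with a full set of encryption types and shows the key version numbers stored for it, so a keytab that is incomplete or stale against the KDC stands out before services are restarted. The host names (FS-A, fs-a.dom.corp, DOM.CORP) and the sample listing are constructed placeholders in the thread's style.

```shell
#!/bin/sh
# Added example, not from the thread: check a member server's keytab, as
# listed by MIT `klist -ke`, for the principals Louis says you want to see,
# each with a full set of enctypes, and report the kvno(s) stored for each.
# FS-A / fs-a.dom.corp / DOM.CORP are placeholder names.

# 5 entries per principal in the thread's 2019 listing (2x DES, 2x AES, RC4);
# current Samba/Kerberos builds no longer write DES keys, so lower it there.
EXPECTED_ENCTYPES=${EXPECTED_ENCTYPES:-5}

# Constructed sample of `klist -ke` output: FS-A$ is incomplete and carries
# two key versions, and the cifs/FS-A$ entry is missing, to show both failures.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   6 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)'

# check_principal PRINCIPAL LISTING: prints one status line; returns 0 only
# when the principal is present with EXPECTED_ENCTYPES entries.
check_principal() {
    p=$1; listing=$2
    # klist -ke fields: kvno, principal, (enctype); count rows and collect kvnos
    count=$(printf '%s\n' "$listing" | awk -v p="$p" '$2 == p { n++ } END { print n + 0 }')
    kvnos=$(printf '%s\n' "$listing" |
        awk -v p="$p" '$2 == p && !seen[$1]++ { printf "%s%s", (n++ ? "," : ""), $1 }')
    if [ "$count" -eq 0 ]; then
        echo "$p MISSING"; return 1
    elif [ "$count" -lt "$EXPECTED_ENCTYPES" ]; then
        echo "$p INCOMPLETE ($count of $EXPECTED_ENCTYPES) kvno=$kvnos"; return 1
    fi
    echo "$p ok kvno=$kvnos"
}

# check_keytab LISTING PRINCIPAL...: checks every principal and returns the
# number that failed, so 0 means the keytab is complete.
check_keytab() {
    listing=$1; shift; failed=0
    for p in "$@"; do check_principal "$p" "$listing" || failed=$((failed + 1)); done
    return "$failed"
}

# Stand-alone run against the sample; on a real member pass "$(klist -ke /etc/krb5.keytab)".
check_keytab "$SAMPLE_KLIST" 'host/FS-A@DOM.CORP' 'host/fs-a.dom.corp@DOM.CORP' \
    'FS-A$@DOM.CORP' 'cifs/FS-A$@DOM.CORP' || echo "keytab needs attention ($? principal(s) failed)"
```

A kvno list such as `6,7` is normal right after a machine-password rotation, but an entry whose highest kvno is below the one the KDC reports in the "Failed to find ... (kvno N)" message is the keytab that must be regenerated.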

