[Samba] Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?

L.P.H. van Belle belle at bazuin.nl
Wed Nov 20 08:26:30 UTC 2019


Your config looks ok, as far as I can tell. 

This: "cifs/kvm7246-vm022.maas.local at TC84.LOCAL" 
As it should be, spn/hostname.fqdn at REALM; nothing wrong with that. 

But if I understand it right: 

Your server kvm7246-vm022.maas.local is in REALM TC83.LOCAL (NTDOM: TC83), 
but you get TC84 back? 

On the problem server run the following: 

dig a kvm7246-vm022.maas.local @IP_of_AD-DC
Gives a Returned_IP

dig -x Returned_IP @IP_of_AD-DC

hostname -s
hostname -f 
hostname -I
hostname -A
cat /etc/resolv.conf
route -n|grep default 
cat /etc/krb5.conf

Do you have 2 servers with the same hostname but in different DNS domains? 
Like this one: kvm7246-vm022  << 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Nathaniel W. Turner via samba
> Sent: Tuesday 19 November 2019 23:11
> To: banda bassotti
> CC: sambalist
> Subject: Re: [Samba] Why is smbd looking for Kerberos 
> principal cifs/host at DOMB when it is a member of DOMA?
> 
> Is it expected that samba will be looking for a principal of the form
> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
> 
> My guess is no, since the keytab (as I'd expect) only contains keys for
> principals in the server's domain, TC83.LOCAL. Is this a bug, or have I
> configured something incorrectly?
> 
> On Tue, Nov 19, 2019 at 2:51 PM Nathaniel W. Turner <
> nathanielwyliet at gmail.com> wrote:
> 
> > In case you missed the link in the original email, here's the smb.conf:
> >
> > [global]
> > 	kerberos method = secrets and keytab
> > 	logging = systemd
> > 	realm = TC83.LOCAL
> > 	security = ADS
> > 	template homedir = /home/%U@%D
> > 	template shell = /bin/bash
> > 	winbind offline logon = Yes
> > 	winbind refresh tickets = Yes
> > 	workgroup = TC83
> > 	idmap config * : range = 1000000-19999999
> > 	idmap config * : backend = autorid
> >
> >
> > [test]
> > 	path = /srv/test
> > 	valid users = "@tc83.local\domain users" "@tc84.local\domain users"
> >
> >
> > On Fri, Nov 15, 2019 at 3:02 PM Nathaniel W. Turner <
> > nathanielwyliet at gmail.com> wrote:
> >
> >> Here's the keytab info:
> >>
> >> ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
> >> Keytab name: FILE:/etc/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
> >>   12 host/KVM7246-VM022 at TC83.LOCAL (etype 1)
> >>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
> >>   12 host/KVM7246-VM022 at TC83.LOCAL (etype 3)
> >>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 host/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 host/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac)
> >>   12 host/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
> >>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
> >>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 1)
> >>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
> >>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (etype 3)
> >>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 exagrid/kvm7246-vm022.tc83.local at TC83.LOCAL (arcfour-hmac)
> >>   12 exagrid/KVM7246-VM022 at TC83.LOCAL (arcfour-hmac)
> >>   12 KVM7246-VM022$@TC83.LOCAL (etype 1)
> >>   12 KVM7246-VM022$@TC83.LOCAL (etype 3)
> >>   12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >>   12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >>   12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac)
> >>
> >> The client is a Windows box, and I'm running this command:
> >>
> >> net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator
> >>
> >> I see the same behavior when I use smbclient:
> >>
> >> smbclient //kvm7246-vm022.maas.local/test -U administrator at tc84.local
> >>
> >> On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com>
> >> wrote:
> >>
> >>> Hi, please run the command:
> >>>
> >>> klist -ek /etc/krb5.keytab and post the output along with the file
> >>> smb.conf.
> >>> how do you access your share?
> >>>
> >>> \\kvm7246-vm022.maas.local\\sharename"
> >>>
> >>> or something like that?
> >>>
> >>> bb.
> >>>
> >>>
> >>>
> >>> On Fri 15 Nov 2019 at 18:24 Nathaniel W. Turner via samba
> >>> <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi all. I’m trying to understand a weird authentication failure:
> >>>>
> >>>> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different
> >>>> forest, with a bidirectional forest trust.
> >>>> The samba server kvm7246-vm022.maas.local is a domain member of TC83
> >>>> and is running a recent build from git master (f38077ea5ee).
> >>>>
> >>>> When I test authentication of users in each domain by running ntlm_auth
> >>>> on the samba server, it is successful for users in either domain.
> >>>>
> >>>> When I try to connect from a Windows client in TC84 using SMB, it is
> >>>> only successful for users in the TC83 domain. For users in the TC84
> >>>> domain, smbd seems to go off the rails looking for a Kerberos machine
> >>>> principal in the TC84 domain, even though it is not a member of that
> >>>> domain (it's a member of TC83, which trusts TC84):
> >>>>
> >>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996,  1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
> >>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]:   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local at TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> >>>>
> >>>> Why is smbd looking for a principal of the form
> >>>> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
> >>>>
> >>>> n
> >>>>
> >>>> [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ
> >>>> for full logs and smb.conf]
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >>>
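An added example, not code from this thread or from Samba: a Python check that parses `klist -ek` output (a constructed sample built from the listing quoted above) together with the `gss_accept_sec_context` error from the smbd log, and reports which parts of the principal smbd asked for (realm, host name, service, kvno) the keytab does not hold. The constant and function names are assumptions of this example.

```python
import re

# Constructed sample in the shape of `klist -ek /etc/krb5.keytab` output:
# three of the principals from the listing quoted in this thread, '@' restored.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
"""

# Constructed sample: the smbd error quoted in this thread, '@' restored.
GSS_ERROR = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
             "Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) "
             "in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")

# One keytab entry: "<kvno> <principal>@<realm> (<etype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")
ERROR_RE = re.compile(r"Failed to find (\S+)@([^(\s]+)\(kvno (\d+)\)")


def parse_keytab(text):
    """Return (kvno, principal, realm, etype) tuples from klist -ek output."""
    return [(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def parse_gss_error(text):
    """Return (principal, realm, kvno) of the key smbd failed to find."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("no 'Failed to find ... in keytab' fragment in text")
    return m.group(1), m.group(2), int(m.group(3))


def diagnose(keytab_text, error_text):
    """List each part of the requested principal that the keytab cannot satisfy."""
    wanted, realm, kvno = parse_gss_error(error_text)
    service, _, host = wanted.partition("/")
    entries = parse_keytab(keytab_text)
    have = {  # what the keytab actually holds, per component
        "realm": {e[2] for e in entries},
        "host": {e[1].split("/", 1)[1] for e in entries if "/" in e[1]},
        "service": {e[1].split("/", 1)[0] for e in entries if "/" in e[1]},
        "kvno": {e[0] for e in entries},
    }
    want = {"realm": realm, "host": host, "service": service, "kvno": kvno}
    return ["%s: wanted %s, keytab has %s" % (k, want[k], sorted(have[k]))
            for k in ("realm", "host", "service", "kvno") if want[k] not in have[k]]
```

On the thread's data this reports all four mismatches, which matches Louis's point that the realm (TC84 instead of TC83) and the DNS name (maas.local instead of tc83.local) are what to chase first.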



