[Samba] Why is smbd looking for Kerberos principal cifs/host at DOMB when it is a member of DOMA?
L.P.H. van Belle
belle at bazuin.nl
Wed Nov 20 08:26:30 UTC 2019
Your config looks OK, as far as I can tell.
This: "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"
is spn/hostname.fqdn at REALM, as it should be; nothing wrong with that.
But if I understand it right:
Your server kvm7246-vm022.maas.local is in REALM TC83.LOCAL (NTDOM: TC83),
but you get TC84 back?
On the problem server run the following:
dig a kvm7246-vm022.maas.local @IP_of_AD-DC
Gives a Returned_IP
dig -x Returned_IP @IP_of_AD-DC
hostname -s
hostname -f
hostname -I
hostname -A
cat /etc/resolv.conf
route -n|grep default
cat /etc/krb5.conf
Do you have 2 servers with the same hostname but in different DNS domains?
Like this one vm7246-vm022 <<
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Nathaniel W. Turner via samba
> Sent: Tuesday 19 November 2019 23:11
> To: banda bassotti
> CC: sambalist
> Subject: Re: [Samba] Why is smbd looking for Kerberos
> principal cifs/host at DOMB when it is a member of DOMA?
>
> Is it expected that samba will be looking for a principal of the form
> "cifs/kvm7246-vm022.maas.local at TC84.LOCAL"?
>
> My guess is no, since the keytab (as I'd expect) only contains keys for
> principals in the server's domain, TC83.LOCAL. Is this a bug, or have I
> configured something incorrectly?
>
> On Tue, Nov 19, 2019 at 2:51 PM Nathaniel W. Turner <
> nathanielwyliet at gmail.com> wrote:
>
> > In case you missed the link in the original email, here's the smb.conf:
> >
> > [global]
> > kerberos method = secrets and keytab
> > logging = systemd
> > realm = TC83.LOCAL
> > security = ADS
> > template homedir = /home/%U@%D
> > template shell = /bin/bash
> > winbind offline logon = Yes
> > winbind refresh tickets = Yes
> > workgroup = TC83
> > idmap config * : range = 1000000-19999999
> > idmap config * : backend = autorid
> >
> >
> > [test]
> > path = /srv/test
> > valid users = "@tc83.local\domain users" "@tc84.local\domain users"
> >
> >
> > On Fri, Nov 15, 2019 at 3:02 PM Nathaniel W. Turner <
> > nathanielwyliet at gmail.com> wrote:
> >
> >> Here's the keytab info:
> >>
> >> ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
> >> Keytab name: FILE:/etc/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >> 12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
> >> 12 host/KVM7246-VM022@TC83.LOCAL (etype 1)
> >> 12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 3)
> >> 12 host/KVM7246-VM022@TC83.LOCAL (etype 3)
> >> 12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >> 12 host/KVM7246-VM022@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >> 12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >> 12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >> 12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
> >> 12 host/KVM7246-VM022@TC83.LOCAL (arcfour-hmac)
> >> 12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 1)
> >> 12 exagrid/KVM7246-VM022@TC83.LOCAL (etype 1)
> >> 12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (etype 3)
> >> 12 exagrid/KVM7246-VM022@TC83.LOCAL (etype 3)
> >> 12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >> 12 exagrid/KVM7246-VM022@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >> 12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >> 12 exagrid/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >> 12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (arcfour-hmac)
> >> 12 exagrid/KVM7246-VM022@TC83.LOCAL (arcfour-hmac)
> >> 12 KVM7246-VM022$@TC83.LOCAL (etype 1)
> >> 12 KVM7246-VM022$@TC83.LOCAL (etype 3)
> >> 12 KVM7246-VM022$@TC83.LOCAL (aes128-cts-hmac-sha1-96)
> >> 12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
> >> 12 KVM7246-VM022$@TC83.LOCAL (arcfour-hmac)
> >>
> >> The client is a Windows box, and I'm running this command:
> >>
> >> net use x: \\kvm7246-vm022.maas.local\test /user:tc84\administrator
> >>
> >> I see the same behavior when I use smbclient:
> >>
> >> smbclient //kvm7246-vm022.maas.local/test -U administrator@tc84.local
> >>
> >> On Fri, Nov 15, 2019 at 2:20 PM banda bassotti <bandabasotti at gmail.com>
> >> wrote:
> >>
> >>> Hi, please run the command:
> >>>
> >>> klist -ek /etc/krb5.keytab and post the output along with the file
> >>> smb.conf.
> >>> How do you access your share?
> >>>
> >>> \\kvm7246-vm022.maas.local\\sharename"
> >>>
> >>> or something like that?
> >>>
> >>> bb.
> >>>
> >>>
> >>>
> >>> On Fri 15 Nov 2019 at 18:24 Nathaniel W. Turner via samba <
> >>> samba at lists.samba.org> wrote:
> >>>
> >>>> Hi all. I'm trying to understand a weird authentication failure:
> >>>>
> >>>> I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different
> >>>> forest, with a bidirectional forest trust.
> >>>> The samba server kvm7246-vm022.maas.local is a domain member of TC83
> >>>> and is running a recent build from git master (f38077ea5ee).
> >>>>
> >>>> When I test authentication of users in each domain by running ntlm_auth
> >>>> on the samba server, it is successful for users in either domain.
> >>>>
> >>>> When I try to connect from a Windows client in TC84 using SMB, it is
> >>>> only successful for users in the TC83 domain. For users in the TC84
> >>>> domain, smbd seems to go off the rails looking for a Kerberos machine
> >>>> principal in the TC84 domain, even though it is not a member of that
> >>>> domain (it's a member of TC83, which trusts TC84):
> >>>>
> >>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: [2019/11/15 15:53:04.524996, 1, pid=15209, effective(0, 0), real(0, 0)] ../../source3/librpc/crypto/gse.c:659(gse_get_server_auth_token)
> >>>> Nov 15 15:53:04 kvm7246-vm022 smbd[15209]: gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/kvm7246-vm022.maas.local@TC84.LOCAL(kvno 10) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> >>>>
> >>>> Why is smbd looking for a principal of the form
> >>>> "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"?
> >>>>
> >>>> n
> >>>>
> >>>> [See https://drive.google.com/drive/folders/1jsVWHL--mVEnK9pDFUajyt2nQQ5cLpOQ
> >>>> for full logs and smb.conf]
> >>>> --
> >>>> To unsubscribe from this list go to the following URL
> and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
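The keytab check Louis's reply is driving at, as an added example that is not part of this thread and not Samba code: it parses `klist -ek` output and reports, component by component (realm, hostname, service, kvno, etype), why a requested service principal such as the one in the smbd error cannot be served from the keytab. The sample keytab listing is constructed from the principal names posted above (condensed to one encryption type each, with the list-archive's " at " restored to "@"); the principal forms and the failing `cifs/...@TC84.LOCAL` name come from the thread, everything else is an assumption of this example.

```python
"""Keytab lookup diagnostics: parse `klist -ek` output and explain why a
requested service principal (e.g. the one smbd's GSSAPI accept failed on)
is not served by the keytab. Added example; not code from the thread."""
import re
from dataclasses import dataclass

# Constructed sample, condensed from the klist output posted in the thread:
# same principal names, only one encryption type each to keep it short.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  12 host/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 host/KVM7246-VM022@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 exagrid/kvm7246-vm022.tc83.local@TC83.LOCAL (aes256-cts-hmac-sha1-96)
  12 KVM7246-VM022$@TC83.LOCAL (aes256-cts-hmac-sha1-96)
"""

# One klist entry line: "<kvno> <principal> (<etype>)"; header lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    etype: str


def parse_klist(text):
    """Return the KeytabEntry list from `klist -ek` output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def split_principal(principal):
    """Split 'service/instance@REALM' (or 'name@REALM') into (service, instance, realm)."""
    name, _, realm = principal.rpartition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def diagnose(requested, entries, kvno=None, etype=None):
    """Explain why `requested` cannot be served from `entries`.

    Returns [] when an entry matches the name (and kvno/etype, if given);
    otherwise a list of findings, one per mismatching component.
    """
    req_service, req_host, req_realm = split_principal(requested)
    named = [e for e in entries if e.principal == requested]
    usable = [e for e in named
              if (kvno is None or e.kvno == kvno)
              and (etype is None or e.etype == etype)]
    if usable:
        return []

    findings = []
    if named:
        # The name is present; only the key version or encryption type differs.
        have_kvno = sorted({e.kvno for e in named})
        have_etype = sorted({e.etype for e in named})
        if kvno is not None and kvno not in have_kvno:
            findings.append(f"kvno mismatch: requested {kvno}, keytab has {have_kvno}")
        if etype is not None and etype not in have_etype:
            findings.append(f"etype mismatch: requested {etype}, keytab has {have_etype}")
        return findings

    # No entry with that name at all: report each component that is absent.
    parts = [split_principal(e.principal) for e in entries]
    realms = sorted({r for _, _, r in parts})
    services = sorted({s for s, inst, _ in parts if inst})
    hosts = sorted({inst.lower() for _, inst, _ in parts if inst})
    if req_realm not in realms:
        findings.append(f"realm mismatch: requested {req_realm}, keytab holds {realms}")
    if req_host.lower() not in hosts:
        # Same short hostname under another DNS domain is the classic cause
        # (here: maas.local requested, tc83.local in the keytab).
        short = req_host.split(".")[0].lower()
        same_short = [h for h in hosts if h.split(".")[0] == short]
        hint = f" (same short name present as {same_short}: DNS domain differs)" if same_short else ""
        findings.append(f"hostname mismatch: requested {req_host}, keytab hosts {hosts}{hint}")
    if req_service not in services:
        findings.append(f"service mismatch: no {req_service}/ entries, keytab services {services}")
    if not findings:
        findings.append(f"no entry combines {req_service}/{req_host}@{req_realm}, "
                        "although each part appears separately")
    return findings


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    # The principal, kvno and etype from the smbd error quoted in the thread.
    for finding in diagnose("cifs/kvm7246-vm022.maas.local@TC84.LOCAL", entries,
                            kvno=10, etype="aes256-cts-hmac-sha1-96"):
        print(finding)
```

Run against the real keytab with `sudo klist -ek /etc/krb5.keytab | python3 -c 'import sys; ...'` feeding the output to `parse_klist`; for the principal from the error it reports all three of realm, hostname and service as absent, which separates "wrong realm selected" from "wrong DNS name presented" before anyone touches the configuration. Note it only compares names: it says nothing about whether the client should have asked for that principal in the first place.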