[Samba] Error trying to access samba sharing using netbios name

Garcia JR garciajr at gmail.com
Tue Jul 14 16:24:36 UTC 2020


I am getting this error in smbd.log when a user tries to open a share from a
Windows box:

gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/mymember.my.domain.tld at MY.DOMAIN.TLD(kvno 58) in keytab
MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

I searched Google and this mailing list before posting this message. I found
some similar issues, where the solution seems to be adding
‘cifs/mymember.my.domain.tld at MY.DOMAIN.TLD’ to the keytab file. In my case,
it was already there, as you can see below.

The error message refers to kvno 58, while in my keytab it is 64; I am not
sure whether that is related. Is there a way to reset the key from
memory? I tried restarting smbd and winbindd, but no luck.

The same share can be accessed if I use the IP address instead.

###########################################
smb.conf
###########################################
; [global] section of the smb.conf as posted: an AD domain member
; (security = ADS) in realm MY.DOMAIN.TLD. A few long values (socket options,
; remote announce, remote browse sync, hosts allow) appear to have been
; line-wrapped in the mail and are kept exactly as posted.
[global]
        netbios name = mymember
        server string = File Server in %L
workgroup = accent
security = ADS
realm = MY.DOMAIN.TLD
password server = mad
encrypt passwords = true
; NOTE(review): per smb.conf(5), "dedicated keytab file" is the path used when
; kerberos method is "dedicated keytab". With "secrets and keytab" (set below)
; tickets are checked against secrets.tdb first and then the system keytab --
; confirm which keytab smbd is actually reading.
; NOTE(review): the klist output in this post lists des-cbc-crc, des-cbc-md5 and
; arcfour-hmac keys in /etc/krb5.keytab; these are legacy enctypes -- check
; whether they are still required.
dedicated keytab file = /etc/krb5.keytab
; NOTE(review): the smbd log in this post looks up kvno 58 in
; MEMORY:cifs_srv_keytab while klist shows kvno 64 on disk. A kvno mismatch
; usually means the ticket was issued for a different version of the machine
; account key than the one held locally -- verify that secrets.tdb, the keytab
; and the domain controller agree.
kerberos method = secrets and keytab

; Default ("*") domain uses the tdb backend with IDs 5000-9999; the SAMDOM
; domain uses the ad backend with rfc2307 attributes and IDs 10000-99999.
; NOTE(review): the domain name here is SAMDOM while workgroup above is
; "accent"; confirm the name matches the real domain (may be redaction).
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-99999

  ; NOTE(review): caps protocol negotiation at SMB2, so SMB3-only features
  ; such as SMB encryption cannot be negotiated -- confirm this is intended.
  max protocol = SMB2

  winbind nss info = rfc2307
  winbind trusted domains only = no
winbind use default domain = yes
winbind separator = +
winbind enum users  = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind cache time = 60


        ; misc options
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
SO_RCVBUF=8192
        time server = yes

        ; do not show files starting with dots
        hide dot files = yes

        ; do not allow guest access, use only local system accounts
        guest ok = no

        ; log (max log size in kB)
        log level = 1
        ; higher-verbosity alternative, left commented out
        #log level = 3 passdb:5 auth:10 winbind:10
        log file = /var/log/samba/log.%L
        max log size = 10000
        debug timestamp = yes
        #syslog = 1

remote announce = 192.168.0.0/24 172.16.170.0/24 192.168.150.0/24
172.17.0.0/24
    remote browse sync = 192.168.0.0/24 192.168.150.0/24 172.16.170.0/24
172.17.0.0/24

; Connections are accepted only from loopback and the listed subnets.
hosts allow = 127.0.0.1 192.168.0.0/24 192.168.150.0/24 172.16.170.0/24
172.17.0.0/24

; PAM account and session restrictions are not applied to connections.
obey pam restrictions = no

###########################################
## KEY TAB FILE

$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
  64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (des-cbc-crc)
  64 cifs/mymember at MY.DOMAIN.TLD (des-cbc-crc)
  64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (des-cbc-md5)
  64 cifs/mymember at MY.DOMAIN.TLD (des-cbc-md5)
  64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 cifs/mymember at MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 cifs/mymember at MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (arcfour-hmac)
  64 cifs/mymember at MY.DOMAIN.TLD (arcfour-hmac)
  64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (des-cbc-crc)
  64 host/mymember at MY.DOMAIN.TLD (des-cbc-crc)
  64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (des-cbc-md5)
  64 host/mymember at MY.DOMAIN.TLD (des-cbc-md5)
  64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 host/mymember at MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 host/mymember at MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (arcfour-hmac)
  64 host/mymember at MY.DOMAIN.TLD (arcfour-hmac)
  64 MYMEMBER$@MY.DOMAIN.TLD (des-cbc-crc)
  64 MYMEMBER$@MY.DOMAIN.TLD (des-cbc-md5)
  64 MYMEMBER$@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 MYMEMBER$@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 MYMEMBER$@MY.DOMAIN.TLD (arcfour-hmac)

-- 
Garcia

