[Samba] Error trying to access samba sharing using netbios name

Garcia JR garciajr at gmail.com
Tue Jul 14 17:25:28 UTC 2020


I got it fixed now, so just for the record, in case someone faces the same
issue.

Leaving and rejoining the domain made the kvno reset to 2 (net ads leave /
net ads join).

Then I rebooted the Windows workstation, since it was still making
reference to the old kvno 58. On some other workstations, net use * /delete /y
and a remap did the trick.




On Tue, Jul 14, 2020 at 1:24 PM Garcia JR <garciajr at gmail.com> wrote:

> I am getting this error in smbd.log when a user tries to open a share from
> a Windows box:
>
> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/mymember.my.domain.tld at MY.DOMAIN.TLD(kvno 58) in
> keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>
> I have done some research on Google and in the mailing list before posting
> this message. I see some similar issues, where the solution seems to be adding
> ‘cifs/mymember.my.domain.tld at MY.DOMAIN.TLD’ to the keytab file. In my case,
> it was already there, as you can see below.
>
> In the error message I see it’s making reference to kvno 58; in my keytab it’s
> 64, not sure if it’s related or not. Is there a way to reset the key from
> memory? I tried to restart smbd and winbindd, but no luck.
>
> The same share can be accessed if I use the IP address instead.
>
> ###########################################
> smb.conf
> ###########################################
> [global]
>         netbios name = mymember
>         server string = File Server in %L
>         workgroup = accent
>         security = ADS
>         realm = MY.DOMAIN.TLD
>         password server = mad
>         encrypt passwords = true
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>
>         idmap config *:backend = tdb
>         idmap config *:range = 5000-9999
>         idmap config SAMDOM:backend = ad
>         idmap config SAMDOM:schema_mode = rfc2307
>         idmap config SAMDOM:range = 10000-99999
>
>         max protocol = SMB2
>
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind separator = +
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind refresh tickets = yes
>         winbind cache time = 60
>
>         ; misc options
>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>         time server = yes
>
>         ; do not show files starting with dots
>         hide dot files = yes
>
>         ; do not allow guest access, use only local system accounts
>         guest ok = no
>
>         ; log (max log size in kB)
>         log level = 1
>         #log level = 3 passdb:5 auth:10 winbind:10
>         log file = /var/log/samba/log.%L
>         max log size = 10000
>         debug timestamp = yes
>         #syslog = 1
>
>         remote announce = 192.168.0.0/24 172.16.170.0/24 192.168.150.0/24 172.17.0.0/24
>         remote browse sync = 192.168.0.0/24 192.168.150.0/24 172.16.170.0/24 172.17.0.0/24
>
>         hosts allow = 127.0.0.1 192.168.0.0/24 192.168.150.0/24 172.16.170.0/24 172.17.0.0/24
>
>         obey pam restrictions = no
>
> ###########################################
> ## KEY TAB FILE
>
> $ klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (des-cbc-crc)
>   64 cifs/mymember at MY.DOMAIN.TLD (des-cbc-crc)
>   64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (des-cbc-md5)
>   64 cifs/mymember at MY.DOMAIN.TLD (des-cbc-md5)
>   64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 cifs/mymember at MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 cifs/mymember at MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (arcfour-hmac)
>   64 cifs/mymember at MY.DOMAIN.TLD (arcfour-hmac)
>   64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (des-cbc-crc)
>   64 host/mymember at MY.DOMAIN.TLD (des-cbc-crc)
>   64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (des-cbc-md5)
>   64 host/mymember at MY.DOMAIN.TLD (des-cbc-md5)
>   64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 host/mymember at MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 host/mymember at MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 host/mymember.my.domain.tld at MY.DOMAIN.TLD (arcfour-hmac)
>   64 host/mymember at MY.DOMAIN.TLD (arcfour-hmac)
>   64 MYMEMBER$@MY.DOMAIN.TLD (des-cbc-crc)
>   64 MYMEMBER$@MY.DOMAIN.TLD (des-cbc-md5)
>   64 MYMEMBER$@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 MYMEMBER$@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 MYMEMBER$@MY.DOMAIN.TLD (arcfour-hmac)
>
> --
> Garcia
>


-- 
Garcia
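
As an added example (not part of the original post and not Samba project code), this script compares the kvno named in the smbd.log error quoted above with the kvnos listed by `klist -ke`, which is the 58 versus 64 mismatch described in the thread. The function names and the sample text are constructed, and the patterns assume the log and klist line shapes quoted in the message.

```python
import re

# Constructed sample input, modelled on the smbd.log line and `klist -ke`
# output quoted in the thread. The list archive shows "@" as " at ".
SAMPLE_LOG = (
    "gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
    "Failed to find cifs/mymember.my.domain.tld@MY.DOMAIN.TLD(kvno 58) in "
    "keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]"
)
SAMPLE_KLIST = """\
KVNO Principal
---- ----------------------------------------------------------
  64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 cifs/mymember.my.domain.tld at MY.DOMAIN.TLD (arcfour-hmac)
  64 MYMEMBER$@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
"""

FAIL_RE = re.compile(r"Failed to find (\S+?)(?:@| at )([^\s(]+)\(kvno (\d+)\) "
                     r"in keytab \S+ \(([\w-]+)\)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)(?:@| at )(\S+)\s+\(([\w-]+)\)\s*$")


def parse_keytab(klist_text):
    """Map (principal, enctype) -> set of kvnos present in `klist -ke` output."""
    keys = {}
    for line in klist_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, name, realm, enc = m.groups()
            keys.setdefault((f"{name}@{realm}", enc), set()).add(int(kvno))
    return keys


def diagnose(log_text, klist_text):
    """Return (principal, enctype, wanted_kvno, verdict) per failed lookup."""
    keys = parse_keytab(klist_text)
    results = []
    # Collapse whitespace first: the log line may be wrapped, as in the mail.
    for name, realm, kvno, enc in FAIL_RE.findall(" ".join(log_text.split())):
        princ, wanted = f"{name}@{realm}", int(kvno)
        have = keys.get((princ, enc))
        if have is None:
            verdict = "principal/enctype not in keytab"
        elif wanted in have:
            verdict = "key present"
        else:
            verdict = f"kvno mismatch: keytab has {sorted(have)}"
        results.append((princ, enc, wanted, verdict))
    return results


if __name__ == "__main__":
    for row in diagnose(SAMPLE_LOG, SAMPLE_KLIST):
        print(row)
```

On a member server the two inputs would be the relevant smbd log excerpt and the text printed by `klist -ke`.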

