[Samba] Issue with Keytab memory

Rowland penny rpenny at samba.org
Thu Jul 23 11:05:24 UTC 2020


On 23/07/2020 11:28, Georg.Biberger--- via samba wrote:
> Hello,
>
> I am using Samba as file server as member of a windows domain.
> Kerberos is configured with        kerberos method = secrets and keytab
>
> Currently some (not all) users get issues when connecting to samba shares from windows.
> In the corresponding samba logs I found entries:
> ....
> [2020/07/23 12:08:06.697678,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/lpeda1.muc at EUROPE.BMW.CORP(kvno 26) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2020/07/23 12:08:06.698028,  1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> ...
>
> But when I run
> net ads keytab list| fgrep 26 | fgrep cifs/lpeda1.muc at EUROPE.BMW.CORP | fgrep aes256-cts-hmac-sha1-96
> I get the output
> 26  aes256-cts-hmac-sha1-96                     cifs/lpeda1.muc at EUROPE.BMW.CORP<mailto:cifs/lpeda1.muc at EUROPE.BMW.CORP>
>
> So the entry is available in Kerberos keytab, but why does samba fail to find this entry? And why does it work for most users and  only some users have this issue?
>
> I have restarted samba and cleared all caches, but this does not help.
>
> Kind regards
>
> Georg

'secrets and keytab' means look in secrets.tdb first, then in the system 
keytab.

It looks like the required key isn't in the keytab.

What OS is this ?

What Samba version ?

Can you please post your smb.conf.

Rowland





More information about the samba mailing list