[Samba] Kerberos problems with only some servers
L.P.H. van Belle
belle at bazuin.nl
Thu Apr 29 08:29:38 UTC 2021
Is time in sync?
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Arne
> Zachlod via samba
> Sent: Thursday 29 April 2021 10:08
> To: samba
> Subject: [Samba] Kerberos problems with only some servers
>
> Hi,
>
> I have a weird Kerberos problem (I think) that pretty much came overnight.
>
> I have a domain with multiple DCs (Debian/Samba 4.11), all in different
> AD Sites. Replication works according to 'samba-tool drs showrepl'.
>
> In the sites I have Linux based fileservers as domain members and
> Windows based clients. Somehow, it's not possible anymore to log into
> some of the file servers. On Windows, the client just asks for username
> + password, and if you give both, it won't get accepted.
>
> On the file server, I get these log entries:
>
> [2021/04/29 09:39:37.439432, 1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
> [2021/04/29 09:39:37.439817, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>
> wbinfo -u also returns empty on the file server, but not on any of the
> DCs. I'm a bit puzzled and don't really know what to do / how to debug.
> Has anyone any idea how to debug this situation any further?
>
> - Arne
>
> ====== krb5.conf - same on all servers
>
> [libdefaults]
> default_realm = INT.SAMDOM.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> ====== smb.conf for the DC ========
>
> # Global parameters
> [global]
> workgroup = SAMDOM
> realm = int.samdom.de
> netbios name = ADDC08
> server role = active directory domain controller
> dns forwarder = 10.1.1.1
> idmap_ldb:use rfc2307 = yes
> server signing = Auto
> allow dns updates = nonsecure
>
> [netlogon]
> path = /var/lib/samba/sysvol/int.samdom.de/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> ===== smb.conf on one of the FS ====
>
> [global]
> netbios name = ADFS01
> security = ADS
> workgroup = SAMDOM
> realm = INT.SAMDOM.DE
>
> logfile = /var/log/samba/%m.log
> log level = 1
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SAMDOM
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>
> # fileshare options
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # test share
>
> [test]
> path = /srv/samba/test
> read only = no
>
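As an added diagnostic helper (not code from the thread), a POSIX shell script for the member file server that answers the reply's question about clock skew against the DC and tallies the "Decrypt integrity check failed" entries from Samba's logs by checksum and key type. It assumes GNU `date -d`, the Samba `net` and `klist` tools, and a placeholder DC hostname built from the netbios name and realm in the quoted smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the member server (ADFS01 in
# the thread) as `sh kerb-check.sh run`. Assumes GNU date and Samba's net/klist.
KRB_MAX_SKEW=300   # MIT Kerberos default clockskew tolerance, in seconds

# Absolute difference between two epoch timestamps (pure, network-free).
skew_seconds() {
    if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 )); else echo $(( $2 - $1 )); fi
}

# Succeeds when the skew between two epoch timestamps is within the limit.
within_clockskew() {
    [ "$(skew_seconds "$1" "$2")" -le "${3:-$KRB_MAX_SKEW}" ]
}

# Reads Samba log text on stdin and prints "<checksum type> <key type>" for
# every "Decrypt integrity check failed" message, as in the quoted gse.c line.
decrypt_failure_types() {
    sed -n 's/.*Decrypt integrity check failed for checksum type \([^,]*\), key type \([^]]*\)].*/\1 \2/p'
}

# Network-dependent part: only runs when invoked with the "run" argument.
case "${1:-}" in
run)
    dc=${DC_HOST:-addc08.int.samdom.de}       # placeholder DC FQDN
    logdir=${SAMBA_LOGDIR:-/var/log/samba}    # matches "logfile" in smb.conf
    now=$(date +%s)
    dc_time=$(net time -S "$dc")              # Samba's own query of the DC clock
    echo "local time: $(date -u -d "@$now")"
    echo "DC time:    $dc_time"
    if dc_epoch=$(date -d "$dc_time" +%s 2>/dev/null); then
        skew=$(skew_seconds "$now" "$dc_epoch")
        if within_clockskew "$now" "$dc_epoch"; then
            echo "clock skew ${skew}s: within ${KRB_MAX_SKEW}s"
        else
            echo "clock skew ${skew}s: EXCEEDS ${KRB_MAX_SKEW}s, fix NTP first"
        fi
    fi
    echo "--- keytab named by 'dedicated keytab file' ---"
    klist -k /etc/krb5.keytab
    echo "--- domain membership ---"
    net ads testjoin
    echo "--- decrypt failures per (checksum type, key type) in $logdir ---"
    cat "$logdir"/*.log | decrypt_failure_types | sort | uniq -c
    ;;
esac
```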