[Samba] Kerberos problems with only some servers

L.P.H. van Belle belle at bazuin.nl
Thu Apr 29 08:29:38 UTC 2021


Is time in sync? 


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Arne Zachlod via samba
> Sent: Thursday, 29 April 2021 10:08
> To: samba
> Subject: [Samba] Kerberos problems with only some servers
> 
> Hi,
> 
> I have a weird Kerberos problem (I think) that pretty much 
> came over night.
> 
> I have a domain with multiple DCs (Debian/Samba 4.11), all in different
> AD Sites. Replication works according to 'samba-tool drs showrepl'.
> 
> In the sites I have Linux based fileservers as domain members and
> Windows based clients. Somehow, it's not possible anymore to log into
> some of the file servers. On Windows, the client just asks for username
> + password, and if you give both, it won't get accepted.
> 
> On the file server, I get these log entries:
> 
> [2021/04/29 09:39:37.439432,  1] 
> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>    gss_accept_sec_context failed with [ Miscellaneous failure (see 
> text): Decrypt integrity check failed for checksum type 
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
> [2021/04/29 09:39:37.439817,  1] 
> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>    SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> 
> wbinfo -u also returns empty on the file server, but not on any of the
> DCs. I'm a bit puzzled and don't really know what to do / how to debug.
> Has anyone any idea how to debug this situation any further?
> 
> - Arne
> 
> ====== krb5.conf - same on all servers
> 
> [libdefaults]
> 	default_realm = INT.SAMDOM.DE
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
> ====== smb.conf for the DC ========
> 
> # Global parameters
> [global]
> 	workgroup = SAMDOM
> 	realm = int.samdom.de
> 	netbios name = ADDC08
> 	server role = active directory domain controller
> 	dns forwarder = 10.1.1.1
> 	idmap_ldb:use rfc2307 = yes
> 	server signing = Auto
> 	allow dns updates = nonsecure
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/int.samdom.de/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> ===== smb.conf on one of the FS ====
> 
> [global]
> 	netbios name = ADFS01
> 	security = ADS
> 	workgroup = SAMDOM
> 	realm = INT.SAMDOM.DE
> 
> 	logfile = /var/log/samba/%m.log
> 	log level = 1
> 
> 	idmap config *:backend = tdb
> 	idmap config *:range = 2000-9999
> 
> 	# idmap config for domain SAMDOM
> 	idmap config SAMDOM:backend = ad
> 	idmap config SAMDOM:schema_mode = rfc2307
> 	idmap config SAMDOM:range = 10000-99999
> 
> 	# Use settings from AD for login shell and home directory
> 	winbind nss info = rfc2307
> 	
> 	winbind enum users = yes
> 	winbind enum groups = yes
> 	winbind use default domain = yes
> 	winbind refresh tickets = yes
> 
> 	kerberos method = secrets and keytab
> 	dedicated keytab file = /etc/krb5.keytab
> 
> 	# fileshare options
> 	vfs objects = acl_xattr
> 	map acl inherit = yes
> 	store dos attributes = yes
> 
> # test share
> 
> [test]
> 	path = /srv/samba/test
> 	read only = no
> 
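Two checks that follow from the reply and from the quoted log line, written as an added example rather than code from either poster or from the Samba project: a clock-offset check against the Kerberos default skew tolerance, and a listing of the key version numbers and encryption types the member's keytab holds for its host principal (the quoted error names aes256-cts-hmac-sha1-96). It assumes chrony is the NTP client (`chronyc tracking`) and MIT-style `klist -ke` output; Heimdal and `net ads keytab list` print a different layout. The host name, realm and sample outputs are constructed from the thread's configuration so the script runs offline.

```shell
#!/bin/sh
# Added diagnostic helpers for the failure quoted in this thread (example code,
# not from the poster or the Samba project). Inputs are parsed from text so the
# helpers can be exercised offline; the sample outputs below are constructed.

# Kerberos tolerates this much clock difference by default (krb5 "clockskew").
MAX_SKEW=300

# chrony_offset_ok OUTPUT
#   Reads the "System time" line of `chronyc tracking` output and returns
#   0 when the absolute offset is within MAX_SKEW seconds, 1 when it is not,
#   2 when the line is missing (chrony not running / not installed).
chrony_offset_ok() {
    _off=$(printf '%s\n' "$1" | awk -F: '/^System time/ { split($2, f, " "); print f[1] }')
    [ -n "$_off" ] || return 2
    awk -v o="$_off" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

# keytab_kvno OUTPUT PRINCIPAL
#   Prints the distinct key version numbers that MIT-style `klist -ke` output
#   lists for PRINCIPAL. A kvno that differs from what the working file servers
#   and the DCs hold points at a stale keytab on this member.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' | sort -u
}

# keytab_enctypes OUTPUT PRINCIPAL
#   Prints the distinct encryption types present for PRINCIPAL; the log line
#   in the thread names aes256-cts-hmac-sha1-96, so that one should be present.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $3 }' | sort -u
}

# --- constructed sample data, shaped like the real commands' output ---
SAMPLE_CHRONY_OK='Reference ID    : 0A010101 (addc08.int.samdom.de)
Stratum         : 3
System time     : 0.000431205 seconds fast of NTP time
Leap status     : Normal'

SAMPLE_CHRONY_BAD='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 412.117 seconds slow of NTP time
Leap status     : Not synchronised'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/adfs01.int.samdom.de@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)
   2 host/adfs01.int.samdom.de@INT.SAMDOM.DE (aes128-cts-hmac-sha1-96)
   2 ADFS01$@INT.SAMDOM.DE (aes256-cts-hmac-sha1-96)
   1 ADFS01$@INT.SAMDOM.DE (arcfour-hmac)'

HOST_PRINC='host/adfs01.int.samdom.de@INT.SAMDOM.DE'

# Report on the sample data; on a real member feed in the live output of
#   chronyc tracking          and          klist -ke /etc/krb5.keytab
if chrony_offset_ok "$SAMPLE_CHRONY_OK"; then
    echo "clock: within ${MAX_SKEW}s of NTP time"
else
    echo "clock: OUT OF SYNC - fix NTP before debugging Kerberos further"
fi
echo "keytab kvno for $HOST_PRINC: $(keytab_kvno "$SAMPLE_KLIST" "$HOST_PRINC" | tr '\n' ' ')"
echo "keytab enctypes for $HOST_PRINC: $(keytab_enctypes "$SAMPLE_KLIST" "$HOST_PRINC" | tr '\n' ' ')"
```

Run it on the failing file server with the live command output substituted for the samples, then repeat on one of the file servers that still accepts logins: a clock offset beyond the skew window answers the reply's question directly, and a kvno or enctype set that differs between the two members is the next thing to compare against the DCs.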