[Samba] Kerberos problems with only some servers
L.P.H. van Belle
belle at bazuin.nl
Thu Apr 29 08:57:08 UTC 2021
Hmm, config looks ok from what I see below.
Can you run this:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
And post the content; if you anonymize it, keep structures/caps as they are.
Like INTERNAL.REALM.TLD or WORKGROUP
I'm on the road in a few minutes, so I will reply later.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Arne
> Zachlod via samba
> Sent: Thursday 29 April 2021 10:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos problems with only some servers
>
> Yes, time is OK:
>
> root at adfs01:~# date -R
> Thu, 29 Apr 2021 10:33:37 +0200
>
> root at addc08:~# date -R
> Thu, 29 Apr 2021 10:33:47 +0200
>
> On 4/29/21 10:29 AM, L.P.H. van Belle via samba wrote:
> > Is time in sync?
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Arne
> >> Zachlod via samba
> >> Sent: Thursday 29 April 2021 10:08
> >> To: samba
> >> Subject: [Samba] Kerberos problems with only some servers
> >>
> >> Hi,
> >>
> >> I have a weird Kerberos problem (I think) that pretty much
> >> came overnight.
> >>
> >> I have a domain with multiple DCs (Debian/Samba 4.11), all in
> >> different AD Sites. Replication works according to 'samba-tool drs showrepl'.
> >>
> >> In the sites I have Linux based fileservers as domain members and
> >> Windows based clients. Somehow, it's not possible anymore to log into
> >> some of the file servers. On Windows, the client just asks
> >> for username + password, and if you give both, it won't get accepted.
> >>
> >> On the file server, I get these log entries:
> >>
> >> [2021/04/29 09:39:37.439432, 1]
> >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
> >> gss_accept_sec_context failed with [ Miscellaneous failure (see
> >> text): Decrypt integrity check failed for checksum type
> >> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
> >> [2021/04/29 09:39:37.439817, 1]
> >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
> >> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> >>
> >> wbinfo -u also returns empty on the file server, but not on
> >> any of the DCs. I'm a bit puzzled and don't really know what to do / how
> >> to debug.
> >> Has anyone any idea how to debug this situation any further?
> >>
> >> - Arne
> >>
> >> ====== krb5.conf - same on all servers
> >>
> >> [libdefaults]
> >> default_realm = INT.SAMDOM.DE
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >>
> >> ====== smb.conf for the DC ========
> >>
> >> # Global parameters
> >> [global]
> >> workgroup = SAMDOM
> >> realm = int.samdom.de
> >> netbios name = ADDC08
> >> server role = active directory domain controller
> >> dns forwarder = 10.1.1.1
> >> idmap_ldb:use rfc2307 = yes
> >> server signing = Auto
> >> allow dns updates = nonsecure
> >>
> >> [netlogon]
> >> path = /var/lib/samba/sysvol/int.samdom.de/scripts
> >> read only = No
> >>
> >> [sysvol]
> >> path = /var/lib/samba/sysvol
> >> read only = No
> >>
> >> ===== smb.conf on one of the FS ====
> >>
> >> [global]
> >> netbios name = ADFS01
> >> security = ADS
> >> workgroup = SAMDOM
> >> realm = INT.SAMDOM.DE
> >>
> >> logfile = /var/log/samba/%m.log
> >> log level = 1
> >>
> >> idmap config *:backend = tdb
> >> idmap config *:range = 2000-9999
> >>
> >> # idmap config for domain SAMDOM
> >> idmap config SAMDOM:backend = ad
> >> idmap config SAMDOM:schema_mode = rfc2307
> >> idmap config SAMDOM:range = 10000-99999
> >>
> >> # Use settings from AD for login shell and home directory
> >> winbind nss info = rfc2307
> >>
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> winbind use default domain = yes
> >> winbind refresh tickets = yes
> >>
> >> kerberos method = secrets and keytab
> >> dedicated keytab file = /etc/krb5.keytab
> >>
> >> # fileshare options
> >> vfs objects = acl_xattr
> >> map acl inherit = yes
> >> store dos attributes = yes
> >>
> >> # test share
> >>
> >> [test]
> >> path = /srv/samba/test
> >> read only = no
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> >
>
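The log lines Arne quoted are in Samba's standard debug format: a header of the form `[date time, level] file:line(function)` followed by an indented message, which mail clients often wrap onto extra lines. The Python below is an added example for readers of this thread; it is not part of the original posts and not a Samba tool. It parses such a log (tolerating a header that was wrapped after the `]`), then summarises every GSSAPI accept failure together with the checksum/key type named in the "Decrypt integrity check failed" text and the NT_STATUS code Samba mapped it to. The sample log is constructed from the quoted lines plus one unrelated entry to show that ordinary messages are left alone. The key type it reports is what a practitioner would compare against the entries in the member server's keytab (`/etc/krb5.keytab`, the `dedicated keytab file` in the FS smb.conf), since the server can only verify a service ticket with a key of the enctype and version the ticket was issued for.

```python
"""Parse Samba debug-log lines and summarise Kerberos/GSSAPI accept failures.

Added example for the thread above; not Samba's own code.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two entries quoted in the thread (one with the
# message wrapped by the mail client) plus one unrelated, wrapped-header entry.
SAMPLE_LOG = """\
[2021/04/29 09:39:37.439432,  1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see
  text): Decrypt integrity check failed for checksum type
  hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
[2021/04/29 09:39:37.439817,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2021/04/29 09:40:02.000001,  1]
../source3/smbd/service.c:123(make_connection_snum)
  constructed: unrelated entry whose header was wrapped by the mail client
"""

# "[YYYY/MM/DD HH:MM:SS.uuuuuu,  level]" optionally followed by the location.
TS_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<rest>.*)$"
)
# "file:line(function)" as Samba prints it after the timestamp.
LOC_RE = re.compile(r"^(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")

GSS_FAIL_RE = re.compile(r"gss_accept_sec_context failed with \[\s*(?P<detail>.*?)\s*\]")
KEYTYPE_RE = re.compile(r"checksum type (?P<cksum>[\w-]+), key type (?P<enctype>[\w-]+)")
NTSTATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


@dataclass
class Entry:
    ts: str
    level: int
    func: str = ""
    message: str = ""


def parse_samba_log(text):
    """Group log lines into entries; the location may sit on the header line or the next."""
    entries = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            cur = Entry(m["ts"], int(m["level"]))
            entries.append(cur)
            loc = LOC_RE.match(m["rest"])
            if loc:
                cur.func = loc["func"]
            continue
        if cur is None:  # text before the first header: ignore
            continue
        loc = LOC_RE.match(line)
        if loc and not cur.func:  # wrapped header: location on its own line
            cur.func = loc["func"]
        else:  # continuation of the (possibly wrapped) message
            cur.message = (cur.message + " " + line).strip()
    return entries


def kerberos_failures(entries):
    """Summarise GSSAPI accept failures and count the NT_STATUS codes seen."""
    report = {"gss_failures": [], "nt_status": Counter()}
    for e in entries:
        m = GSS_FAIL_RE.search(e.message)
        if m:
            detail = m["detail"]
            kt = KEYTYPE_RE.search(detail)
            report["gss_failures"].append({
                "ts": e.ts,
                "func": e.func,
                "integrity_check_failed": "Decrypt integrity check failed" in detail,
                "checksum": kt["cksum"] if kt else None,
                "enctype": kt["enctype"] if kt else None,
            })
        for status in NTSTATUS_RE.findall(e.message):
            report["nt_status"][status] += 1
    return report


if __name__ == "__main__":
    summary = kerberos_failures(parse_samba_log(SAMPLE_LOG))
    for f in summary["gss_failures"]:
        print(f"{f['ts']} {f['func']}: integrity check failed={f['integrity_check_failed']}, "
              f"key type={f['enctype']}, checksum={f['checksum']}")
    for status, n in summary["nt_status"].items():
        print(f"{status}: {n}")
```

Run it against `/var/log/samba/<client>.log` from the file server (the `logfile = /var/log/samba/%m.log` setting in the FS smb.conf) to see which enctype the failing tickets were issued for; if a key of that type is missing from the keytab, or its version is older than the machine account's, the integrity check on the ticket cannot succeed.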