[Samba] Kerberos problems with only some servers

L.P.H. van Belle belle at bazuin.nl
Thu Apr 29 08:57:08 UTC 2021


Hmm, config looks OK from what I see below.

Can you run this:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 

And post the content; if you anonymize it, keep the structure/caps as they are,
like INTERNAL.REALM.TLD or WORKGROUP.

I'm on the road in a few minutes, so I will reply later.


Greetz, 

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Arne 
> Zachlod via samba
> Sent: Thursday, 29 April 2021 10:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos problems with only some servers
> 
> Yes, time is OK:
> 
> root at adfs01:~# date -R
> Thu, 29 Apr 2021 10:33:37 +0200
> 
> root at addc08:~# date -R
> Thu, 29 Apr 2021 10:33:47 +0200
> 
> On 4/29/21 10:29 AM, L.P.H. van Belle via samba wrote:
> > Is time in sync?
> > 
> > 
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Arne
> >> Zachlod via samba
> >> Sent: Thursday, 29 April 2021 10:08
> >> To: samba
> >> Subject: [Samba] Kerberos problems with only some servers
> >>
> >> Hi,
> >>
> >> I have a weird Kerberos problem (I think) that pretty much
> >> came overnight.
> >>
> >> I have a domain with multiple DCs (Debian/Samba 4.11), all in
> >> different AD sites. Replication works according to 'samba-tool drs showrepl'.
> >>
> >> In the sites I have Linux-based file servers as domain members and
> >> Windows-based clients. Somehow, it's not possible anymore to log into
> >> some of the file servers. On Windows, the client just asks
> >> for username + password, and if you give both, it won't get accepted.
> >>
> >> On the file server, I get these log entries:
> >>
> >> [2021/04/29 09:39:37.439432,  1]
> >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
> >>     gss_accept_sec_context failed with [ Miscellaneous failure (see
> >> text): Decrypt integrity check failed for checksum type
> >> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
> >> [2021/04/29 09:39:37.439817,  1]
> >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
> >>     SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> >>
> >> wbinfo -u also returns empty on the file server, but not on
> >> any of the DCs. I'm a bit puzzled and don't really know what to do
> >> or how to debug.
> >> Has anyone any idea how to debug this situation any further?
> >>
> >> - Arne
> >>
> >> ====== krb5.conf - same on all servers
> >>
> >> [libdefaults]
> >> 	default_realm = INT.SAMDOM.DE
> >> 	dns_lookup_realm = false
> >> 	dns_lookup_kdc = true
> >>
> >> ====== smb.conf for the DC ========
> >>
> >> # Global parameters
> >> [global]
> >> 	workgroup = SAMDOM
> >> 	realm = int.samdom.de
> >> 	netbios name = ADDC08
> >> 	server role = active directory domain controller
> >> 	dns forwarder = 10.1.1.1
> >> 	idmap_ldb:use rfc2307 = yes
> >> 	server signing = Auto
> >> 	allow dns updates = nonsecure
> >>
> >> [netlogon]
> >> 	path = /var/lib/samba/sysvol/int.samdom.de/scripts
> >> 	read only = No
> >>
> >> [sysvol]
> >> 	path = /var/lib/samba/sysvol
> >> 	read only = No
> >>
> >> ===== smb.conf on one of the FS ====
> >>
> >> [global]
> >> 	netbios name = ADFS01
> >> 	security = ADS
> >> 	workgroup = SAMDOM
> >> 	realm = INT.SAMDOM.DE
> >>
> >> 	logfile = /var/log/samba/%m.log
> >> 	log level = 1
> >>
> >> 	idmap config *:backend = tdb
> >> 	idmap config *:range = 2000-9999
> >>
> >> 	# idmap config for domain SAMDOM
> >> 	idmap config SAMDOM:backend = ad
> >> 	idmap config SAMDOM:schema_mode = rfc2307
> >> 	idmap config SAMDOM:range = 10000-99999
> >>
> >> 	# Use settings from AD for login shell and home directory
> >> 	winbind nss info = rfc2307
> >> 	
> >> 	winbind enum users = yes
> >> 	winbind enum groups = yes
> >> 	winbind use default domain = yes
> >> 	winbind refresh tickets = yes
> >>
> >> 	kerberos method = secrets and keytab
> >> 	dedicated keytab file = /etc/krb5.keytab
> >>
> >> 	# fileshare options
> >> 	vfs objects = acl_xattr
> >> 	map acl inherit = yes
> >> 	store dos attributes = yes
> >>
> >> # test share
> >>
> >> [test]
> >> 	path = /srv/samba/test
> >> 	read only = no
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> > 
> > 
> 
> 
> 
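A small triage helper for the failure Arne describes, added here as an example; it is not code from the thread or from Samba. It parses Samba log lines in the format shown above (a "[timestamp, level] file:line(function)" header followed by an indented message), flags the gss_accept_sec_context "Decrypt integrity check failed" condition, and compares the kvno values in "klist -k" output with the msDS-KeyVersionNumber of the computer account in AD. One common cause of that error on a member server is a keytab whose keys are older than the machine account's current password (the kvno no longer matches), so the DC issues service tickets the member cannot decrypt. The log lines, the klist output (MIT layout, kvno 3) and the AD kvno of 4 are constructed sample data; the function names are my own.

```python
"""Triage helper for Samba GSSAPI accept failures (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two lines from the post plus one benign connection line.
SAMPLE_LOG = """\
[2021/04/29 09:39:37.439432,  1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
[2021/04/29 09:39:37.439817,  1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2021/04/29 09:40:01.000000,  2] ../source3/smbd/service.c:100(make_connection_snum)
  adfs01 (ipv4:10.0.0.5:49152) connect to service test initially as user alice
"""

# Constructed sample: what "klist -k" on the member server might print (MIT layout).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/adfs01.int.samdom.de@INT.SAMDOM.DE
   3 ADFS01$@INT.SAMDOM.DE
"""

# Samba log header: "[YYYY/MM/DD HH:MM:SS.micro,  LEVEL] path/file.c:LINE(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$"
)
DECRYPT_RE = re.compile(r"Decrypt integrity check failed.*key type (?P<enctype>[\w-]+)")
# One keytab entry: leading kvno, anything (Heimdal prints the enctype here), then principal.
KEYTAB_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+.*?(?P<princ>\S+@\S+)\s*$")


@dataclass
class LogRecord:
    timestamp: str
    level: int
    file: str
    function: str
    message: str


@dataclass
class Finding:
    kind: str
    detail: str
    record: LogRecord


def parse_samba_log(text: str) -> List[LogRecord]:
    """Group each header line with its indented continuation line(s)."""
    records: List[LogRecord] = []
    current: Optional[LogRecord] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = LogRecord(m["ts"], int(m["level"]), m["file"], m["func"], "")
            records.append(current)
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    return records


def triage(text: str) -> List[Finding]:
    """Classify GSSAPI/SPNEGO failures; the decrypt-integrity case points at the keytab."""
    findings: List[Finding] = []
    for rec in parse_samba_log(text):
        if "gss_accept_sec_context failed" in rec.message:
            m = DECRYPT_RE.search(rec.message)
            if m:
                findings.append(Finding(
                    "stale_keytab_suspected",
                    f"service ticket was encrypted with a {m['enctype']} key this host cannot "
                    "verify; compare keytab kvno with msDS-KeyVersionNumber of the computer object",
                    rec))
            elif "Clock skew" in rec.message:
                findings.append(Finding("clock_skew", "check time sync against the DCs", rec))
            else:
                findings.append(Finding("gssapi_accept_failed", rec.message, rec))
        elif "NEG_TOKEN_INIT failed" in rec.message:
            findings.append(Finding("spnego_failed", "consequence of the GSSAPI failure above", rec))
    return findings


def keytab_kvnos(klist_output: str) -> Dict[str, int]:
    """Highest kvno present per principal in 'klist -k' output (MIT or Heimdal layout)."""
    out: Dict[str, int] = {}
    for line in klist_output.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            out[m["princ"]] = max(out.get(m["princ"], 0), int(m["kvno"]))
    return out


def kvno_mismatches(klist_output: str, ad_kvno: int) -> List[str]:
    """Principals whose newest keytab key does not match the kvno AD currently holds."""
    return sorted(p for p, k in keytab_kvnos(klist_output).items() if k != ad_kvno)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.record.timestamp} {f.kind}: {f.detail}")
    print("kvno mismatches vs AD kvno 4:", kvno_mismatches(SAMPLE_KLIST, 4))
```

To use it on a real member server, feed it the smbd log and the output of "klist -k" (or "net ads keytab list"), and take the AD-side kvno from the msDS-KeyVersionNumber attribute of the computer object; a mismatch means the keytab has to be regenerated (or the host rejoined), not that the DC is broken, which would also explain why wbinfo -u works on the DCs but not on the member.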