[Samba] Domain admin can't access share on samba dm-server
Stefan G. Weichinger
lists at xunil.at
Wed Dec 29 12:03:20 UTC 2021
windows2019 server, logged in as domain admin
accessing \\pre01svdeb01 fails, I see this in the samba logs:
[2021/12/29 12:57:54.754005, 1]
../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: gse_krb5: parsing
NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2021/12/29 12:57:54.769715, 1]
../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab
MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2021/12/29 12:57:54.769829, 1]
../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
googled, tried:
# net ads keytab add_update_ads cifs/pre01svdeb01@mydom.AT -U Administrator
Doesn't help
net ads keytab list
shows multiple lines containing "cifs/pre01svdeb01@mydom.AT"
also with "aes256-cts-hmac-sha1-96"
when I look closer there are 2 sets of lines, three in uppercase like:
2 aes256-cts-hmac-sha1-96 cifs/PRE01SVdeb01@MYDOM.AT
three in lower case:
2 aes256-cts-hmac-sha1-96 cifs/pre01svdeb01@MYDOM.AT
- what should I do?
This is samba Version 4.14.11-Debian.
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
load printers = No
log file = /var/log/samba/%m.log
logon home = ""
logon path = ""
map to guest = Bad User
max log size = 150000
netbios name = SERVER
printcap name = /dev/null
realm = MYDOM.AT
security = ADS
template homedir = /mnt/samba/Daten/%U
template shell = /bin/bash
username map = /etc/samba/smbusers
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = BUERO
full_audit:priority = notice
full_audit:facility = local5
full_audit:success = mkdir rmdir read pread write pwrite rename unlink
full_audit:failure = connect
full_audit:prefix = %u|%I|%m|%S
idmap config buero:range = 10000-99999
idmap config buero:backend = rid
idmap config *:range = 2000-9999
idmap config * : backend = tdb
hosts allow = localhost 192.168.16. 172.32.99.
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr
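
The gss_accept_sec_context error quoted in the post names a principal, a key version (kvno) and an encryption type, and the keytab listing starts each row with a key version. The following is an added example, not part of the original post and not Samba code, that compares the two. The sample input is constructed from the lines quoted in the post; the "Vno Type Principal" header row, the function names and the case-insensitive name comparison are assumptions.

```python
import re

# Constructed sample input, modelled on the log line and keytab rows quoted in the post.
LOG = """gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab
MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]"""
KEYTAB_LIST = """\
Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  cifs/PRE01SVdeb01@MYDOM.AT
  2  aes256-cts-hmac-sha1-96  cifs/pre01svdeb01@MYDOM.AT
"""

WANT_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab \S+ \(([^)]+)\)")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_wanted(log_text):
    """Return (principal, kvno, enctype) the acceptor looked for, or None."""
    m = WANT_RE.search(" ".join(log_text.split()))  # undo log/mail line wrapping
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def parse_keytab(listing):
    """Return [(kvno, enctype, principal)]; the header row has no leading number."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ROW_RE.match, listing.splitlines()) if m]

def diagnose(log_text, listing):
    """Say which part of the (principal, kvno, enctype) lookup has no keytab row."""
    wanted = parse_wanted(log_text)
    if wanted is None:
        return "no keytab lookup failure in log"
    principal, kvno, enctype = wanted
    # Assumption: compare names case-insensitively, since the quoted names vary in case.
    same_name = [e for e in parse_keytab(listing) if e[2].lower() == principal.lower()]
    if not same_name:
        return "principal missing from keytab"
    same_enc = [e for e in same_name if e[1] == enctype]
    if not same_enc:
        return "principal present, enctype %s missing" % enctype
    have = sorted({e[0] for e in same_enc})
    if kvno in have:
        return "matching entry present"
    return "kvno mismatch: log asks for kvno %d, keytab has %s" % (kvno, have)

if __name__ == "__main__":
    print(diagnose(LOG, KEYTAB_LIST))
```
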