[Samba] Domain admin can't access share on samba dm-server

Stefan G. Weichinger lists at xunil.at
Wed Dec 29 12:03:20 UTC 2021


windows2019 server, logged in as domain admin

accessing \\pre01svdeb01 fails, I see this in the samba logs:

[2021/12/29 12:57:54.754005,  1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2021/12/29 12:57:54.769715,  1] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2021/12/29 12:57:54.769829,  1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)

googled, tried:

# net ads keytab add_update_ads cifs/pre01svdeb01@mydom.AT -U Administrator

Doesn't help

net ads keytab list

shows multiple lines containing "cifs/pre01svdeb01@mydom.AT"

also with "aes256-cts-hmac-sha1-96"

when I look closer there are 2 sets of lines, three in uppercase like:

   2  aes256-cts-hmac-sha1-96                     cifs/PRE01SVdeb01@MYDOM.AT

three in lower case:

   2  aes256-cts-hmac-sha1-96                     cifs/pre01svdeb01@MYDOM.AT

- what should I do?

This is samba Version 4.14.11-Debian.

# Global parameters
[global]
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	load printers = No
	log file = /var/log/samba/%m.log
	logon home = ""
	logon path = ""
	map to guest = Bad User
	max log size = 150000
	netbios name = SERVER
	printcap name = /dev/null
	realm = MYDOM.AT
	security = ADS
	template homedir = /mnt/samba/Daten/%U
	template shell = /bin/bash
	username map = /etc/samba/smbusers
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = BUERO
	full_audit:priority = notice
	full_audit:facility = local5
	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
	full_audit:failure = connect
	full_audit:prefix = %u|%I|%m|%S
	idmap config buero:range = 10000-99999
	idmap config buero:backend = rid
	idmap config *:range = 2000-9999
	idmap config * : backend = tdb
	hosts allow = localhost 192.168.16. 172.32.99.
	map acl inherit = Yes
	printing = bsd
	vfs objects = acl_xattr
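
Added example, not part of the original post and not Samba code: one way to line up the key named in the gss_accept_sec_context error (principal, kvno, enctype) against the rows printed by "net ads keytab list". The sample input is constructed from the lines quoted above, with the archive's " at " written back as "@"; the header row, the aes128 row and all function names are assumptions made for illustration.

```python
import re

# Constructed sample input, assembled from the log line and keytab rows quoted
# in the post; the header row and the aes128 row are added for illustration.
LOG_LINE = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
            "Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab "
            "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")
KEYTAB_LIST = """\
Vno  Type                                        Principal
  2  aes256-cts-hmac-sha1-96                     cifs/PRE01SVdeb01@MYDOM.AT
  2  aes128-cts-hmac-sha1-96                     cifs/pre01svdeb01@MYDOM.AT
  2  aes256-cts-hmac-sha1-96                     cifs/pre01svdeb01@MYDOM.AT
"""

WANTED_RE = re.compile(
    r"Failed to find (\S+?)@(\S+?)\(kvno (\d+)\) in keytab \S+ \(([^)]+)\)")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)@(\S+)\s*$")

def parse_wanted(log_line):
    """Return the key the server looked for, or None if the line does not match."""
    m = WANTED_RE.search(log_line)
    if not m:
        return None
    name, realm, kvno, enctype = m.groups()
    return {"name": name, "realm": realm, "kvno": int(kvno), "enctype": enctype}

def parse_keytab(text):
    """Parse 'kvno enctype principal' rows; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            kvno, enctype, name, realm = m.groups()
            rows.append({"name": name, "realm": realm, "kvno": int(kvno), "enctype": enctype})
    return rows

def compare(wanted, rows):
    """For rows naming the same principal (ignoring case) with the wanted enctype,
    report spelling and kvno differences separately."""
    key = (wanted["name"].lower(), wanted["realm"].lower())
    return [{"principal": f'{r["name"]}@{r["realm"]}', "kvno": r["kvno"],
             "name_exact": r["name"] == wanted["name"],
             "realm_exact": r["realm"] == wanted["realm"],
             "kvno_match": r["kvno"] == wanted["kvno"]}
            for r in rows
            if r["enctype"] == wanted["enctype"]
            and (r["name"].lower(), r["realm"].lower()) == key]

if __name__ == "__main__":
    for finding in compare(parse_wanted(LOG_LINE), parse_keytab(KEYTAB_LIST)):
        print(finding)
```

On the sample input both aes256 rows are reported with kvno 2, while the log line asks for kvno 5.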




