[Samba] Domain admin can't access share on samba dm-server

Stefan G. Weichinger lists at xunil.at
Wed Dec 29 16:49:31 UTC 2021


On 29.12.21 at 15:07, L.P.H. van Belle via samba wrote:
> First..
> 
> Use FQDNs in your shares.

But ... it worked like this for years ;-)

> Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

I am not a guest, I am the domain admin in this context.

> klist -ke shows? Can you show the full output?

Here you are:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
    5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
    5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
    5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
    5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
    5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-crc)
    5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-md5)
    5 host/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
    5 host/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
    5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-crc)
    2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-md5)
    2 PRE01SVDEB01$@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
    2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
    2 host/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 host/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 host/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
    2 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
    2 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-crc)
    2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-md5)
    2 SERVER$@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 SERVER$@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 SERVER$@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-crc)
    3 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
    2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-md5)
    3 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
    2 host/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
    3 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 host/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
    3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 host/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
    3 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 cifs/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 cifs/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 cifs/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 cifs/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 cifs/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 cifs/PRE01SVdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 cifs/PRE01SVdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 cifs/PRE01SVdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
    2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
    2 cifs/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
    2 cifs/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)

> For cifs (and nfs) you need the SPN format like this:
> cifs/hostname.internal.domain.tld@REALM.TLD
> (net ads adds the REALM part automatically)
> 
> If your host is using a CNAME for cifs then you need to add
> cifs/cname.internal.domain.tld@REALM.TLD also.


And WHY do I have to set that up again? I understand that Kerberos has 
to work behind the curtains, but it doesn't sound efficient to me that 
this isn't negotiated by the machines themselves.

I mean, in the start I didn't do that either, correct?

> And it's really advised to give these servers a PTR record.

There is a PTR.

> How I do it.
> And ALWAYS back up your krb5.keytab file first.
> Don't know why sometimes (in my case) the KVNO is off.
> When that happens I restore the original keytab file.
> 
> cp /etc/krb5.keytab{,.backup}
> kinit Administrator
> net ads keytab add_update_ads cifs/$(hostname -f)
> 
> Removing wrong entries I do like this, and maybe
> someone has better ideas on this, please add it..
> 
> !! MAKE THAT BACKUP FIRST !!
> ktutil
> rkt /etc/krb5.keytab
> ? for help.
> wkt /etc/krb5.keytab.new
> 
> cp /etc/krb5.keytab.new  /etc/krb5.keytab
> 
> !! If you write the keytab as shown above directly into /etc/krb5.keytab
> you get everything double.
> 
> When you use delent nr and you have 1-40 entries. Let's say entries 21 to 40 are wrong.
> delent 21  << only one you need.. Just repeat it until it's all gone.
> 
> Hope this helped a bit.

Sure, thanks.

I see the path but have to think twice before I touch this production 
file server. Users use it 24/7 ... my access from that Windows server 
isn't that important right now (transferred my ISO via another server ...).

> PS. I'm picky, but..
>> 	idmap config buero:range = 10000-99999
>> 	idmap config buero:backend = rid
> 
> buero should be BUERO

sigh

I showed the smb.conf-files of that site maybe 10 times here and every 
time I get another parameter pointed out as wrong. I wonder if it ever 
gets finished ;-)

Thanks anyway, I appreciate it!
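As an added example (not part of this thread or of Samba), a small POSIX shell script that audits `klist -ke` output for the three points raised above: whether the cifs/<fqdn> SPN exists, which principals carry more than one KVNO (as host/server does in the output above, the "KVNO is off" case), and how many entries still use deprecated enctypes. The host name server.example.at, the realm EXAMPLE.AT and the embedded sample output are constructed.

```shell
#!/bin/sh
# Audit klist -ke output for: a missing cifs/<fqdn> SPN, principals with
# several KVNOs, and DEPRECATED enctypes. The sample is constructed; in
# production use KLIST_OUT="$(klist -ke)" instead.

# Constructed sample (hypothetical host server.example.at, realm EXAMPLE.AT)
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/server.example.at@EXAMPLE.AT (aes256-cts-hmac-sha1-96)
   2 host/server@EXAMPLE.AT (DEPRECATED:des-cbc-crc)
   3 host/server@EXAMPLE.AT (aes256-cts-hmac-sha1-96)
   2 cifs/SERVER@EXAMPLE.AT (aes256-cts-hmac-sha1-96)'

# The same keytab after "net ads keytab add_update_ads cifs/$(hostname -f)"
SAMPLE_FIXED="$SAMPLE
   2 cifs/server.example.at@EXAMPLE.AT (aes256-cts-hmac-sha1-96)"

# has_cifs_spn FQDN OUTPUT: exit 0 if cifs/FQDN@REALM is in the keytab
has_cifs_spn() {
    printf '%s\n' "$2" | grep -q "^ *[0-9][0-9]* cifs/$1@"
}

# mixed_kvno OUTPUT: print each principal that appears with more than one KVNO
mixed_kvno() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / { if (!seen[$2 SUBSEP $1]++) kv[$2]++ }
        END { for (p in kv) if (kv[p] > 1) print p }' | sort
}

# deprecated_count OUTPUT: number of entries using a DEPRECATED enctype
deprecated_count() {
    printf '%s\n' "$1" | grep -c 'DEPRECATED:' || true
}

# audit FQDN OUTPUT: print a summary; return 1 when the cifs SPN is missing
audit() {
    if has_cifs_spn "$1" "$2"; then
        echo "ok: cifs/$1 SPN present"; rc=0
    else
        echo "MISSING: cifs/$1 SPN (back up the keytab, kinit, then run net ads keytab add_update_ads cifs/$1)"; rc=1
    fi
    for p in $(mixed_kvno "$2"); do echo "mixed KVNO: $p"; done
    echo "deprecated enctype entries: $(deprecated_count "$2")"
    return $rc
}

audit server.example.at "$SAMPLE" || echo "=> keytab needs repair"
```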