[Samba] Debian 4.17.3 Kerberos/SPNEGO

Ingo Asche foren at asche-rz.de
Fri Nov 25 18:56:57 UTC 2022 

Hi Dale,

the funny thing: I have the same problem with Bullseye 64-bit 
4.17.3+dfsg-1 & dfsg-2 and shares rights over groups. If I set the 
rights direct to the user, it works.

And now the really funny thing: One user is working again and I'm not 
really sure why.

Waiting for dfsg-2 in the hope this might solve the problem I used the 
time to change or add some groups for my NAS devices and it seems till 
then the user is working again. He got most of the new groups.

I've tested the join, I've got on each device "Join is ok". It's really 
weird...

Regards
Ingo
https://github.com/WAdama

Dale via samba schrieb am 25.11.2022 um 17:33:
> I've been following all the threads about Debian's samba 4.17.3+dfsg-1 
> and dfsg-2 to see if the answer for my broken shares would be 
> revealed.  While similar, I haven't seen the exact same problem, so 
> this may be an anomaly.
>
> Following is the history.
>
> Debian bullseye 64-bit with 4.17.3+dfsg-1 from backports -- no 
> problems, and the shares keep working.  It sounds like that is to be 
> expected.
>
> Debian bookworm 32-bit with 4.17.3+dfsg-1 -- all shares inaccessible, 
> but were restored by dfsg-2.  Again, that seems to be expected.
>
> Debian bookworm 64-bit with 4.17.3+dfsg-1 -- all shares inaccessible 
> and _not_ restored by dfsg-2.  This, I did not expect.  A simple kinit 
> on this system succeeds, however "net ads testjoin" results in the 
> error message below, while telling me the join is good.
>
>> gse_get_client_auth_token: gss_init_sec_context failed with [ 
>> Miscellaneous failure (see text): FAST fast response is missing 
>> FX-FAST (ldap/dc1.domain.realm.tld at DOMAIN.REALM.TLD)](2529639059)
>> ads_sasl_spnego_bind: kinit succeeded but SPNEGO bind with Kerberos 
>> failed for ldap/dc1.domain.realm.tld - user[AM1100$], 
>> realm[DOMAIN.REALM.TLD]: The attempted logon is invalid. This is 
>> either due to a bad username or authentication information.
>> Join is OK
>
> Because of this weirdness, out of an abundance of caution, I have not 
> updated the bullseye 64-bit system, as that is where the most 
> important shares are located.
>
> Has anyone seen this error before?
>
> Thanks,
> Dale
>
>

More information about the samba mailing list