[Samba] samba 4.13.17 ubuntu 20.04

Marco Querci mquerci75 at gmail.com
Thu Jan 26 08:01:18 UTC 2023


Hi Rowland,

thanks for the reply.

> I think this might be a dns problem. From your smb.conf, the DC's
>hostname is 'AD5' yet the error message is referring to a 'server'
>called 'COR-WIN10'
Yes, that's the strange thing: the AD server is AD5, COR-WIN10 is the
client I'm trying to log in with!

> Where did '[netlogon]' go and why do you have a share for GPO's ?
[netlogon] doesn't exist, and the GPO share is a share for the software to be
installed via GPO ... nothing to do with the GPOs themselves (the name is
confusing).

The DNS seems ok:
sysadm@ad5:~$ host acme.lan
acme.lan has address 192.168.10.26
acme.lan has address 192.168.10.27

sysadm@ad5:~$ host -t SRV _kerberos._udp.acme.lan
_kerberos._udp.acme.lan has SRV record 0 100 88 ad5.acme.lan.
_kerberos._udp.acme.lan has SRV record 0 100 88 ad6.acme.lan.

sysadm@ad5:~$ host -t SRV _ldap._tcp.acme.lan
_ldap._tcp.acme.lan has SRV record 0 100 389 ad5.acme.lan.
_ldap._tcp.acme.lan has SRV record 0 100 389 ad6.acme.lan.

sysadm@ad5:~$ nslookup cor-win10
Server: 192.168.10.26
Address: 192.168.10.26#53

Name: cor-win10.acme.lan
Address: 192.168.10.102


Thanks.




On Thu, Jan 26, 2023 at 8:51 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

>
>
> On 26/01/2023 07:20, Marco Querci via samba wrote:
> > Hi everyone,
> >
> > I'm posting here because I'm facing a kerberos authentication problem after
> > the 2:4.13.17~dfsg-0ubuntu1.20.04.4 samba upgrade.
> > The clients, win10, win11, win2016 cannot login to AD anymore.
> > On server logs the authentication succeeded but in the Event Viewer on the
> > client I have this error:
> >
> > Security-Kerberos
> > The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> > cor-win10$. The target name used was COR-WIN10$.
>
>
> I think this might be a dns problem. From your smb.conf, the DC's
> hostname is 'AD5' yet the error message is referring to a 'server'
> called 'COR-WIN10'
>
> > This indicates that the
> > target server failed to decrypt the ticket provided by the client. This can
> > occur when the target server principal name (SPN) is registered on an
> > account other than the account the target service is using. Ensure that the
> > target SPN is only registered on the account used by the server. This error
> > can also happen if the target service account password is different than
> > what is configured on the Kerberos Key Distribution Center for that target
> > service. Ensure that the service on the server and the KDC are both
> > configured to use the same password. If the server name is not fully
> > qualified, and the target domain (ACME.LAN) is different from the client
> > domain (ACME.LAN), check if there are identically named server accounts in
> > these two domains, or use the fully-qualified name to identify the server.
> >
> > This is my smb.conf:
> > # Global parameters
> > [global]
> > netbios name = AD5
> > realm = ACME.LAN
> > server role = active directory domain controller
> > workgroup = ACME
> > idmap_ldb:use rfc2307 = yes
> > dns forwarder = 8.8.8.8
> >
> > log file = /var/log/samba/log.ad5
> > max log size = 100000
> > log level = 3 passdb:5 auth:5
> >
> > time server = yes
> > #load printers = yes
> >
> > #printing = CUPS
> > #rpc_server:spoolss = external
> > #rpc_daemon:spoolssd = fork
> > #spoolss: architecture = Windows x64
> >
> > host msdfs = yes
> > #vfs object = dfs_samba4
> >
> > disable netbios = yes
> > smb ports = 445
> >
> >
> > [sysvol]
> > comment = SYSVOL share
> >          path = /var/lib/samba/sysvol
> >          read only = no
> >          browseable = no
> >
> > [gpo]
> >          comment = GPO files share
> >          path = /var/lib/samba/sysvol/acme.lan/gpo
> >          read only = no
> >          browseable = no
>
> Where did '[netlogon]' go and why do you have a share for GPO's ?
>
> >
> > I also tried with samba 4.15 on ubuntu 22.04 ... same problem.
> >
> > I don't know what's the problem and how to handle it, maybe some related to
> > the latest samba security update together with some configuration in my
> > environment.
> > Can anyone help me in some way?
> >
> > Thanks.
>
> Samba upgraded Heimdal (the kdc) at 4.16.0, which was lucky, later
> versions of win10 upwards need it.
>
> You can find later versions of Samba here:
>
> http://www.corpit.ru/mjt/packages/samba/
>
> Rowland
>
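The event text quoted in this thread names an SPN registered on more than one account as one cause of KRB_AP_ERR_MODIFIED. The following is an added example, not part of the original thread and not Samba code, that finds such duplicates in LDIF text of the kind a directory search for servicePrincipalName would return; the sample records, including the OLD-PC$ account, are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (hypothetical records, not taken from the thread).
SAMPLE_LDIF = """\
dn: CN=COR-WIN10,CN=Computers,DC=acme,DC=lan
sAMAccountName: COR-WIN10$
servicePrincipalName: HOST/cor-win10.acme.lan

dn: CN=OLD-PC,CN=Computers,DC=acme,DC=lan
sAMAccountName: OLD-PC$
servicePrincipalName: host/COR-WIN10.ACME.LAN
servicePrincipalName: HOST/OLD-PC

dn: CN=AD5,OU=Domain Controllers,DC=acme,DC=lan
sAMAccountName: AD5$
servicePrincipalName:: SE9TVC9hZDUuYWNtZS5sYW4=
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record = defaultdict(list)
    for line in lines + [""]:                   # trailing "" flushes the last record
        if not line.strip():
            if record:
                yield dict(record)
            record = defaultdict(list)
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record[attr.lower()].append(value.strip())

def duplicate_spns(text):
    """Return {lowercased SPN: sorted account names} for SPNs on more than one account."""
    owners = defaultdict(set)
    for rec in parse_ldif(text):
        account = rec.get("samaccountname", rec.get("dn", ["?"]))[0]
        for spn in rec.get("serviceprincipalname", []):
            owners[spn.lower()].add(account)    # SPNs are compared case-insensitively
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

if __name__ == "__main__":
    for spn, accounts in duplicate_spns(SAMPLE_LDIF).items():
        print(f"{spn} is registered on: {', '.join(accounts)}")
```

An empty result means no SPN in the export is shared between accounts, which leaves the machine-account password mismatch named in the same event text as the other cause to check.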