[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab

banda bassotti bandabasotti at gmail.com
Tue Nov 5 11:06:20 UTC 2019


Louis, thank you very much. I followed the procedure step by step (which I
had already done), but unfortunately I always get the same error:

[2019/11/05 11:49:47.748159,  1]
../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab
MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Please pay attention to (kvno 113): the problem is here, not in the keytab
file.

klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
   7 host/FS-A at DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
   7 host/FS-A at DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
   7 host/FS-A at DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc)
   7 cifs/FS-A at DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5)
   7 cifs/FS-A at DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac)
   7 cifs/FS-A at DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 host/FS-A at DOM.CORP (des-cbc-crc)
   7 host/FS-A at DOM.CORP (des-cbc-md5)
   7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A at DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba at DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba at DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba at DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba at DOM.CORP (arcfour-hmac)

To temporarily solve this problem I must extract the keytab of oldsamba
from the domain controller and import it with ktutil:

# ktutil
ktutil:  rkt oldsamba.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1  112           cifs/oldsamba at DOM.CORP
   2  112           cifs/oldsamba at DOM.CORP
   3  112           cifs/oldsamba at DOM.CORP
   4  113           cifs/oldsamba at DOM.CORP
   5  113           cifs/oldsamba at DOM.CORP
   6  113           cifs/oldsamba at DOM.CORP

Please note the kvno column.


On Tue, 5 Nov 2019 at 11:30, L.P.H. van Belle <belle at bazuin.nl>
wrote:

> Hai,
>
> I've re-read your thread, and there are a few things going on..
> I suggest you do the following..
>
> Change these.
>
> /etc/krb5.conf
> [libdefaults]
>   default_realm = DOM.CORP
>   dns_lookup_kdc = true
>   dns_lookup_realm = false
>   forwardable = true
>   proxiable = true
>   kdc_timesync = 1
>   debug = false
>
>
> /etc/samba/smb.conf
> [Global]
>    workgroup = WG1
>    realm = DOM.CORP
>    # Netbios names in CAPS, see..
>    # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
>    # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>    # Verify in DNS the following: A - PTR records for the netbios name, set up CNAMEs for all alias names,
>    # point each CNAME to the A record for which the PTR also exists..
>    netbios name = FS-A
>    netbios aliases = OLDSAMBA
>    security = ADS
>    #
>    kerberos method = secrets and keytab
>    dedicated keytab file = /etc/krb5.keytab
>    # renew the kerberos ticket
>    winbind refresh tickets = yes
>
>
> ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
> You run : net ads keytab
>
> cp /etc/krb5.keytab{,.backup}
> kinit Administrator
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
> Verify this keytab.
> klist -ke /etc/krb5.keytab2
>
> You want to see :
> host/NETBIOSNAME at DOM.CORP  ( x5 )
> host/fqdn.hostname.dom.tld at DOM.CORP  ( x5 )
> NETBIOSNAME$@DOM.CORP  ( x5 )
>
> If you see these..  Then run this to add the cifs keytab.
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
>
> Verify the keytab file again.
> klist -ke /etc/krb5.keytab2
>
> If it all looks good.
>
> Stop all samba services
> rm /etc/krb5.keytab  .. ( a backup file is made if you followed above )
> mv /etc/krb5.keytab2 /etc/krb5.keytab
>
>
> That "should" do the trick..
>
>
>
> Greetz,
>
> Louis
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > banda bassotti via samba
> > Sent: Tuesday 5 November 2019 9:49
> > To: Rowland penny
> > CC: sambalist
> > Subject: Re: [Samba] Failed to find cifs/fs-share at dom.corp
> > (kvno 109) in keytab
> >
> > Hi, nothing to do: despite having set winbind not to change
> > the machine password, the behavior is the same. I do not know
> > what to do. Other ideas?
> >
> > thnx.
> >
> > On Tue, 29 Oct 2019 at 11:37, banda bassotti <
> > bandabasotti at gmail.com> wrote:
> >
> > > Hi, the problem seems to be related to this bug:
> > >
> > >   https://bugzilla.samba.org/show_bug.cgi?id=6750
> > >
> > > I try therefore to set
> > >
> > >   machine password timeout = 0
> > >
> > >
> > >
> > > On Tue, 29 Oct 2019 at 11:11, Rowland penny via samba <
> > > samba at lists.samba.org> wrote:
> > >
> > >> On 29/10/2019 10:04, banda bassotti wrote:
> > >> > I had already done it:
> > >> >
> > >> > # samba-tool spn list newsamba\$
> > >> > newsamba$
> > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> > >> > servicePrincipalName:
> > >> >          HOST/NEWSAMBA
> > >> >          HOST/newsamba.domain.corp
> > >> >          cifs/oldsamba at DOMAIN.CORP
> > >> >          cifs/oldsamba.domain.corp at DOMAIN.CORP
> > >>
> > >> From your log fragment, it appears to be looking for
> > >> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You will
> > >> probably have to remove the lowercase version SPN and replace
> > >> it with the uppercase version.
> > >>
> > >> Rowland
> > >>
> > >>
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions:  https://lists.samba.org/mailman/options/samba
> > >>
> > >
> >
> >
>
>
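The kvno mismatch at the top of this message (Samba looking for cifs/oldsamba at kvno 113 while every entry in the keytab is kvno 7) can be checked mechanically. The following is an added example, not code from this thread or from Samba: it parses a "klist -ke" listing and the gse.c error line, both constructed here with a real "@" where the list archive shows " at ", and reports whether the principal, the kvno and the enctype the service ticket was issued for are all present in the keytab. The enctype alias table is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed "klist -ke" listing shaped like the one in this thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
"""

# Constructed sample: the gse.c failure line from the thread, unwrapped onto one line.
SAMPLE_LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
              "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab "
              "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
LOG_RE = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab \S+ \((\S+)\)")
# klist and the GSSAPI error spell RC4 differently; fold the aliases to one name (assumed table).
ENCTYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}


def parse_klist(text):
    """Map principal -> set of (kvno, enctype) entries present in the keytab."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries[m.group(2)].add((int(m.group(1)), m.group(3)))
    return entries


def parse_failure(log_line):
    """Return (principal, kvno, enctype) that the client's service ticket was issued for."""
    m = LOG_RE.search(log_line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def diagnose(klist_text, log_line):
    """Classify why the keytab cannot decrypt the ticket named in the log line."""
    princ, kvno, enc = parse_failure(log_line)
    have = parse_klist(klist_text).get(princ, set())
    kvnos = sorted({k for k, _ in have})
    if not have:
        return ("missing", kvnos)          # SPN was never exported into this keytab
    if kvno not in kvnos:
        return ("kvno-mismatch", kvnos)    # stale keytab: the key rotated since export
    wanted = ENCTYPE_ALIASES.get(enc, enc)
    if not any(k == kvno and ENCTYPE_ALIASES.get(e, e) == wanted for k, e in have):
        return ("enctype-missing", kvnos)  # right kvno, but not this enctype
    return ("ok", kvnos)
```

Run against the real files with the output of "klist -ke /etc/krb5.keytab" and the gse.c line from log.smbd; a "kvno-mismatch" result means the keytab predates the last key change for that account, which is what the ktutil import above works around.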

