I am running Samba on Arch Linux and I can't browse the shares; I get
prompted for a password over and over.
I see this in my logs:
[2016/10/10 17:14:50.128711, 1]
../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/rimfire.hebe.us@HEBE.US(kvno 2) in keytab
MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2016/10/10 17:14:50.128737, 1]
../auth/gensec/spnego.c:545(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2016/10/10 17:14:50.128766, 2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
[2016/10/10 17:14:50.128804, 3]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/10/10 17:14:50.129260, 3]
../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
[2016/10/10 17:14:50.133806, 3] ../source3/smbd/oplock.c:1322(init_oplocks)
init_oplocks: initializing messages.
[2016/10/10 17:14:50.133858, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 110 (0 toread)
[2016/10/10 17:14:50.134030, 3]
../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
Selected protocol SMB3_00
# krb5.conf [libdefaults]: library-wide Kerberos defaults for this host.
[libdefaults]
# Realm assumed when a principal name carries no realm part.
default_realm = HEBE.US
# Both lookups let DNS decide which realm a host belongs to and where its KDCs are.
# NOTE(review): plain DNS answers are unauthenticated, so realm/KDC discovery is only
# as trustworthy as the resolver path; [realms] below also names the KDC explicitly.
dns_lookup_realm = true
dns_lookup_kdc = true
# Requested lifetimes; the KDC's own policy may issue shorter tickets.
ticket_lifetime = 24h
renew_lifetime = 7d
# Tickets are requested as forwardable, i.e. usable from another host once forwarded.
forwardable = true
# System keytab holding this host's long-term service keys; it should be readable by root only.
# NOTE(review): the smbd log above reports a lookup in MEMORY:cifs_srv_keytab, not in this
# file, so setting this path does not by itself make smbd use the keys stored here.
default_keytab_name = FILE:/etc/krb5.keytab
# krb5.conf [realms]: where to reach the servers of each realm.
[realms]
HEBE.US = {
# KDC and admin server are the same host.
kdc = MAIA.HEBE.US
admin_server = MAIA.HEBE.US
# NOTE(review): in MIT krb5, default_domain is a Kerberos 4 principal-conversion setting;
# it is presumably unnecessary on an AD member - confirm.
default_domain = HEBE.US
}
# krb5.conf [domain_realm]: maps DNS host/domain names (left) to Kerberos realm names (right).
[domain_realm]
# Leading dot: every host under hebe.us belongs to realm HEBE.US.
.hebe.us = HEBE.US
# NOTE(review): the right-hand side has to be a realm name, but MAIA.HEBE.US is the KDC
# host named in [realms], and no realm of that name is defined in this file. This entry
# looks like it was meant to read HEBE.US - confirm. Without the leading dot it only
# applies to a host literally named hebe.us.
hebe.us = MAIA.HEBE.US
# krb5.conf [appdefaults]: per-application settings; the pam subsection is read by the
# Kerberos PAM module rather than by the Kerberos library itself.
[appdefaults]
pam = {
# Lifetimes requested for tickets obtained at PAM login (shorter than [libdefaults]).
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
# NOTE(review): presumably controls whether the credential cache is kept after the PAM
# session closes; false would mean it is removed - confirm against the PAM module's docs.
retain_after_close = false
# NOTE(review): a minimum_uid of 0 presumably means the module also attempts Kerberos for
# root and system accounts; a higher floor keeps local service accounts out of
# Kerberos authentication - confirm against the PAM module's docs.
minimum_uid = 0
debug = false
}
# krb5.conf [logging]: log destinations for the Kerberos library and daemons.
[logging]
default = FILE:/var/log/krb5libs.log
# NOTE(review): the kdc and admin_server entries only matter on a host that runs a KDC or
# kadmind; this host points at MAIA.HEBE.US for both, so they are presumably unused here.
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmind.log
# smb.conf global section for an Active Directory domain member (security = ads).
[Global]
# With bind interfaces only = no, smbd is not confined to bond0; the hosts allow list
# below is the only source filter visible in this section.
interfaces = bond0
bind interfaces only = no
# The failing service principal in the log above is cifs/rimfire.hebe.us, i.e. this name.
netbios name = rimfire
# Broadcast is tried first and DNS (host) third.
# NOTE(review): NetBIOS broadcast answers are unauthenticated; on an AD member DNS is
# normally consulted first - confirm this order is intended.
name resolve order = bcast lmhosts host wins
# Logins with an unknown user name are mapped to the guest account instead of being rejected.
# NOTE(review): on a domain member this can mask authentication failures and exposes any
# share that permits guests - confirm guest mapping is wanted.
map to guest = bad user
guest account = nobody
# Source-address allow list: the 192.168. prefix plus loopback.
hosts allow = 192.168. 127.0.0.1
# Windows NT ACLs are stored in extended attributes by the acl_xattr VFS module.
vfs objects = acl_xattr
map acl inherit = yes
inherit acls = Yes
acl group control = yes
store dos attributes = yes
# The map file rewrites client-supplied user names before authentication; keep it
# root-owned and not writable by others.
username map = /etc/samba/user.map
workgroup = HEBE
realm = HEBE.US
server string = %h ArchLinux Host
# AD member mode: clients present Kerberos tickets for this host's cifs service principal.
# No "kerberos method" or "dedicated keytab file" is set here, and the log above shows
# smbd searching MEMORY:cifs_srv_keytab.
# NOTE(review): that in-memory keytab is presumably derived from the machine account
# secret; "kvno 2 not found" then suggests the stored machine password is out of step
# with the account in AD - verify the domain join before changing anything else.
security = ads
# Already the default value.
encrypt passwords = yes
# NOTE(review): pins a single domain controller; with security = ads the DCs are normally
# located through DNS - confirm this override is needed.
password server = maia.hebe.us
# NOTE(review): this gives the default (*) domain the rid backend. The rid backend is
# normally configured for a named domain, with an allocating backend such as tdb for * -
# confirm against the idmap_rid documentation.
idmap config * : backend = rid
idmap config * : range = 10000-20000
strict allocate = yes
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
# Lets users log on while no domain controller is reachable.
# NOTE(review): this requires winbind to cache credential material locally - confirm that
# is acceptable for this host.
winbind offline logon = yes
winbind cache time = 300
template shell = /bin/bash
template homedir = /homes/%D/%U
preferred master = no
dns proxy = no
wins server = maia.hebe.us
wins proxy = no
local master = no
domain master = no
wins support = no
# The next three lines repeat settings already given above with the same effective value.
inherit acls = Yes
map acl inherit = Yes
acl group control = yes
load printers = no
# Level 3 is verbose (the log excerpt above contains level 1-3 entries); lower it once the
# problem is diagnosed.
debug level = 3
use sendfile = no
# Legacy tuning options.
# NOTE(review): max xmit, read raw and write raw presumably apply only to SMB1; the log
# shows SMB3_00 being negotiated - confirm they have any effect here.
socket options = TCP_NODELAY IPTOS_LOWDELAY
max xmit = 65535
read raw = yes
write raw = yes
On Mon, 10 Oct 2016 17:24:31 -0600 jacek burghardt via samba <samba at lists.samba.org> wrote:
> I am running samba on arch linux and I cant browse the shares I get
> prompted for password over and over.
> I see this in my logs
> [2016/10/10 17:14:50.128711, 1]
> ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
> gss_accept_sec_context failed with [ Miscellaneous failure (see
> text): Failed to find cifs/rimfire.hebe.us@HEBE.US(kvno 2) in keytab
> MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2016/10/10 17:14:50.128737, 1]
> ../auth/gensec/spnego.c:545(gensec_spnego_parse_negTokenInit)
> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2016/10/10 17:14:50.128766, 2]
> ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> [2016/10/10 17:14:50.128804, 3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_LOGON_FAILURE] ||
> at ../source3/smbd/smb2_sesssetup.c:134 [2016/10/10 17:14:50.129260,
> 3] ../source3/smbd/server_exit.c:246(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
> [2016/10/10 17:14:50.133806,
> 3] ../source3/smbd/oplock.c:1322(init_oplocks) init_oplocks:
> initializing messages. [2016/10/10 17:14:50.133858,
> 3] ../source3/smbd/process.c:1957(process_smb) Transaction 0 of
> length 110 (0 toread) [2016/10/10 17:14:50.134030, 3]
> ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
> Selected protocol SMB3_00
> [libdefaults]
> default_realm = HEBE.US
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> default_keytab_name = FILE:/etc/krb5.keytab
> [realms]
> HEBE.US = {
> kdc = MAIA.HEBE.US
> admin_server = MAIA.HEBE.US
> default_domain = HEBE.US
> }
>
> [domain_realm]
> .hebe.us = HEBE.US
> hebe.us = MAIA.HEBE.US
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = false
> }
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
>
Try changing your smb.conf to this:
[Global]
workgroup = HEBE
security = ads
realm = HEBE.US
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = %h ArchLinux Host
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 4
winbind refresh tickets = yes
winbind offline logon = yes
winbind nested groups = Yes
winbind separator = +
winbind cache time = 300
## map ids outside of domain to tdb file.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config HEBE : backend = rid
idmap config HEBE : range = 10000-20000
template shell = /bin/bash
template homedir = /homes/%D/%U
domain master = no
local master = no
preferred master = no
map to guest = bad user
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
interfaces = bond0
bind interfaces only = no
name resolve order = bcast lmhosts host wins
hosts allow = 192.168. 127.0.0.1
inherit acls = Yes
acl group control = yes
strict allocate = yes
dns proxy = no
wins server = maia.hebe.us
inherit acls = Yes
map acl inherit = Yes
acl group control = yes
load printers = no
debug level = 3
max xmit = 65535
Also does this SPN exist in AD: cifs/rimfire.hebe.us@HEBE.US
Rowland