rawi
2017-Jan-16 17:07 UTC
[Samba] SOLVED(I hope): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Samba - General mailing list wrote
>> [2017/01/11 16:42:34.522067, 1]
>> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
>> Failed to find cifs/hg004.humgen.0zone@HUMGEN.0ZONE(kvno 1) in keytab
>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> [2017/01/11 16:42:34.522095, 1]
>> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>
> Looks like: https://bugzilla.samba.org/show_bug.cgi?id=12262

Thank you Mark

but it doesn't feel the same to me...

In subsequent tests I wasn't able any more even to join. The first time was a lucky one, voodoo.

I discovered, that the generated smb.conf was not enough for an AD-DC.

Despite having:

server role = active directory domain controller

... the default settings for:

domain logons = no (?)
domain master = auto (aka equally NO)
local master = yes

(not specifically mentioned in the generated smb.config)

... were enough for Windows7 and Windows8 (?), but not for Windows XP

After setting

domain master = YES

... I could join the WindowsXP and login.

I also added then (to be sure ;) domain logons = YES.

This seems now to work. I'll test tomorrow joins with other clients.

What remains, is the question, why a "server role = active directory domain controller" doesn't enable "domain logons" by default?

Regards

rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713527.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2017-Jan-16 17:25 UTC
[Samba] SOLVED(I hope): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
On Mon, 16 Jan 2017 09:07:35 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:

> Samba - General mailing list wrote
> >> [2017/01/11 16:42:34.522067, 1]
> >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
> >> gss_accept_sec_context failed with [ Miscellaneous failure (see
> >> text): Failed to find cifs/hg004.humgen.0zone@HUMGEN.0ZONE(kvno 1)
> >> in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >> [2017/01/11 16:42:34.522095, 1]
> >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
> >> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> >
> > Looks like: https://bugzilla.samba.org/show_bug.cgi?id=12262
>
> Thank you Mark
>
> but it doesn't feel the same to me...
>
> In subsequent tests I wasn't able any more even to join. The first
> time was a lucky one, voodoo.
>
> I discovered, that the generated smb.conf was not enough for an AD-DC.
>
> Despite having:
>
> server role = active directory domain controller
>
> ... the default settings for:
>
> domain logons = no (?)
> domain master = auto (aka equally NO)
> local master = yes
>
> (not specifically mentioned in the generated smb.config)
>
> ... were enough for Windows7 and Windows8 (?), but not for Windows XP
>
> After setting
>
> domain master = YES
>
> ... I could join the WindowsXP and login.
>
> I also added then (to be sure ;) domain logons = YES.
>
> This seems now to work. I'll test tomorrow joins with other clients.
>
> What remains, is the question, why a "server role = active directory
> domain controller" doesn't enable "domain logons" by default?
>
> Regards
>
> rawi
>

Can we see your smb.conf, the default for 'domain master' is auto and I have never had to change it.

Rowland
Marc Muehlfeld
2017-Jan-16 17:39 UTC
[Samba] SOLVED(I hope): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Hello,

On 16.01.2017 at 18:07, rawi via samba wrote:
> I discovered, that the generated smb.conf was not enough for an AD-DC.
>
> Despite having:
>
> server role = active directory domain controller
>
> ... the default settings for:
>
> domain logons = no (?)
> domain master = auto (aka equally NO)
> local master = yes
>
> (not specifically mentioned in the generated smb.config)
>
> ... were enough for Windows7 and Windows8 (?), but not for Windows XP
>
> After setting
>
> domain master = YES
>
> ... I could join the WindowsXP and login.
>
> I also added then (to be sure ;) domain logons = YES.
>
> This seems now to work. I'll test tomorrow joins with other clients.
>
> What remains, is the question, why a "server role = active directory domain
> controller" doesn't enable "domain logons" by default?

I cannot confirm this. I never had these settings in smb.conf files on my DCs and XP clients ran successfully.

Additionally, the "domain logons" parameter was for Win9x clients and the default has been "off" for a very long time, not just on AD DCs. See the smb.conf man page:

> domain logons (G)
>
> If set to yes, the Samba server will provide the netlogon service for
> Windows 9X network logons for the workgroup it is in. This will also
> cause the Samba server to act as a domain controller for NT4 style
> domain services. For more details on setting up this feature see the
> Domain Control chapter of the Samba HOWTO Collection.
>
> Default: domain logons = no

I'm a bit afraid what happens if you enable this on a Samba DC. Let us know what it breaks. ;-)

Regards,
Marc
rawi
2017-Jan-17 11:03 UTC
[Samba] SOLVED(approximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Samba - General mailing list wrote
> On Mon, 16 Jan 2017 09:07:35 -0800 (PST)
> rawi via samba <samba at lists.samba.org> wrote:
>
>> Samba - General mailing list wrote
>> >> [2017/01/11 16:42:34.522067, 1]
>> >> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>> >> gss_accept_sec_context failed with [ Miscellaneous failure (see
>> >> text): Failed to find cifs/hg004.humgen.0zone@HUMGEN.0ZONE(kvno 1)
>> >> in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> >> [2017/01/11 16:42:34.522095, 1]
>> >> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>> >> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> >
>> > Looks like: https://bugzilla.samba.org/show_bug.cgi?id=12262
>>
>> Thank you Mark
>>
>> but it doesn't feel the same to me...
>>
>> In subsequent tests I wasn't able any more even to join. The first
>> time was a lucky one, voodoo.
>>
>> I discovered, that the generated smb.conf was not enough for an AD-DC.
>>
>> Despite having:
>>
>> server role = active directory domain controller
>>
>> ... the default settings for:
>>
>> domain logons = no (?)
>> domain master = auto (aka equally NO)
>> local master = yes
>>
>> (not specifically mentioned in the generated smb.config)
>>
>> ... were enough for Windows7 and Windows8 (?), but not for Windows XP
>>
>> After setting
>>
>> domain master = YES
>>
>> ... I could join the WindowsXP and login.
>>
>> I also added then (to be sure ;) domain logons = YES.
>>
>> This seems now to work. I'll test tomorrow joins with other clients.
>>
>> What remains, is the question, why a "server role = active directory
>> domain controller" doesn't enable "domain logons" by default?
>>
>> Regards
>>
>> rawi
>>
>
>
> Can we see your smb.conf, the default for 'domain master' is auto and I
> have never had to change it.
>
> Rowland

Rowland, thank you

Please note the comments starting with two '#'. They give info about erroneous behavior I encountered.
The manual says that "domain master = auto" means "NO", if "domain logons NO" and this is default.

Please note also the behavior of "hosts allow ... except" on the AD-DC

here it comes...

root@hg-dc1:/etc/samba# cat smb.conf
## Global parameters
[global]
    workgroup = HUMGEN
    realm = HUMGEN.0ZONE
    netbios name = HG-DC1
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc #dnsupdate
    ## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone
    ## and contains all I have, inclusive printer and lab devices, which are not in the domain
    ## all dns tests are positive and all clients get DNS
    idmap_ldb:use rfc2307 = yes
    dns-nameservers 127.0.0.1
    tls enabled = yes
    tls keyfile = tls/myKey.pem
    tls certfile = tls/myCert.pem
    tls cafile =

    ## WITHOUT THIS no old WindowsXP will find the AD-DC to join,
    ## even if I've already set the IP of the wins server to the AD-DC in numerical form
    ## Error is, that no SRV record could be found for the domain. BUT nslookup shows manually all needed
    ## After the join, WindowsXP seems to stay joined and allow further login
    ## EVEN if I take these configs back
    #domain logons = yes
    #domain master = yes
    #local master = yes

    ## hosts allow on AD-DC breaks everything.
    ## No more wbinfo on the DC, no more id or getent passwd on the domain member
    ## BUG?
    #hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123

    ## don't show the shares
    browseable = no
    map to guest = never
    ## allow no local caching of data on the client
    csc policy = disable
    hide unreadable = yes
    hide dot files = no
    ## new session kills possible old connection from the same IP.
    ## Avoids lock on files by old connections
    reset on zero vc = yes

[netlogon]
    path = /var/lib/samba/sysvol/humgen.0zone/scripts
    read only = Yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
<<<<< smb.conf AD-DC END

And now as a side note and deja vu for me, look what I wrote in the old smb.conf (still working since 2009) for a NT-domain with Samba/smbd version 3.4.0 :)

    ## samba accepts no new computer in the domain if this
    ## browse options equals NO ?!
    preferred master = yes
    local master = yes
    domain master = yes

Regards

rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713549.html
Sent from the Samba - General mailing list archive at Nabble.com.
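The configuration question discussed in this thread, as an added example that is not part of any poster's message and not Samba code: a small Python check that parses an smb.conf and reports "domain logons" / "domain master" enabled on an AD DC, lines that are not "name = value", and empty values. Treating these as findings is an assumption of this example based on the replies above; the function names and the sample input are constructed.

```python
import re

AD_DC_ROLE = "active directory domain controller"
# Parameters both replies say they never set on their AD DCs. Flagging them
# is this example's assumption, not a rule enforced by Samba.
NT4_ERA = {"domain logons", "domain master"}
TRUE_VALUES = {"yes", "true", "on", "1"}

def norm(name):
    # Names are case-insensitive; collapse runs of whitespace.
    return re.sub(r"\s+", " ", name.strip().lower())

def parse_smb_conf(text):
    """Return ({section: {param: value}}, [(lineno, malformed_line)])."""
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[norm(name)] = value.strip()
        else:
            malformed.append((lineno, line))
    return sections, malformed

def lint(text):
    sections, malformed = parse_smb_conf(text)
    glob = sections.get("global", {})
    findings = [f"line {n}: not 'name = value': {l!r}" for n, l in malformed]
    if glob.get("server role", "").lower() == AD_DC_ROLE:
        for name in sorted(NT4_ERA.intersection(glob)):
            if glob[name].lower() in TRUE_VALUES:
                findings.append(f"{name} = {glob[name]} set on an AD DC")
    findings += [f"{n} has an empty value" for n, v in glob.items() if not v]
    return findings

# Constructed sample: an excerpt of the posted [global] section with the
# commented-out "domain ..." lines enabled, as during the XP join.
SAMPLE = """\
[global]
    server role = active directory domain controller
    dns-nameservers 127.0.0.1
    tls cafile =
    domain logons = yes
    domain master = yes
"""
print("\n".join(lint(SAMPLE)))
```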
rawi
2017-Jan-17 11:19 UTC
[Samba] SOLVED(I hope): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Samba - General mailing list wrote
> Hello,
>
> On 16.01.2017 at 18:07, rawi via samba wrote:
>> I discovered, that the generated smb.conf was not enough for an AD-DC.
>>
>> Despite having:
>>
>> server role = active directory domain controller
>>
>> ... the default settings for:
>>
>> domain logons = no (?)
>> domain master = auto (aka equally NO)
>> local master = yes
>>
>> (not specifically mentioned in the generated smb.config)
>>
>> ... were enough for Windows7 and Windows8 (?), but not for Windows XP
>>
>> After setting
>>
>> domain master = YES
>>
>> ... I could join the WindowsXP and login.
>>
>> I also added then (to be sure ;) domain logons = YES.
>>
>> This seems now to work. I'll test tomorrow joins with other clients.
>>
>> What remains, is the question, why a "server role = active directory
>> domain
>> controller" doesn't enable "domain logons" by default?
>
> I cannot confirm this. I never had these settings in smb.conf files on
> my DCs and XP clients ran successfully.
>
>
> Additionally, the "domain logons" parameter was for Win9x clients and
> the default has been "off" for a very long time, not just on AD DCs. See the
> smb.conf man page:
>> domain logons (G)
>>
>> If set to yes, the Samba server will provide the netlogon service for
>> Windows 9X network logons for the workgroup it is in. This will also
>> cause the Samba server to act as a domain controller for NT4 style
>> domain services. For more details on setting up this feature see the
>> Domain Control chapter of the Samba HOWTO Collection.
>>
>> Default: domain logons = no
>
> I'm a bit afraid what happens if you enable this on a Samba DC.
> Let us know what it breaks. ;-)
>
> Regards,
> Marc

Well, Marc ... your last sentence haunted me the whole night ;)

Please see also my answer to Rowland

IF something breaks... that's me and the only open source guy in this institute.
I'm an old stubborn admin here for 13 years, alone.
The youth and the research want only the job quickly done, no matter with which tools.

So, that's me breaking, if things are going awry... I hope not...

Regards

rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713550.html
Sent from the Samba - General mailing list archive at Nabble.com.