rawi
2017-Jan-17 11:03 UTC
[Samba] SOLVED(aproximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
> On Mon, 16 Jan 2017 09:07:35 -0800 (PST)
> rawi via samba <samba at lists.samba.org> wrote:
>
>>>> [2017/01/11 16:42:34.522067, 1]
>>>> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>>>> gss_accept_sec_context failed with [ Miscellaneous failure (see
>>>> text): Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1)
>>>> in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>> [2017/01/11 16:42:34.522095, 1]
>>>> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>>>> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>>
>>> Looks like: https://bugzilla.samba.org/show_bug.cgi?id=12262
>>
>> Thank you Mark
>>
>> but it doesn't feel the same to me...
>>
>> In subsequent tests I wasn't able any more even to join. The first
>> time was a lucky one, voodoo.
>>
>> I discovered that the generated smb.conf was not enough for an AD-DC.
>>
>> Despite having:
>>
>> server role = active directory domain controller
>>
>> ... the default settings for:
>>
>> domain logons = no (?)
>> domain master = auto (aka equally NO)
>> local master = yes
>>
>> (not specifically mentioned in the generated smb.conf)
>>
>> ... were enough for Windows7 and Windows8 (?), but not for Windows XP
>>
>> After setting
>>
>> domain master = YES
>>
>> ... I could join the WindowsXP and login.
>>
>> I also added then (to be sure ;) domain logons = YES.
>>
>> This seems now to work. I'll test joins with other clients tomorrow.
>>
>> What remains is the question why a "server role = active directory
>> domain controller" doesn't enable "domain logons" by default?
>>
>> Regards
>>
>> rawi
>
> Can we see your smb.conf, the default for 'domain master' is auto and I
> have never had to change it.
>
> Rowland

Rowland, thank you

Please note the comments starting with two '#'. They give info about
erroneous behavior I encountered.

The manual says that "domain master = auto" means "NO" if "domain
logons = NO", and this is the default.
Please note also the behavior of "hosts allow ... except" on the AD-DC

here it comes...

root at hg-dc1:/etc/samba# cat smb.conf
## Global parameters
[global]
        workgroup = HUMGEN
        realm = HUMGEN.0ZONE
        netbios name = HG-DC1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc
        #dnsupdate
        ## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone
        ## and contains all I have, inclusive printer and lab devices, which are not in the domain
        ## all dns tests are positive and all clients get DNS

        idmap_ldb:use rfc2307 = yes
        dns-nameservers 127.0.0.1

        tls enabled = yes
        tls keyfile = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile =

        ## WITHOUT THIS no old WindowsXP will find the AD-DC to join,
        ## even if I've already set the IP of the wins server to the AD-DC in numerical form
        ## Error is, that no SRV record could be found for the domain. BUT nslookup shows manually all needed
        ## After the join, WindowsXP seems to stay joined and allow further login
        ## EVEN if I take these configs back
        #domain logons = yes
        #domain master = yes
        #local master = yes

        ## hosts allow on AD-DC breaks everything.
        ## No more wbinfo on the DC, no more id or getent passwd on the domain member
        ## BUG?
        #hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123

        ## don't show the shares
        browseable = no

        map to guest = never

        ## allow no local caching of data on the client
        csc policy = disable

        hide unreadable = yes
        hide dot files = no

        ## new session kills possible old connection from the same IP. Avoids lock on files by old connections
        reset on zero vc = yes

[netlogon]
        path = /var/lib/samba/sysvol/humgen.0zone/scripts
        read only = Yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

<<<<< smb.conf AD-DC END

And now as a side note and deja vu for me, look what I wrote in the
old smb.conf (still working since 2009) for a NT-domain with
Samba/smbd version 3.4.0 :)

        ## samba accepts no new computer in the domain if this
        ## browse options equals NO ?!
        preferred master = yes
        local master = yes
        domain master = yes

Regards
rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713549.html
Sent from the Samba - General mailing list archive at Nabble.com.
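An added static check, not from the thread or from Samba, that parses an smb.conf excerpt modelled on the posted one and flags the two settings the thread turns on: `domain master = auto` resolved through `domain logons`, as rawi notes, and `hosts allow` on an AD DC, which rawi reports broke wbinfo and getent. It also rejects a line with no `=`, the shape of the `dns-nameservers 127.0.0.1` line in the posted file; the excerpt is constructed and the function names are this example's own.

```python
import configparser

# Constructed excerpt modelled on the DC smb.conf posted above (not the full file).
SAMPLE_SMB_CONF = """\
[global]
        workgroup = HUMGEN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
        domain master = auto
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

def parse_smb_conf(text: str) -> configparser.RawConfigParser:
    """Parse smb.conf text; only '=' separates name and value, ':' belongs to names."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                      empty_lines_in_values=False)
    # smb.conf option names are case- and whitespace-insensitive.
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return cp

def is_well_formed(text: str) -> bool:
    """False if a line is neither a section header, a comment nor 'name = value'."""
    try:
        parse_smb_conf(text)
        return True
    except configparser.ParsingError:
        return False

def effective_domain_master(g) -> bool:
    """'domain master = auto' (the default) follows 'domain logons', per smb.conf(5)."""
    dm = g.get("domain master", "auto").strip().lower()
    if dm == "auto":
        dm = g.get("domain logons", "no").strip().lower()
    return dm in ("yes", "true", "1")

def check_dc_settings(cp: configparser.RawConfigParser) -> list:
    """Flag the two settings this thread turned on, for an AD DC only."""
    g = cp["global"]
    if "active directory domain controller" not in g.get("server role", "").lower():
        return []
    findings = []
    if "hosts allow" in g:
        findings.append("hosts allow set on an AD DC (thread: broke wbinfo/getent)")
    if not effective_domain_master(g):
        findings.append("domain master resolves to no (thread: XP join needed yes)")
    return findings
```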
Rowland Penny
2017-Jan-17 11:24 UTC
[Samba] SOLVED(aproximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
On Tue, 17 Jan 2017 03:03:28 -0800 (PST)
rawi via samba <samba at lists.samba.org> wrote:

> Rowland, thank you
>
> Please note the comments starting with two '#'. They give info about
> erroneous behavior I encountered.
>
> The manual says that "domain master = auto" means "NO" if "domain
> logons = NO", and this is the default.
> Please note also the behavior of "hosts allow ... except" on the AD-DC
>
> here it comes...
>
> root at hg-dc1:/etc/samba# cat smb.conf
> ## Global parameters
> [global]
>         workgroup = HUMGEN
>         realm = HUMGEN.0ZONE
>         netbios name = HG-DC1
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc
>         #dnsupdate
>         ## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone
>         ## and contains all I have, inclusive printer and lab devices, which
> are not in the domain
>         ## all dns tests are positive and all clients get DNS
>
>         idmap_ldb:use rfc2307 = yes
>         dns-nameservers 127.0.0.1
>
>         tls enabled = yes
>         tls keyfile = tls/myKey.pem
>         tls certfile = tls/myCert.pem
>         tls cafile =
>
>         ## WITHOUT THIS no old WindowsXP will find the AD-DC to join,
>         ## even if I've already set the IP of the wins server to the AD-DC in
> numerical form
>         ## Error is, that no SRV record could be found for the domain. BUT
> nslookup shows manually all needed
>         ## After the join, WindowsXP seems to stay joined and allow further
> login ## EVEN if I take these configs back
>         #domain logons = yes
>         #domain master = yes
>         #local master = yes
>
>         ## hosts allow on AD-DC breaks everything.
>         ## No more wbinfo on the DC, no more id or getent passwd on the domain
> member
>         ## BUG?
>         #hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
>
>         ## don't show the shares
>         browseable = no
>
>         map to guest = never
>
>         ## allow no local caching of data on the client
>         csc policy = disable
>
>         hide unreadable = yes
>         hide dot files = no
>
>         ## new session kills possible old connection from the same IP. Avoids
> lock on files by old connections
>         reset on zero vc = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/humgen.0zone/scripts
>         read only = Yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> <<<<< smb.conf AD-DC END
>
> And now as a side note and deja vu for me, look what I wrote in the
> old smb.conf (still working since 2009) for a NT-domain with
> Samba/smbd version 3.4.0 :)
>
>         ## samba accepts no new computer in the domain if this
>         ## browse options equals NO ?!
>         preferred master = yes
>         local master = yes
>         domain master = yes
>
> Regards
> rawi

OK, first question, are you using BIND9_DLZ on the DC ?

Rowland
rawi
2017-Jan-17 11:32 UTC
[Samba] SOLVED(aproximative?): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
> On Tue, 17 Jan 2017 03:03:28 -0800 (PST)
> rawi via samba <samba at lists.samba.org> wrote:
>
>> Rowland, thank you
>>
>> Please note the comments starting with two '#'. They give info about
>> erroneous behavior I encountered.
>>
>> The manual says that "domain master = auto" means "NO" if "domain
>> logons = NO", and this is the default.
>> Please note also the behavior of "hosts allow ... except" on the AD-DC
>>
>> here it comes...
>>
>> root at hg-dc1:/etc/samba# cat smb.conf
>> ## Global parameters
>> [global]
>>         workgroup = HUMGEN
>>         realm = HUMGEN.0ZONE
>>         netbios name = HG-DC1
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc
>>         #dnsupdate
>>         ## all dns and dhcp is static for humgen.0zone and _msdcs.humgen.0zone
>>         ## and contains all I have, inclusive printer and lab devices, which
>> are not in the domain
>>         ## all dns tests are positive and all clients get DNS
>>
>>         idmap_ldb:use rfc2307 = yes
>>         dns-nameservers 127.0.0.1
>>
>>         tls enabled = yes
>>         tls keyfile = tls/myKey.pem
>>         tls certfile = tls/myCert.pem
>>         tls cafile =
>>
>>         ## WITHOUT THIS no old WindowsXP will find the AD-DC to join,
>>         ## even if I've already set the IP of the wins server to the AD-DC in
>> numerical form
>>         ## Error is, that no SRV record could be found for the domain. BUT
>> nslookup shows manually all needed
>>         ## After the join, WindowsXP seems to stay joined and allow further
>> login ## EVEN if I take these configs back
>>         #domain logons = yes
>>         #domain master = yes
>>         #local master = yes
>>
>>         ## hosts allow on AD-DC breaks everything.
>>         ## No more wbinfo on the DC, no more id or getent passwd on the domain
>> member
>>         ## BUG?
>>         #hosts allow = X.Y.Z.0/255.255.255.0 localhost EXCEPT X.Y.Z.123
>>
>>         ## don't show the shares
>>         browseable = no
>>
>>         map to guest = never
>>
>>         ## allow no local caching of data on the client
>>         csc policy = disable
>>
>>         hide unreadable = yes
>>         hide dot files = no
>>
>>         ## new session kills possible old connection from the same IP. Avoids
>> lock on files by old connections
>>         reset on zero vc = yes
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/humgen.0zone/scripts
>>         read only = Yes
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> <<<<< smb.conf AD-DC END
>>
>> And now as a side note and deja vu for me, look what I wrote in the
>> old smb.conf (still working since 2009) for a NT-domain with
>> Samba/smbd version 3.4.0 :)
>>
>>         ## samba accepts no new computer in the domain if this
>>         ## browse options equals NO ?!
>>         preferred master = yes
>>         local master = yes
>>         domain master = yes
>>
>> Regards
>> rawi
>
> OK, first question, are you using BIND9_DLZ on the DC ?
>
> Rowland

NO BIND9_DLZ, no dns updates. As mentioned (commented) in the config:
all dns comes from bind9 from static zones containing all I have and
supplementary all records samba AD-DC would need (SOA for _msdcs and its
objects etc.).

The newer Windows Versions (7 and 8.1) are doing perfectly.

rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/Difficulties-with-Windows-XP-failed-to-find-cifs-fileserver-y-z-Y-Z-in-keytab-arcfour-hmac-md5-tp4713385p4713552.html
Sent from the Samba - General mailing list archive at Nabble.com.