example is sanitized as required

the samba host is a member of AD.INTERNALTWO.COM

when accessing from a client member of AD.INTERNALONE it is appending @AD.INTERNALONE to the SPN request(??) and I get the error in smbd.<client ip>

[2018/04/25 17:11:58.506095, 1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket kvno 3)]

I tried "ignore_acceptor_hostname = true" in krb5.conf, but it has no effect

workarounds:
if I access the samba host by IP address or nas1dev.AD.INTERNALTWO.COM it works
access from a linux host using the nas1dev.external.com name works

any suggestions?

smb.conf excerpt:
[global]
workgroup = INTERNALTWO
realm = AD.INTERNALTWO.COM
netbios name = nas1dev-rhel7
server string = nas1dev-rhel7
security = ADS
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
log file = /var/log/samba/smbd.%m
max log size = 500
min protocol = SMB2
min protocol = NT1
lanman auth = No
load printers = No
printing = bsd
printcap name = /dev/null
disable spoolss = yes
domain master = No
winbind enum users = Yes
#winbind use default domain = Yes
winbind expand groups = 5
#winbind normalize names = no
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
idmap config INTERNALTWO range = 1000000-1999999
idmap config INTERNALTWO : backend = ads
idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
idmap config NAS1DEV-RHEL7 : backend = tdb
log level = 1 auth:3 smb:3 winbind:5
ldapsam:trusted = yes
restrict anonymous = 2
create mask = 0770
force create mode = 0770
#obs #security mask = 0000
#obs #force security mode = 0770
directory mask = 2770
force directory mode = 2770
#obs #directory security mask = 0000
#obs #force directory security mode = 2770
hide special files = Yes
hide unreadable = Yes
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
writeable = yes
#ldap ssl = start tls
#ldap ssl ads = yes
wins server = 192.192.192.99
L.P.H. van Belle
2018-Apr-26 13:48 UTC
[Samba] samba4 ticket server cifs/ not found in keytab
Hai,

From your smb.
> realm = AD.INTERNALTWO.COM
> netbios name = nas1dev-rhel7
> server string = nas1dev-rhel7

As I expect:
cifs/nas1dev-rhel7.ad.yourPrimaryDomain.tld@AD.INTERNALTWO.COM

Check your hosts file and resolv.conf

Like in, what is the output of:
hostname -I and hostname -A

For cifs kerberos tickets, add in krb5.conf the following lines.

default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

That might help, then try again, you might need to restart the server first.

And this is wrong.
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
idmap config INTERNALTWO range = 1000000-1999999
idmap config INTERNALTWO : backend = ads
idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
idmap config NAS1DEV-RHEL7 : backend = tdb

These ranges may not overlap.
Review your smb.conf setup based on:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of listmail via samba
> Sent: Thursday 26 April 2018 15:11
> To: samba@lists.samba.org
> Subject: [Samba] samba4 ticket server cifs/ not found in keytab
>
> example is sanitized as required
>
> the samba host is a member of AD.INTERNALTWO.COM
>
> when accessing from a client member of AD.INTERNALONE it is appending
> @AD.INTERNALONE to the SPN request(??) and I get the error in
> smbd.<client ip>
> [2018/04/25 17:11:58.506095, 1]
> ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
> gss_accept_sec_context failed with [Unspecified GSS failure. Minor
> code may provide more information: Request ticket server
> cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket
> kvno 3)]
>
> I tried "ignore_acceptor_hostname = true" in krb5.conf, but it has no
> effect
>
> workarounds:
> if I access the samba host by IP address or
> nas1dev.AD.INTERNALTWO.COM
> it works
> access from a linux host using the nas1dev.external.com name works
>
> any suggestions?
>
> smb.conf excerpt:
> [global]
> workgroup = INTERNALTWO
> realm = AD.INTERNALTWO.COM
> netbios name = nas1dev-rhel7
> server string = nas1dev-rhel7
> security = ADS
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> winbind refresh tickets = yes
> log file = /var/log/samba/smbd.%m
> max log size = 500
> min protocol = SMB2
> min protocol = NT1
> lanman auth = No
> load printers = No
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> domain master = No
> winbind enum users = Yes
> #winbind use default domain = Yes
> winbind expand groups = 5
> #winbind normalize names = no
> idmap config * : range = 1000000-1999999
> idmap config * : backend = tdb
> idmap config INTERNALTWO range = 1000000-1999999
> idmap config INTERNALTWO : backend = ads
> idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
> idmap config NAS1DEV-RHEL7 : backend = tdb
> log level = 1 auth:3 smb:3 winbind:5
> ldapsam:trusted = yes
> restrict anonymous = 2
> create mask = 0770
> force create mode = 0770
> #obs #security mask = 0000
> #obs #force security mode = 0770
> directory mask = 2770
> force directory mode = 2770
> #obs #directory security mask = 0000
> #obs #force directory security mode = 2770
> hide special files = Yes
> hide unreadable = Yes
> veto files = /*.eml/*.nws/riched20.dll/*.{*}/
> writeable = yes
> #ldap ssl = start tls
> #ldap ssl ads = yes
> wins server = 192.192.192.99
Rowland Penny
2018-Apr-26 13:59 UTC
[Samba] samba4 ticket server cifs/ not found in keytab
On Thu, 26 Apr 2018 09:10:40 -0400
listmail via samba <samba@lists.samba.org> wrote:

> example is sanitized as required
>
> the samba host is a member of AD.INTERNALTWO.COM
>
> when accessing from a client member of AD.INTERNALONE it is appending
> @AD.INTERNALONE to the SPN request(??) and I get the error in
> smbd.<client ip>
> [2018/04/25 17:11:58.506095, 1]
> ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
> gss_accept_sec_context failed with [Unspecified GSS failure.
> Minor code may provide more information: Request ticket server
> cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket
> kvno 3)]
>
> smb.conf excerpt:
> [global]
> idmap config * : range = 1000000-1999999
> idmap config * : backend = tdb
> idmap config INTERNALTWO range = 1000000-1999999
> idmap config INTERNALTWO : backend = ads
> idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
> idmap config NAS1DEV-RHEL7 : backend = tdb

The ranges should not overlap, yours are identical, there is no winbind 'ads' backend, it is 'ad' and requires uidNumber & gidNumber attributes in AD, you will probably be better off using the 'rid' backend for 'NAS1DEV-RHEL7'

I think you need to read this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> ldapsam:trusted = yes

The above is only required on an ldap client, yours isn't an ldap client.

> wins server = 192.192.192.99

You don't need wins, this is AD.

Finally, the error message is telling you that 'nas1dev.external.com' needs an SPN and this also needs to be in /etc/krb5.keytab

Rowland
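Louis and Rowland both flag the identical idmap ranges, and Rowland adds that 'ads' is not a winbind idmap backend. The following is an added example written for this thread; it is not Samba code and not the poster's configuration. It pulls the `idmap config` lines out of an smb.conf excerpt, reports lines that do not parse (the INTERNALTWO range line above has no ':'), backends outside the standard winbind set (tdb, tdb2, ad, rid, autorid, nss, hash, ldap, script), and every pair of ranges that overlap. `SAMPLE_SMB_CONF` is constructed from the excerpt in the thread; `FIXED_SMB_CONF` is an assumed correction with disjoint ranges and a recognised backend, not a config anyone in the thread posted.

```python
"""Sanity-check the idmap configuration in an smb.conf excerpt.

Added example for the thread above; this is not Samba code and not the
poster's final configuration.  It extracts every 'idmap config' line,
reports lines that do not parse, backends that are not winbind idmap
backends, and pairs of ranges that overlap.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines quoted from the smb.conf in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = INTERNALTWO
realm = AD.INTERNALTWO.COM
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
idmap config INTERNALTWO range = 1000000-1999999
idmap config INTERNALTWO : backend = ads
idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
idmap config NAS1DEV-RHEL7 : backend = tdb
"""

# Constructed, assumed correction: disjoint ranges and a recognised backend.
FIXED_SMB_CONF = """\
[global]
workgroup = INTERNALTWO
realm = AD.INTERNALTWO.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config INTERNALTWO : backend = rid
idmap config INTERNALTWO : range = 10000-999999
"""

# winbind idmap backends shipped with Samba (the standard set; 'ads' is not one).
KNOWN_BACKENDS = {"tdb", "tdb2", "ad", "rid", "autorid", "nss", "hash", "ldap", "script"}

# A well-formed line is 'idmap config <DOMAIN> : <option> = <value>'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
IDMAP_ANY_RE = re.compile(r"^\s*idmap\s+config\b", re.IGNORECASE)


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({DOMAIN: {option: value}}, [idmap-looking lines that do not parse])."""
    domains: Dict[str, Dict[str, str]] = {}
    malformed: List[str] = []
    for line in conf.splitlines():
        if not IDMAP_ANY_RE.match(line):
            continue
        m = IDMAP_RE.match(line)
        if m is None:
            malformed.append(line.strip())
            continue
        domains.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = m["val"]
    return domains, malformed


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'low-high' into ints; raise ValueError if it is not a valid range."""
    low_s, high_s = value.split("-", 1)
    low, high = int(low_s), int(high_s)
    if low > high:
        raise ValueError(f"low > high in range {value!r}")
    return low, high


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the idmap block looks sane."""
    domains, malformed = parse_idmap(conf)
    problems = [f"malformed idmap line (missing ':'?): {line}" for line in malformed]
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in sorted(domains.items()):
        backend = opts.get("backend")
        if backend is not None and backend.lower() not in KNOWN_BACKENDS:
            problems.append(f"{dom}: unknown idmap backend '{backend}'")
        if "range" in opts:
            try:
                low, high = parse_range(opts["range"])
                ranges.append((dom, low, high))
            except ValueError:
                problems.append(f"{dom}: unparsable range '{opts['range']}'")
    # Every pair of ranges must be disjoint; overlapping ranges let two
    # domains hand out the same uid/gid numbers.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


if __name__ == "__main__":
    for name, conf in (("thread excerpt", SAMPLE_SMB_CONF), ("corrected", FIXED_SMB_CONF)):
        print(f"== {name} ==")
        for p in check_idmap(conf) or ["no problems found"]:
            print("  " + p)
```

Run against the thread's excerpt it reports three problems: the INTERNALTWO range line is malformed, so that domain ends up with a backend but no range; the 'ads' backend is not recognised; and the '*' and NAS1DEV-RHEL7 ranges are identical. The assumed correction reports nothing.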
On 2018-04-26 09:48, L.P.H. van Belle via samba wrote:
> Hai,
>
>> From your smb.
>> realm = AD.INTERNALTWO.COM
>> netbios name = nas1dev-rhel7
>> server string = nas1dev-rhel7
>
> As I expect:
> cifs/nas1dev-rhel7.ad.yourPrimaryDomain.tld@AD.INTERNALTWO.COM
> Check your hosts file and resolv.conf
>
> Like in, what is the output of:
> hostname -I and hostname -A
>

the AD.INTERNALONE.COM is appended somehow when accessing AD.INTERNALTWO.COM from the AD.INTERNALONE.COM domain -- then CIFS ticket error occurs. the actual hostname of the samba server is nas1dev-rhel7.

> For cifs kerberos tickets, add in krb5.conf the following lines.
>
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
> des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
> des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
>
> That might help, then try again, you might need to restart the server
> first.
>
> And this is wrong.
> idmap config * : range = 1000000-1999999
> idmap config * : backend = tdb
> idmap config INTERNALTWO range = 1000000-1999999
> idmap config INTERNALTWO : backend = ads
> idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
> idmap config NAS1DEV-RHEL7 : backend = tdb
>
> These ranges may not overlap.
> Review your smb.conf setup based on:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
On 2018-04-26 09:59, Rowland Penny via samba wrote:
> I think you need to read this wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I won't argue with you on that, I inherited this config and only know enough about samba to be dangerous ;)

> Finally, the error message is telling you that 'nas1dev.external.com'
> needs an SPN and this also needs to be in /etc/krb5.keytab
>

What I want to understand is why I need this SPN when accessing this host from a windows client in another domain, but when I access from IP or from Linux to DNS this isn't an issue. Also I am not sure how I add an SPN for a domain it is not a member of (in this case AD.INTERNALONE). He is a member of AD.INTERNALTWO.

Thanks for the feedback

- Richie
L.P.H. van Belle
2018-Apr-26 14:39 UTC
[Samba] samba4 ticket server cifs/ not found in keytab
> On 2018-04-26 09:48, L.P.H. van Belle via samba wrote:
>> Hai,
>>
>>> From your smb.
>>> realm = AD.INTERNALTWO.COM
>>> netbios name = nas1dev-rhel7
>>> server string = nas1dev-rhel7
>>
>> As I expect:
>> cifs/nas1dev-rhel7.ad.yourPrimaryDomain.tld@AD.INTERNALTWO.COM
>> Check your hosts file and resolv.conf
>>
>> Like in, what is the output of:
>> hostname -I and hostname -A
>>
> the AD.INTERNALONE.COM is appended somehow when accessing
> AD.INTERNALTWO.COM from the AD.INTERNALONE.COM domain -- then CIFS
> ticket error occurs. the actual hostname of the samba server is
> nas1dev-rhel7.

The actual hostname is the output of hostname -s
The primary dns domain is the output of hostname -d
The hostname you should use is the output of hostname -f

Your kerberos domain is != hostname -d

hostname -A and hostname -I show all IP addresses and hostnames/aliases.

The resolving order matters a lot in resolv.conf

And your krb5.conf probably has something like this.

[libdefaults]
default_realm = AD.INTERNALONE.COM

That's where the kerberos domain (the added part) is coming from.

But! I don't know a lot about RH/Centos, so correct me if I'm wrong here.

Greetz,

Louis
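Rowland reads the error as "nas1dev.external.com needs an SPN and a keytab entry"; Louis reads the appended realm as the client's default_realm leaking into the request. Both are checkable from two artefacts the poster already has: the smbd log line and `klist -k` on the file server. The following is an added example written for this thread, not Samba code. It parses the gse.c error line quoted above and a `klist -k` listing, then says which of the two explanations fits: the requested name exists in the keytab but under a different realm (Louis's point), the name and realm match but the kvno differs, or there is no entry for the requested name at all (Rowland's point). `KLIST_OUTPUT` is constructed for a domain member of AD.INTERNALTWO.COM; its principals and kvno are assumptions, not the poster's keytab, and the `Principal`, `parse_gse_error`, `parse_klist` and `diagnose` names are this example's own.

```python
"""Match a Samba 'Request ticket server ... not found in keytab' error
against the keytab contents.

Added example, not Samba code.  Parses the gse.c log line quoted in the
thread and a constructed `klist -k` listing, then classifies the mismatch
as realm-mismatch, kvno-mismatch or missing-spn.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Principal(NamedTuple):
    service: str        # 'cifs', 'host', or the bare account name for 'NAS1DEV-RHEL7$'
    host: str           # lower-cased host part; '' for a plain account principal
    realm: str          # upper-cased realm
    kvno: Optional[int]


# The smbd log line from the thread (sanitized by the poster), with '@' restored.
GSE_ERROR = (
    "gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may "
    "provide more information: Request ticket server cifs/nas1dev.external.com"
    "@AD.INTERNALONE not found in keytab (ticket kvno 3)]"
)

# Constructed `klist -k /etc/krb5.keytab` output for a member of AD.INTERNALTWO.COM.
# The principals and kvno are assumptions for this example, not the poster's keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 NAS1DEV-RHEL7$@AD.INTERNALTWO.COM
   3 host/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM
   3 host/NAS1DEV-RHEL7@AD.INTERNALTWO.COM
   3 cifs/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM
"""

GSE_RE = re.compile(
    r"Request ticket server (?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+) "
    r"not found in keytab \(ticket kvno (?P<kvno>\d+)\)"
)
KLIST_LINE_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+@\S+)\s*$")


def parse_gse_error(line: str) -> Optional[Principal]:
    """Extract the service principal and kvno that smbd says it could not find."""
    m = GSE_RE.search(line)
    if m is None:
        return None
    return Principal(m["svc"], m["host"].lower(), m["realm"].upper(), int(m["kvno"]))


def parse_klist(text: str) -> List[Principal]:
    """Parse the principal table of `klist -k` output; header lines are skipped."""
    principals: List[Principal] = []
    for line in text.splitlines():
        m = KLIST_LINE_RE.match(line)
        if m is None:
            continue
        name, realm = m["princ"].rsplit("@", 1)
        service, _, host = name.partition("/")   # host is '' for 'NAME$' principals
        principals.append(Principal(service, host.lower(), realm.upper(), int(m["kvno"])))
    return principals


def diagnose(requested: Principal, keytab: List[Principal]) -> Tuple[str, str]:
    """Return (code, explanation); code is ok, realm-mismatch, kvno-mismatch or missing-spn."""
    same_name = [p for p in keytab if (p.service, p.host) == (requested.service, requested.host)]
    if any((p.realm, p.kvno) == (requested.realm, requested.kvno) for p in same_name):
        return "ok", "matching principal and kvno are in the keytab"
    realms = sorted({p.realm for p in same_name})
    if same_name and requested.realm not in realms:
        return ("realm-mismatch",
                f"keytab has {requested.service}/{requested.host} for {', '.join(realms)} but the "
                f"client asked for {requested.realm}; check the client's default_realm and "
                f"[domain_realm] mapping in krb5.conf")
    if same_name:
        have = sorted({p.kvno for p in same_name if p.realm == requested.realm})
        return "kvno-mismatch", f"keytab kvno {have} vs ticket kvno {requested.kvno}; keytab may be stale"
    hosts = sorted({p.host for p in keytab if p.service == requested.service})
    return ("missing-spn",
            f"no {requested.service}/{requested.host} entry at all (keytab has {requested.service}/ "
            f"for {hosts}); that name needs an SPN on the machine account and a keytab entry")


if __name__ == "__main__":
    req = parse_gse_error(GSE_ERROR)
    assert req is not None, "log line did not match"
    code, why = diagnose(req, parse_klist(KLIST_OUTPUT))
    print(f"{code}: {why}")
```

With the constructed keytab the verdict is missing-spn: the keytab only holds cifs/ for the host's real FQDN, so a ticket for the alias name cannot be decrypted whichever realm the client names. If the alias were added to the keytab under AD.INTERNALTWO.COM the verdict would change to realm-mismatch, which is the situation Louis describes.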