Hello, I've to migrate one file server (old samba 3) to a new file samba 4,
I thought I could use the parameter netbios aliases = oldsamba but it
doesn't work, trying to access the share, with the old names, the
credentials popup appears and the log shows:

gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/oldsamba3 at lan.corp(kvno 107) in keytab
MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Unfortunately I have to keep active also the old server for which I thought
I could solve with the dns.

any help?

thnx.

For this to work

Below shows a A on the old hostname, correct ?
With the "netbios alias" used in samba.

Setup like this :
The new server..
hostname => DNS A
IP => DNS PTR
Netbios Alias => CNAME OLDSERVERNAME

And try again.
Remove the A/PTR of the old hostname also.
Only a CNAME is sufficient..

Note, the new server MUST have A and PTR setup.

optional, set dns proxy = yes in smb.conf

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> banda bassotti via samba
> Sent: Thursday 26 September 2019 11:13
> To: samba at lists.samba.org
> Subject: [Samba] access to share with dns alias hostname
>
> Hello, I've to migrate one file server (old samba 3) to a new file samba 4,
> I thought I could use the parameter netbios aliases = oldsamba but it
> doesn't work, trying to access the share, with the old names, the
> credentials popup appears and the log shows:
>
> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/oldsamba3 at lan.corp(kvno 107) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> Unfortunately I have to keep active also the old server for which I thought
> I could solve with the dns.
>
> any help?
>
> thnx.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 26/09/2019 10:25, L.P.H. van Belle via samba wrote:
> For this to work
>
> Below shows a A on the old hostname, correct ?
> With the "netbios alias" used in samba.
>
> Setup like this :
> The new server..
> hostname => DNS A
> IP => DNS PTR
> Netbios Alias => CNAME OLDSERVERNAME
>
> And try again.
> Remove the A/PTR of the old hostname also.
> Only a CNAME is sufficient..
>
> Note, the new server MUST have A and PTR setup.

Will this work ? what about the kerberos ticket ?

> optional, set dns proxy = yes in smb.conf

If unset, that is the default, but it is an 'nmbd' thing and I am not
sure if 'nbt' on a DC has the required code.

It sounds to me that the OP has classicupgraded an NT4-style domain to
an AD domain. If so, then unless he has modified the smb.conf, the old
machine will still be running as a PDC.

I think he needs to give us more info.

Starting with the smb.conf from the new AD DC and the old PDC.

Rowland

On 26/09/2019 11:44, banda bassotti wrote:
> Hi, no it doesn't work:
>
> [2019/09/26 12:06:18.715651,  1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see
> text): Failed to find cifs/oldsamba at lan.corp(kvno 107) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> rowland, you are right we have before migrated the old samba3 domain
> to a new UCS (univention).

Then a question:

Are you paying UCS anything ?

If so, get them to sort it out for you, that is what you are paying for.

If not, then post the smb.conf from the UCS machine and the smb.conf
from the old machine.

Rowland

Hi,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Thursday 26 September 2019 11:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] access to share with dns alias hostname
>
> On 26/09/2019 10:25, L.P.H. van Belle via samba wrote:
> > For this to work
> >
> > Below shows a A on the old hostname, correct ?
> > With the "netbios alias" used in samba.
> >
> > Setup like this :
> > The new server..
> > hostname => DNS A
> > IP => DNS PTR
> > Netbios Alias => CNAME OLDSERVERNAME
> >
> > And try again.
> > Remove the A/PTR of the old hostname also.
> > Only a CNAME is sufficient..
> >
> > Note, the new server MUST have A and PTR setup.
> Will this work ? what about the kerberos ticket ?

Yes, if you access a server through its CNAME, the CNAME will resolve
back to the original hostname and its A and PTR record, which makes
kerberos work.

> > optional, set dns proxy = yes in smb.conf
>
> If unset, that is the default, but it is an 'nmbd' thing and I am not
> sure if 'nbt' on a DC has the required code.

As far as I see here this only works on members.

> It sounds to me that the OP has classicupgraded an NT4-style domain to
> an AD domain. If so, then unless he has modified the smb.conf, the old
> machine will still be running as a PDC.
>
> I think he needs to give us more info.

Yes, that also..

> Starting with the smb.conf from the new AD DC and the old PDC.
>
> Rowland

Hi, below the required files:
smb.conf of ucs master:
[global]
logging = file
max log size = 0
netbios name = ucs
server role = active directory domain controller
name resolve order = wins host bcast
server string = Univention Corporate Server
server services = -dns -smb +s3fs -nbt
server role check:inhibit = yes
# use nmbd; to disable set samba4/service/nmb to s4
nmbd_proxy_logon:cldap_server=127.0.0.1
workgroup = LAN
realm = LAN.CORP
tls enabled = yes
tls keyfile = /etc/univention/ssl/ucsdc.comune.padova.it/private.key
tls certfile = /etc/univention/ssl/ucsdc.comune.padova.it/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls verify peer = ca_and_name
ldap server require strong auth = no
dsdb:schema update allowed = no
max open files = 32808
ntlm auth = yes
machine password timeout = 0
acl allow execute always = True
# ignore interfaces in samba/register/exclude/interfaces
bind interfaces only = yes
interfaces = lo eth0
kccsrv:samba_kcc = False
debug hirestimestamp = yes
debug pid = yes
winbind separator = +
template shell = /bin/bash
template homedir = /home/%D-%U
idmap config * : backend = tdb
idmap config * : range = 300000-400000
passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
obey pam restrictions = yes
encrypt passwords = yes
spoolss: architecture = Windows x64
; domain service lookup related settings
preferred master = yes
local master = yes
domain master = yes
wins support = yes
; miscellaneous settings, mostly for file services
oplocks = yes
large readwrite = yes
read raw = yes
write raw = yes
max xmit = 65535
acl:search = no
host msdfs = yes
kernel oplocks = yes
deadtime = 15
getwd cache = yes
wide links = no
store dos attributes = yes
logon home = \\ucs\%U
logon drive = I:
logon path = \\ucs\%U\windows-profiles\%a
preserve case = yes
short preserve case = yes
guest account = nobody
map to guest = Bad User
admin users = administrator join-backup
usershare max shares = 0
smb.conf of new member server:
[global]
workgroup = LAN
realm = lan.corp
netbios name = fs1
netbios aliases = oldsamba3
security = ADS
logging = file
log level = 1 auth_audit:3
log file = /var/log/samba/%m.log
idmap config *:backend = tdb
idmap config *:range = 300000-400000
idmap config LAN:backend = rid
idmap config LAN:range = 500000-700000
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes
winbind separator = +
winbind use default domain = yes
winbind offline logon = yes
winbind cache time = 3600
winbind enum groups = yes
winbind enum users = yes
template homedir = /home/%U
usershare allow guests = yes
usershare path
username map = /etc/samba/user.map
On Thu 26 Sep 2019 at 13:05 Rowland penny via samba <samba at lists.samba.org> wrote:
> On 26/09/2019 11:44, banda bassotti wrote:
> > Hi, no it doesn't work:
> >
> > [2019/09/26 12:06:18.715651, 1]
> > ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> > gss_accept_sec_context failed with [ Miscellaneous failure (see
> > text): Failed to find cifs/oldsamba at lan.corp(kvno 107) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > rowland, you are right we have before migrated the old samba3 domain
> > to a new UCS (univention).
>
> Then a question:
>
> Are you paying UCS anything ?
>
> If so, get them to sort it out for you, that is what you are paying for.
>
> If not, then post the smb.conf from the UCS machine and the smb.conf
> from the old machine.
>
> Rowland
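
The following is an added example, not code from any post in this thread or from the Samba project: it parses the `gss_accept_sec_context` failure quoted above and reports which requested service principals are absent from a list of keytab principals. The principal list and the second log entry are constructed for illustration; the first entry is the one quoted in the thread, including the archive's " at " spelling of "@".

```python
import re
from collections import Counter

# Matches the failure text in the gse.c log entry. The list archive
# rewrites "@" as " at ", so both spellings are accepted.
GSE_MISS = re.compile(
    r"Failed to find (?P<service>[^/\s]+)/(?P<host>[^@\s]+?)"
    r"(?:@| at )(?P<realm>[^\s(]+)\s*\(kvno (?P<kvno>\d+)\)"
    r" in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)
# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (RC4).
LEGACY_ENCTYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}


def parse_keytab_misses(log_text):
    """Return one dict per 'Failed to find <SPN> ... in keytab' event."""
    # Mail and log wrapping can split the message, so collapse whitespace.
    flat = " ".join(log_text.split())
    events = []
    for m in GSE_MISS.finditer(flat):
        ev = m.groupdict()
        ev["kvno"] = int(ev["kvno"])
        ev["spn"] = f"{ev['service']}/{ev['host']}".lower()
        ev["legacy_enctype"] = ev["enctype"].lower() in LEGACY_ENCTYPES
        events.append(ev)
    return events


def missing_spns(events, keytab_principals):
    """Count requested SPNs that none of the keytab principals cover."""
    # Compare on the service/host part only, case-insensitively.
    have = {p.split("@", 1)[0].lower() for p in keytab_principals}
    return Counter(ev["spn"] for ev in events if ev["spn"] not in have)


# Constructed sample: the entry quoted in the thread, then a made-up entry
# using the unobfuscated "@" form, and a made-up keytab principal list.
SAMPLE_LOG = """\
[2019/09/26 12:06:18.715651,  1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find cifs/oldsamba at lan.corp(kvno 107) in keytab
MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba3@lan.corp(kvno 107) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
"""
SAMPLE_PRINCIPALS = ["cifs/fs1@LAN.CORP", "cifs/fs1.lan.corp@LAN.CORP", "host/fs1@LAN.CORP"]

if __name__ == "__main__":
    for spn, n in missing_spns(parse_keytab_misses(SAMPLE_LOG), SAMPLE_PRINCIPALS).items():
        print(f"{spn}: requested {n}x, not in keytab")
```
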