L.P.H. van Belle
2019-Nov-05 11:40 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Ok, you did too much, as far as I can tell.

You want to see this. I'll show my output, then it is easier to see what I mean.

This is where you start with:

klist -ke | sort   ( default member )
---- --------------------------------------------------------------------------
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (arcfour-hmac)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (des-cbc-crc)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (des-cbc-md5)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)

In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver.

/etc/hosts
127.0.0.1    localhost
192.168.0.1  hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld

Host format:
IP REAL_HOSTNAME_FQDN ALIAS ALIAS

Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through DNS.

ping mycrazyserver.internal.domain.tld will respond in its reply with hostname1.internal.domain.tld hostname1

If you add CIFS to your keytab you want to see:
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (arcfour-hmac)
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (des-cbc-crc)
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (des-cbc-md5)
( + what's above )

That's it..

So your output should look like this.

   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)   < double = wrong
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac)   < double = wrong
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-crc)   < double = wrong
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (des-cbc-md5)   < double = wrong
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

So try again. ;-)

Greetz,

Louis

________________________________

From: banda bassotti [mailto:bandabasotti@gmail.com]
Sent: Tuesday 5 November 2019 12:06
To: L.P.H. van Belle
CC: samba@lists.samba.org
Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

Luis, thank you very much. I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:

[2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Please pay attention to (kvno 113): the problem is here and not the keytab file.

klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)

To temporarily solve this problem I must extract the keytab of the oldsamba from the domain controller and import it with ktutil:

# ktutil
ktutil: rkt oldsamba.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1  112 cifs/oldsamba@DOM.CORP
   2  112 cifs/oldsamba@DOM.CORP
   3  112 cifs/oldsamba@DOM.CORP
   4  113 cifs/oldsamba@DOM.CORP
   5  113 cifs/oldsamba@DOM.CORP
   6  113 cifs/oldsamba@DOM.CORP

Please note the kvno column.

On Tue 5 Nov 2019 at 11:30, L.P.H. van Belle <belle@bazuin.nl> wrote:

Hai,

I've re-read your thread, and there are a few things going on..
I suggest you do the following..

Change these.

/etc/krb5.conf
[libdefaults]
    default_realm = DOM.CORP
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    kdc_timesync = 1
    debug = false

/etc/samba/smb.conf
[Global]
    workgroup = WG1
    realm = DOM.CORP
    # Netbios names in CAPS, see..
    # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
    # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
    # Verify in DNS the following: A - PTR records for the netbios name, setup CNAME for all alias-names,
    # point the CNAME to the A record of which the PTR also exists..
    netbios name = FS-A
    netbios aliases = OLDSAMBA
    security = ADS
    #
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes

ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
You run : net ads keytab

cp /etc/krb5.keytab{,.backup}
kinit Administrator
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P

Verify this keytab.
klist -ke /etc/krb5.keytab2

You want to see :
host/NETBIOSNAME@DOM.CORP ( x5 )
host/fqdn.hostname.dom.tld@DOM.CORP ( x5 )
NETBIOSNAME$@DOM.CORP ( x5 )

Once you see these.. then run this to add the cifs keytab.

KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$

Verify the keytab file again.
klist -ke /etc/krb5.keytab2

If it all looks good.

Stop all samba services
rm /etc/krb5.keytab .. ( a backup file is made if you followed above )
mv /etc/krb5.keytab2 /etc/krb5.keytab

That "should" do the trick..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of banda bassotti via samba
> Sent: Tuesday 5 November 2019 9:49
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
> hi, nothing to do, despite having set winbind not to change the machine
> password the behavior is the same. I do not know what to do. Other ideas?
>
> thnx.
>
> On Tue 29 Oct 2019 at 11:37, banda bassotti <bandabasotti@gmail.com> wrote:
>
> > Hi, the problem seems to be related to this bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=6750
> >
> > I try therefore to set
> >
> > machine password timeout = 0
> >
> > On Tue 29 Oct 2019 at 11:11, Rowland penny via samba <samba@lists.samba.org> wrote:
> >
> >> On 29/10/2019 10:04, banda bassotti wrote:
> >> > I had already done it:
> >> >
> >> > # samba-tool spn list newsamba\$
> >> > newsamba$
> >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> >> > servicePrincipalName:
> >> > HOST/NEWSAMBA
> >> > HOST/newsamba.domain.corp
> >> > cifs/oldsamba@DOMAIN.CORP
> >> > cifs/oldsamba.domain.corp@DOMAIN.CORP
> >>
> >> From your log fragment, it appears to be looking for
> >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to
> >> remove the lowercase version SPN and replace it with the uppercase
> >> version.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
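Two checks recur in this thread: Louis's "< double = wrong" marks against entries that appear twice in `klist -ke` output, and banda's point that the `gse.c` error names a kvno (113) that the keytab (all kvno 7) does not hold. The script below is an added example and is not code from the thread or from Samba; it runs offline over a constructed `klist -ke` listing and a constructed log line that mirror the ones above. On a real member server you would feed it the output of `klist -ke /etc/krb5.keytab` and the `gss_accept_sec_context failed` line from the smbd log instead.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Samba.
# It parses a `klist -ke` listing and a gse.c log line and reports
# (1) duplicate key entries and (2) whether the keytab holds the principal
# at the kvno the KDC encrypted the service ticket with.

# Constructed listing: one doubled entry (host/FS-A aes256) and the alias
# principal cifs/oldsamba present at kvno 7 only.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)'

# Constructed log line in the shape smbd prints from gse.c.
SAMPLE_LOG='gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]'

# Print every "<kvno> <principal> (<enctype>)" line that occurs more than
# once. These are the entries Louis marks "< double = wrong".
keytab_duplicates() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { $1 = $1; print }' | sort | uniq -d
}

# Print "<principal> <kvno>" taken from the "Failed to find ... (kvno N)" text.
log_missing_key() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed to find \([^ (]*\)(kvno \([0-9]*\)).*/\1 \2/p'
}

# Print the distinct kvno(s) the listing holds for one principal, e.g. "7".
keytab_kvnos() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the keytab holds the principal at the kvno the ticket was
# encrypted with; otherwise print a one-line diagnosis and return 1.
check_missing_key() {
    listing=$1
    set -- $(log_missing_key "$2")
    principal=$1 want=$2
    have=$(keytab_kvnos "$listing" "$principal")
    case " $have " in
        *" $want "*) return 0 ;;
    esac
    echo "$principal: ticket uses kvno $want, keytab holds kvno ${have:-none}"
    return 1
}

# Stand-alone run over the constructed data: duplicates, then the kvno check.
keytab_duplicates "$SAMPLE_KLIST" | sed 's/^/duplicate: /'
check_missing_key "$SAMPLE_KLIST" "$SAMPLE_LOG" || :
```

A principal that is present but only at a lower kvno than the error names means the KDC issued the ticket under a key version this keytab never received, so adding more copies of the same kvno 7 entries, as step 2 of the thread does, cannot make the lookup succeed; the file has to end up holding the key the DC is actually using for that SPN.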
banda bassotti
2019-Nov-05 12:17 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Luis, ok I've removed everything.

step 1:
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
klist -ke /etc/krb5.keytab2 | grep 7 | sort
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

step 2:
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP

klist
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

systemctl start nmbd smbd winbind

test from windows machine:
[2019/11/05 13:14:49.108879, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

On Tue 5 Nov 2019 at 12:40, L.P.H. van Belle <belle@bazuin.nl> wrote:
> Ok, you did too much, as far as I can tell.
L.P.H. van Belle
2019-Nov-05 12:43 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hai, Nope.. To much again ;-) This is one step to much: step2: # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP And why are you adding @REALM .. Do it exactly as shown below. Because a CNAME resolves to the REAL hostname it's A record, then Kerberos used the A of the real hostname and (might) verify the PTR also. So again and exactly as show, because your "Default realm" is used automaticly. kinit Administrator *(you see here: Password for Administrator at REALM: ) stop samba and related services. rm /etc/krb5.keytab2 rm /etc/krb5.keytab # i change the keytab to the needed name (/etc/krb5.keytab) KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P net ads keytab create cifs/$(hostname -f) Verify the output. klist -ke /etc/krb5.keytab | sort If you see the ALIAS hostname "oldsamba" again in the keytab file. Then removed from smb.conf : netbios aliases = OLDSAMBA Verify the DNS and make sure your realhostname does have the A and PTR records set. And remove all A/PTR related records to OLDSAMBA. Add the CNAME for OLDSAMBA and point to the realhostname. Restart samba, repeat above. Still failing.. Then get this script: https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh Run it, anonymize it and post the output. Greetz, Louis ________________________________ Van: banda bassotti [mailto:bandabasotti at gmail.com] Verzonden: dinsdag 5 november 2019 13:18 Aan: L.P.H. 
van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab Luis, ok I'v removed everything, step 1: KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P klist -ke /etc/krb5.keytab2|grep 7|sort 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (arcfour-hmac) 7 cifs/FS-A at DOM.CORP (des-cbc-crc) 7 cifs/FS-A at DOM.CORP (des-cbc-md5) 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac) 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc) 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5) 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96) 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96) 7 FS-A$@DOM.CORP (arcfour-hmac) 7 FS-A$@DOM.CORP (des-cbc-crc) 7 FS-A$@DOM.CORP (des-cbc-md5) 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 host/FS-A at DOM.CORP (arcfour-hmac) 7 host/FS-A at DOM.CORP (des-cbc-crc) 7 host/FS-A at DOM.CORP (des-cbc-md5) 7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) 7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) 7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac) 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc) 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5) step2: # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP klist 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (arcfour-hmac) 7 cifs/FS-A at DOM.CORP (des-cbc-crc) 7 cifs/FS-A at DOM.CORP (des-cbc-md5) 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) 7 
cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac) 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc) 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5) 7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/oldsamba$@DOM.CORP (arcfour-hmac) 7 cifs/oldsamba$@DOM.CORP (des-cbc-crc) 7 cifs/oldsamba$@DOM.CORP (des-cbc-md5) 7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/oldsamba at DOM.CORP (arcfour-hmac) 7 cifs/oldsamba at DOM.CORP (arcfour-hmac) 7 cifs/oldsamba at DOM.CORP (des-cbc-crc) 7 cifs/oldsamba at DOM.CORP (des-cbc-crc) 7 cifs/oldsamba at DOM.CORP (des-cbc-md5) 7 cifs/oldsamba at DOM.CORP (des-cbc-md5) 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96) 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96) 7 FS-A$@DOM.CORP (arcfour-hmac) 7 FS-A$@DOM.CORP (des-cbc-crc) 7 FS-A$@DOM.CORP (des-cbc-md5) 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 host/FS-A at DOM.CORP (arcfour-hmac) 7 host/FS-A at DOM.CORP (des-cbc-crc) 7 host/FS-A at DOM.CORP (des-cbc-md5) 7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) 7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) 7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac) 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc) 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5) systemctl start nmbd smbd winbind test from windows machine: [2019/11/05 13:14:49.108879, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] Il giorno mar 5 nov 2019 alle ore 12:40 L.P.H. van Belle <belle at bazuin.nl> ha scritto: Ok, you did to much as far i can tell. 
You want to see this: I'll show my output, then it is easier to see what I mean.

This is where you start from:

klist -ke | sort   ( default member )
---- --------------------------------------------------------------------------
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (arcfour-hmac)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (des-cbc-crc)
   3 host/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (des-cbc-md5)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)

In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver.

/etc/hosts
127.0.0.1   localhost
192.168.0.1 hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld

Host format:
IP REAL_HOSTNAME_FQDN ALIAS ALIAS

Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through DNS.

ping mycrazyserver.internal.domain.tld will respond in its reply with hostname1.internal.domain.tld hostname1

If you add CIFS to your keytab you want to see:
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (arcfour-hmac)
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (des-cbc-crc)
   3 cifs/hostname1.internal.domain.tld@REALM.DOMAIN.TLD (des-cbc-md5)
( + what's above )

That's it..

So your output should look like this.

   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)   < double = wrong
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac)   < double = wrong
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-crc)   < double = wrong
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (des-cbc-md5)   < double = wrong
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

So try again. ;-)

Greetz,

Louis

________________________________
From: banda bassotti [mailto:bandabasotti at gmail.com]
Sent: Tuesday, 5 November 2019 12:06
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

Luis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:

[2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

please pay attention to (kvno 113): the problem is here and not the keytab file.

klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)

to temporarily solve this problem I must extract the keytab of the oldsamba from the domain controller and import it with ktutil:

# ktutil
ktutil: rkt oldsamba.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1  112 cifs/oldsamba@DOM.CORP
   2  112 cifs/oldsamba@DOM.CORP
   3  112 cifs/oldsamba@DOM.CORP
   4  113 cifs/oldsamba@DOM.CORP
   5  113 cifs/oldsamba@DOM.CORP
   6  113 cifs/oldsamba@DOM.CORP

please note the kvno column.

On Tue, 5 Nov 2019 at 11:30, L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai,

I've re-read your thread, and there are a few things going on..
I suggest you do the following..

Change these.

/etc/krb5.conf
[libdefaults]
    default_realm = DOM.CORP
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
    proxiable = true
    kdc_timesync = 1
    debug = false

/etc/samba/smb.conf
[Global]
    workgroup = WG1
    realm = DOM.CORP
    # Netbios names in CAPS, see..
    # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
    # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
    # Verify in DNS the following: A - PTR records for the netbios name, set up a CNAME for all alias names,
    # point the CNAME to the A record of which the PTR also exists..
    netbios name = FS-A
    netbios aliases = OLDSAMBA
    security = ADS
    #
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes

ON THIS MEMBER... ( you don't run: samba-tool spn list ..... )
You run: net ads keytab

cp /etc/krb5.keytab{,.backup}
kinit Administrator
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P

Verify this keytab.
klist -ke /etc/krb5.keytab2

You want to see:
host/NETBIOSNAME@DOM.CORP ( x5 )
host/fqdn.hostname.dom.tld@DOM.CORP ( x5 )
NETBIOSNAME$@DOM.CORP ( x5 )

Once you see these.. Then run this to add the cifs keytab.

KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$

Verify the keytab file again.
klist -ke /etc/krb5.keytab2

If it all looks good.

Stop all samba services
rm /etc/krb5.keytab .. ( a backup file is made if you followed above )
mv /etc/krb5.keytab2 /etc/krb5.keytab

That "should" do the trick..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of banda bassotti via samba
> Sent: Tuesday, 5 November 2019 9:49
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
> hi, nothing to do, despite having set winbind not to change the machine
> password the behavior is the same. I do not know what to do.
> other ideas?
>
> thnx.
>
> On Tue, 29 Oct 2019 at 11:37, banda bassotti <bandabasotti at gmail.com> wrote:
>
> > Hi, the problem seems to be related to this bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=6750
> >
> > I try therefore to set
> >
> > machine password timeout = 0
> >
> > On Tue, 29 Oct 2019 at 11:11, Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 29/10/2019 10:04, banda bassotti wrote:
> >> > I had already done it:
> >> >
> >> > # samba-tool spn list newsamba\$
> >> > newsamba$
> >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> >> > servicePrincipalName:
> >> > HOST/NEWSAMBA
> >> > HOST/newsamba.domain.corp
> >> > cifs/oldsamba@DOMAIN.CORP
> >> > cifs/oldsamba.domain.corp@DOMAIN.CORP
> >>
> >> From your log fragment, it appears to be looking for
> >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to
> >> remove the lowercase version SPN and replace it with the uppercase
> >> version.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
>
Rowland penny
2019-Nov-05 12:55 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 05/11/2019 12:17, banda bassotti via samba wrote:
> Luis, ok I've removed everything, step 1:
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P

I have said this once already, but I will try again ;-)

You are creating a keytab, which may or may not be called /etc/krb5.keytab2

> step2:
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP

You then add to the keytab

> test from windows machine:
>
> [2019/11/05 13:14:49.108879, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Then something reads the keytab in memory and cannot find the required SPN, or to put it another way, whatever is trying to find the SPN isn't reading the keytab you created above, it is reading the one in memory.

I did ask just what you are doing, but never got an answer.

Rowland
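An added check for the error this thread keeps hitting (example script written for this page, not code from the thread or from Samba; the `klist -ke` output and the smbd log line it parses are constructed samples shaped like the ones posted above). It pulls the SPN and kvno out of the `Failed to find ... (kvno N) in keytab` line, looks that SPN up in `klist -ke` output, and reports whether the principal is absent, present but at another key version, or present with the version the ticket needs. It also lists keytab entries that occur twice, the "double = wrong" condition Louis points out above.

```shell
#!/bin/sh
# Added example: diagnose a Samba "Failed to find <SPN>(kvno N) in keytab"
# error against `klist -ke` output. All input below is constructed sample
# data modelled on the thread; feed real output as shown after the block.

# Constructed `klist -ke /etc/krb5.keytab` output (not real data). It carries
# one duplicated entry and has cifs/oldsamba at kvno 7, like the keytab above.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)'

# Constructed smbd log line of the same shape as the one in the thread.
LOG_SAMPLE='gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]'

# log_wanted LOGLINE -> "PRINCIPAL KVNO": the key the KDC encrypted the ticket with.
log_wanted() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed to find \([^ (]*\)(kvno \([0-9]*\)).*/\1 \2/p'
}

# keytab_kvnos PRINCIPAL < klist-output -> distinct kvnos the keytab holds for it.
keytab_kvnos() {
    awk -v p="$1" '$2 == p { print $1 }' | sort -un
}

# duplicate_entries < klist-output -> "KVNO PRINCIPAL ENCTYPE" lines seen twice.
# Only data rows qualify: three fields with a numeric kvno in the first.
duplicate_entries() {
    awk 'NF == 3 && $1 ~ /^[0-9]+$/ { print $1, $2, $3 }' | sort | uniq -d
}

# diagnose LOGLINE < klist-output -> one line:
#   missing-principal SPN               no key for the SPN in the keytab at all
#   kvno-mismatch SPN keytab=.. kdc=..  SPN present, but at another key version
#   ok SPN kvno=..                      keytab holds the version the ticket needs
diagnose() {
    set -- $(log_wanted "$1")
    princ=$1
    want=$2
    have=$(keytab_kvnos "$princ")
    if [ -z "$have" ]; then
        echo "missing-principal $princ"
    elif ! printf '%s\n' "$have" | grep -qx "$want"; then
        echo "kvno-mismatch $princ keytab=$(printf '%s' "$have" | tr '\n' ',') kdc=$want"
    else
        echo "ok $princ kvno=$want"
    fi
}

# Stand-alone demo on the constructed data.
printf '%s\n' "$KLIST_SAMPLE" | diagnose "$LOG_SAMPLE"
printf '%s\n' "$KLIST_SAMPLE" | duplicate_entries
```

On a live member the same functions take real input, for instance `klist -ke /etc/krb5.keytab | diagnose "$(grep -m1 'Failed to find' /var/log/samba/log.smbd)"` (log path assumed; the thread's smb.conf logs per client to `/var/log/samba/%m.log`). A `kvno-mismatch` result is the case in this thread: the kvno is the version of the account key the KDC used, so a keytab holding kvno 7 can never decrypt a ticket issued under kvno 113, no matter how often the keytab is regenerated from FS-A$'s credentials. The oldsamba keytab banda extracted shows kvno 112 and 113 for `cifs/oldsamba`, which points at the old computer account still holding that SPN; `net ads search '(servicePrincipalName=cifs/oldsamba*)' sAMAccountName` run on the member shows which account the KDC is actually resolving the SPN to.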
banda bassotti
2019-Nov-05 13:49 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
systemctl stop nmbd smbd winbind
rm -f /etc/krb5.keyatb*
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
net ads keytab create cifs/$(hostname -f)

klist -ke /etc/krb5.keytab | sort
---- --------------------------------------------------------------------------
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

systemctl start nmbd smbd winbind

# host oldsamba
oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2

$ kinit testuser
$ smbclient //oldsamba/testuser -k -c 'ls'
Unable to initialize messaging context
session setup failed: NT_STATUS_LOGON_FAILURE

[2019/11/05 14:32:18.863122, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2019/11/05 14:32:18.863192, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE

attached the samba-debug-info.txt

On Tue, 5 Nov 2019 at 13:43, L.P.H. van Belle <belle at bazuin.nl> wrote:
> Hai,
>
> Nope.. Too much again ;-)
>
> This is one step too much:
> step2:
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
>
> And why are you adding @REALM .. Do it exactly as shown below.
>
> Because a CNAME resolves to the REAL hostname's A record, Kerberos then uses the A record of the real hostname and (might) verify the PTR also.
>
> So again and exactly as shown, because your "default realm" is used automatically.
>
> kinit Administrator
> *(you see here: Password for Administrator@REALM: )
>
> stop samba and related services.
>
> rm /etc/krb5.keytab2
> rm /etc/krb5.keytab
>
> # i change the keytab to the needed name (/etc/krb5.keytab)
> KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>
> net ads keytab create cifs/$(hostname -f)
>
> Verify the output.
> klist -ke /etc/krb5.keytab | sort
>
> If you see the ALIAS hostname "oldsamba" again in the keytab file,
> then remove from smb.conf:
>
> netbios aliases = OLDSAMBA
>
> Verify the DNS and make sure your real hostname does have the A and PTR records set.
> And remove all A/PTR records related to OLDSAMBA.
> Add the CNAME for OLDSAMBA and point it to the real hostname.
>
> Restart samba, repeat above.
>
> Still failing..
> Then get this script:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> Run it, anonymize it and post the output.
>
> Greetz,
>
> Louis
>
> ________________________________
> From: banda bassotti [mailto:bandabasotti at gmail.com]
> Sent: Tuesday, 5 November 2019 13:18
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
> Luis, ok I've removed everything, step 1:
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
> klist -ke /etc/krb5.keytab2 | grep 7 | sort
>
>    7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>    7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>    7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>    7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (arcfour-hmac)
>    7 FS-A$@DOM.CORP (des-cbc-crc)
>    7 FS-A$@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (arcfour-hmac)
>    7 host/FS-A@DOM.CORP (des-cbc-crc)
>    7 host/FS-A@DOM.CORP (des-cbc-md5)
>    7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>
> step2:
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
>
> klist
>
>    7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>    7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>    7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>    7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
>    7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
>    7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
>    7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>    7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>    7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (arcfour-hmac)
>    7 FS-A$@DOM.CORP (des-cbc-crc)
>    7 FS-A$@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (arcfour-hmac)
>    7 host/FS-A@DOM.CORP (des-cbc-crc)
>    7 host/FS-A@DOM.CORP (des-cbc-md5)
>    7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>
> systemctl start nmbd smbd winbind
>
> test from windows machine:
>
> [2019/11/05 13:14:49.108879, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

-------------- next part --------------
Collected config  --- 2019-11-05-14:41 -----------

Hostname: fs-a
DNS Domain: dom.corp
FQDN: fs-a.dom.corp
ipaddress: 10.0.0.2

-----------
Kerberos SRV _kerberos._tcp.dom.corp record verified ok, sample output:
_kerberos._tcp.dom.corp has SRV record 0 100 88 ucsdc.dom.corp.
_kerberos._tcp.dom.corp has SRV record 0 100 88 ucs-gozzi-sl1.dom.corp.
Samba is running as a Unix domain member

-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------
This computer is running Debian 10.1 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b2:1b:04:2a:5f:7d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.10.21.255 scope global ens18
    inet6 fe80::b01b:4ff:fe2a:5f7d/64 scope link
3: ens19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 5a:dc:b7:6c:14:3c brd ff:ff:ff:ff:ff:ff

-----------
Checking file: /etc/hosts
127.0.0.1 localhost
10.0.0.2 fs-a.dom.corp fs-a oldsamba

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------
Checking file: /etc/resolv.conf
search dom.corp
nameserver 10.10.21.25
nameserver 10.10.20.87

-----------
Checking file: /etc/krb5.conf
[libdefaults]
    default_realm = DOM.CORP
    dns_lookup_realm = false
    dns_lookup_kdc = true
    forwardable = true
    proxiable = true
    kdc_timesync = 1
    debug = false

-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------
Checking file: /etc/samba/smb.conf
#
# 04/09/2019
#
[global]
   workgroup = DOM
   realm = DOM.CORP
   netbios name = FS-A
   netbios aliases = OLDSAMBA
   security = ADS
   logging = file
   log level = 1 auth_audit:3 winbind:5
   log file = /var/log/samba/%m.log
   idmap config *:backend = tdb
   idmap config *:range = 700001-800000
   idmap config DOM:backend = rid
   idmap config DOM:range = 10000-700000
   vfs objects = acl_xattr full_audit
   map acl inherit = Yes
   store dos attributes = Yes
   winbind separator = +
   winbind use default domain = yes
   winbind offline logon = yes
   winbind cache time = 86400
   winbind enum groups = yes
   winbind enum users = yes
   winbind expand groups = 1
   winbind refresh tickets = yes
   template homedir = /home/%U
   template shell = /bin/bash
   getwd cache = yes
   usershare allow guests = yes
   usershare path =
   username map = /etc/samba/user.map
   full_audit:failure=none
   full_audit:success=mkdir rmdir read pread write pwrite rename unlink
   full_audit:prefix=IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
   full_audit:facility=local7
   full_audit:priority=notice
   load printers = no
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab

[homes]
   comment = %U Home Directory
   browseable = No
   writable = Yes
   valid users = %S
   create mask = 0644
   directory mask = 0700
   available = yes
   path = /home/%S

[SHARES$]
   path = /share
   browseable = No
   writeable = yes
   nt acl support = yes
   valid users = @"dom+domain admins"

-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/user.map
!root = DOM\Administrator

Server Role is set to : auto

-----------
Installed packages:
ii  acl                         2.2.53-4                      amd64  access control list - utilities
ii  attr                        1:2.4.48-4                    amd64  utilities for manipulating filesystem extended attributes
ii  krb5-config                 2.6                           all    Configuration files for Kerberos Version 5
ii  krb5-locales                1.17-3                        all    internationalization support for MIT Kerberos
ii  krb5-user                   1.17-3                        amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64               2.2.53-4                      amd64  access control list - shared library
ii  libattr1:amd64              1:2.4.48-4                    amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64      1.17-3                        amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64             1.17-3                        amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64       1.17-3                        amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64        2:4.10.10+dfsg-0.1~buster~1   amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64        2:4.10.10+dfsg-0.1~buster~1   amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64          2:4.10.10+dfsg-0.1~buster~1   amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64          2:4.10.10+dfsg-0.1~buster~1   amd64  Samba winbind client library
ii  python3-samba               2:4.10.10+dfsg-0.1~buster~1   amd64  Python 3 bindings for Samba
ii  samba                       2:4.10.10+dfsg-0.1~buster~1   amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common                2:4.10.10+dfsg-0.1~buster~1   all    common files used by both the Samba server and client
ii  samba-common-bin            2:4.10.10+dfsg-0.1~buster~1   amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64    2:4.10.10+dfsg-0.1~buster~1   amd64  Samba Directory Services Database
ii  samba-libs:amd64            2:4.10.10+dfsg-0.1~buster~1   amd64  Samba core libraries
ii  samba-vfs-modules:amd64     2:4.10.10+dfsg-0.1~buster~1   amd64  Samba Virtual FileSystem plugins
ii  smbclient                   2:4.10.10+dfsg-0.1~buster~1   amd64  command-line SMB/CIFS clients for Unix
ii  winbind                     2:4.10.10+dfsg-0.1~buster~1   amd64  service to resolve user and group information from Windows NT servers
-----------
L.P.H. van Belle
2019-Nov-05 14:42 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Ok, your keytab looks ok now.

oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2

I would have expected here:

oldsamba.dom.corp is an alias for fs-a.dom.corp.
fs-a.dom.corp has address 10.0.0.2

Or was that a typo? I'm assuming a typo..

About your setup from the script output. Change this one.

/etc/hosts
10.0.0.2 fs-a.dom.corp fs-a oldsamba                    # Old/wrong
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba  # new/correct
Or
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp           # new/correct

Here I personally prefer:
10.0.0.2 fs-a.dom.corp fs-a
And add the cname to the DNS.

Why.. IP ALIAS1 ALIAS2.. Etc.., but what I didn't tell before.. (sorry)
ALIAS, if you use a "single label" alias-name, as in, only the hostname-alias without the domain part, then that hostname can/should only be used on the server, because it's missing the domain part.

I do the same here, this is how I use it.
( from a 4.11.2 member to a .. yes 3.6.x server, I still have one running.. :-/ )
smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
-k won't work here, don't ask why, that I don't know.

To a 4.8+ member I use:
smbclient //somealias/sharename -c 'ls'

/etc/samba/smb.conf
You can remove these after testing, or set to no and use getent passwd/group username/groupname if you want to see the groups.
winbind enum groups = yes
winbind enum users = yes

Why is this used: getwd cache = yes ?
For my understanding, I think you can remove it, because this should be handled differently in samba4.

You're allowing: usershare allow guests = yes
but you disable the share location: usershare path =
Or use it or disable it, now it's?? you tell me.. ;-)

But beside the above points your setup looks pretty good.

@Rowland, this might help you understanding my response on this one.

> You are creating a keytab, which may or may not be called /etc/krb5.keytab2
                                                                           ^^^^^^^^
was only used to not accidentally destroy his old keytab file. But since it's replaced anyway now.
Ps, keytab name is not significant. What is significant is what is set for:
default_keytab_name in krb5.conf
Which of course defaults to FILE:/etc/krb5.keytab

> > Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> Then something reads the keytab in memory and cannot find the
> required SPN, or to put it another way, whatever is trying to find the
> SPN isn't reading the keytab you created above, it is reading the one in memory.

Ok, this part above, yes, you're right, it's reading in memory, but to my belief, from: kerberos method = secrets and keytab, and as far as I know "secrets" = MEMORY.
But ask yourself, why is it using the "oldsamba" name if he is using oldsamba as alias name.
That's the key here, so conclusion: resolving problems/incorrectly set up.

So therefore I'm saying (typed this before I got the script output):
OLDSAMBA is still in /etc/hosts but before the new hostname, or it still has a DNS A record.
Or samba is also using the NetBIOS alias names while creating keytab entries. ... And this should in my opinion not happen, so let's wait what comes back.
AND his keytab file is still incorrectly set up.

And as I saw in the debug script output, I'm betting now on /etc/hosts that needs fixing.

Resume.
Change:
/etc/hosts
# this line to:
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
# Or
10.0.0.2 fs-a.dom.corp fs-a   # preferred, and set up CNAME in DNS.

Reboot the server or "stop/start" samba (don't restart)!

Verify the hostname-alias
hosts oldhostname.dom.corp
hosts oldhostname

And try again.

Greetz,

Louis

________________________________
From: banda bassotti [mailto:bandabasotti at gmail.com]
Sent: Tuesday 5 November 2019 14:49
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

systemctl stop nmbd smbd winbind
rm -f /etc/krb5.keytab*
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
net ads keytab create cifs/$(hostname -f)

klist -ke /etc/krb5.keytab | sort
---- --------------------------------------------------------------------------
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

systemctl start nmbd smbd winbind

# host oldsamba
oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2

$ kinit testuser
$ smbclient //oldsamba/testuser -k -c 'ls'
Unable to initialize messaging context
session setup failed: NT_STATUS_LOGON_FAILURE

[2019/11/05 14:32:18.863122, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2019/11/05 14:32:18.863192, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE

attached the samba-debug-info.txt

On Tue 5 Nov 2019 at 13:43 L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai,

Nope.. Too much again ;-)

This is one step too much:
step2:
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP

And why are you adding @REALM ..
Do it exactly as shown below.

Because a CNAME resolves to the REAL hostname's A record, then Kerberos uses the A of the real hostname and (might) verify the PTR also.

So again and exactly as shown, because your "Default realm" is used automatically.

kinit Administrator
*(you see here: Password for Administrator@REALM: )

stop samba and related services.
rm /etc/krb5.keytab2
rm /etc/krb5.keytab
# I change the keytab to the needed name (/etc/krb5.keytab)
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
net ads keytab create cifs/$(hostname -f)

Verify the output.
klist -ke /etc/krb5.keytab | sort

If you see the ALIAS hostname "oldsamba" again in the keytab file, then remove from smb.conf:
netbios aliases = OLDSAMBA

Verify the DNS and make sure your real hostname does have the A and PTR records set.
And remove all A/PTR related records to OLDSAMBA.
Add the CNAME for OLDSAMBA and point to the real hostname.
Restart samba, repeat above.

Still failing.. Then get this script:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Run it, anonymize it and post the output.

Greetz,

Louis

________________________________
From: banda bassotti [mailto:bandabasotti at gmail.com]
Sent: Tuesday 5 November 2019 13:18
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

Luis, ok I've removed everything,

step 1:
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
klist -ke /etc/krb5.keytab2|grep 7|sort
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

step2:
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP

klist
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

systemctl start nmbd smbd winbind

test from windows machine:
[2019/11/05 13:14:49.108879, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

On Tue 5 Nov 2019 at 12:40 L.P.H. van Belle <belle at bazuin.nl> wrote:

Ok, you did too much as far as I can tell.

You want to see this: I'll show my output, then it is better to see what I mean.

This is where you start with.
klist -ke |sort ( default member )
---- --------------------------------------------------------------------------
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)

In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver.

/etc/hosts
127.0.0.1 localhost
192.168.0.1 hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld

Host format: IP REAL_HOSTNAME_FQDN ALIAS ALIAS

Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through dns.
ping mycrazyserver.internal.domain.tld will respond its reply with hostname1.internal.domain.tld hostname1

If you add CIFS to your keytab you want to see:
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
( + what's above )

That's it..

So your output should look like this.
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)   < double = wrong
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac)   < double = wrong
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-crc)   < double = wrong
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (des-cbc-md5)   < double = wrong
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

So try again. ;-)

Greetz,

Louis

________________________________
From: banda bassotti [mailto:bandabasotti at gmail.com]
Sent: Tuesday 5 November 2019 12:06
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

Luis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:

[2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

please pay attention to (kvno 113) the problem is here and not the keytab file.

klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)

to temporarily solve this problem I must extract the keytab of the oldsamba from the domain controller and import with ktutil:

# ktutil
ktutil: rkt oldsamba.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1  112 cifs/oldsamba@DOM.CORP
   2  112 cifs/oldsamba@DOM.CORP
   3  112 cifs/oldsamba@DOM.CORP
   4  113 cifs/oldsamba@DOM.CORP
   5  113 cifs/oldsamba@DOM.CORP
   6  113 cifs/oldsamba@DOM.CORP

please note the kvno column.

On Tue 5 Nov 2019 at 11:30 L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai,

I've re-read your thread, and there are a few things going on..
I suggest you do the following..

Change these.

/etc/krb5.conf
[libdefaults]
default_realm = DOM.CORP
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
kdc_timesync = 1
debug = false

/etc/samba/smb.conf
[Global]
workgroup = WG1
realm = DOM.CORP
# Netbios names in CAPS, see..
# https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
# https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
# Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names,
# point CNAME to the A record of which the PTR also exists..
netbios name = FS-A
netbios aliases = OLDSAMBA
security = ADS
#
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes

ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
You run : net ads keytab

cp /etc/krb5.keytab{,.backup}
kinit Administrator
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P

Verify this keytab.
klist -ke /etc/krb5.keytab2

You want to see:
host/NETBIOSNAME@DOM.CORP ( x5 )
host/fqdn.hostname.dom.tld@DOM.CORP ( x5 )
NETBIOSNAME$@DOM.CORP ( x5 )

If you see these.. Then run this to add the cifs keytab.
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$

Verify the keytab file again.
klist -ke /etc/krb5.keytab2

If it all looks good.
Stop all samba services
rm /etc/krb5.keytab .. ( a backup file is made if you followed above )
mv /etc/krb5.keytab2 /etc/krb5.keytab

That "should" do the trick..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> banda bassotti via samba
> Sent: Tuesday 5 November 2019 9:49
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp
> (kvno 109) in keytab
>
> hi, nothing to do, despite having set winbind not to change
> the machine
> password the behavior is the same. I do not know what to do.
> other ideas?
>
> thnx.
> > On Tue 29 Oct 2019 at 11:37 banda bassotti <bandabasotti at gmail.com> wrote:
> >
> > Hi, the problem seems to be related to this bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=6750
> >
> > I try therefore to set
> >
> > machine password timeout = 0
> >
> > On Tue 29 Oct 2019 at 11:11 Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 29/10/2019 10:04, banda bassotti wrote:
> >> > I had already done it:
> >> >
> >> > # samba-tool spn list newsamba\$
> >> > newsamba$
> >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> >> > servicePrincipalName:
> >> > HOST/NEWSAMBA
> >> > HOST/newsamba.domain.corp
> >> > cifs/oldsamba@DOMAIN.CORP
> >> > cifs/oldsamba.domain.corp@DOMAIN.CORP
> >>
> >> From your log fragment, it appears to be looking for
> >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to
> >> remove the lowercase version SPN and replace it with the uppercase
> >> version.
> >>
> >> Rowland
> >>
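As an added check (not from the thread and not part of Samba), the POSIX shell script below applies the rules Louis spells out above to a saved `klist -ke` listing: every entry should appear once, the service principals should name only the real NetBIOS name and FQDN, the expected host/, cifs/ and machine-account principals should all be present, and the kvno in a "Failed to find ... (kvno N)" log line can be compared with what the keytab actually holds; it also checks an /etc/hosts line against the "IP REAL_HOSTNAME_FQDN ALIAS" layout. The names FS-A, fs-a.dom.corp and DOM.CORP are the thread's values; the listing and log line embedded in the script are constructed samples modelled on the thread's output, with one duplicated entry and one alias SPN left in deliberately so the checks have something to report.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: sanity-check a
# member server's keytab listing the way Louis describes. Save the real
# listing with:  klist -ke /etc/krb5.keytab > /tmp/keytab.txt
# Principal lines may use "@" or the mailing-list archive form " at ".

# Constructed sample listing (mirrors the thread's FS-A / fs-a.dom.corp /
# DOM.CORP values, with a deliberate duplicate and an alias SPN).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)'

# The error line from the thread, used as sample input for the kvno check.
SAMPLE_LOG='gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]'

# Print "kvno principal enctype" for each key entry of a klist -ke listing
# (file given as $1); header and separator lines are skipped.
keytab_entries() {
    sed 's/ at /@/' "$1" |
        awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $3); print $1, $2, $3 }'
}

# Entries present more than once: the "< double = wrong" case.
keytab_duplicates() {
    keytab_entries "$1" | sort | uniq -d
}

# Expected principals for NetBIOS name $2, FQDN $3, realm $4; prints each
# one that has no key at all in the listing.
keytab_missing() {
    have=$(keytab_entries "$1" | awk '{ print $2 }' | sort -u)
    for p in "host/$2@$4" "host/$3@$4" "$2\$@$4" "cifs/$2@$4" "cifs/$3@$4"; do
        printf '%s\n' "$have" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# Service principals (svc/host@REALM) whose host part is neither the
# NetBIOS name ($2) nor the FQDN ($3): an alias such as OLDSAMBA has
# leaked into the keytab. Comparison is case-insensitive.
keytab_foreign() {
    keytab_entries "$1" | awk -v nb="$2" -v fqdn="$3" '
        index($2, "/") {
            host = substr($2, index($2, "/") + 1); sub(/@.*$/, "", host)
            if (tolower(host) != tolower(nb) && tolower(host) != tolower(fqdn))
                seen[$2] = 1
        }
        END { for (p in seen) print p }' | sort
}

# Compare the kvno a client ticket was issued for (taken from a Samba log
# line, $2) with the kvno(s) the keytab ($1) holds for that principal.
keytab_kvno_mismatch() {
    line=$(printf '%s\n' "$2" | sed 's/ at /@/')
    princ=$(printf '%s\n' "$line" | sed -n 's/.*Failed to find \([^ (]*\) *(kvno \([0-9]*\)).*/\1/p')
    want=$(printf '%s\n' "$line" | sed -n 's/.*Failed to find \([^ (]*\) *(kvno \([0-9]*\)).*/\2/p')
    have=$(keytab_entries "$1" | awk -v p="$princ" \
        '$2 == p && !s[$1]++ { out = out (out == "" ? "" : " ") $1 } END { print out }')
    printf '%s wanted kvno %s, keytab has kvno: %s\n' "$princ" "$want" "${have:-none}"
}

# Check one /etc/hosts line ($1) against the "IP REAL_FQDN ALIAS ..." layout:
# the first name after the address must be the real FQDN ($2).
hosts_line_check() {
    first=$(printf '%s\n' "$1" | awk '{ print $2 }')
    [ "$first" = "$2" ] && echo ok || echo "first name is $first, expected $2"
}

# Demo on the constructed sample (a real run would point at /tmp/keytab.txt).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_KLIST" > "$tmp"
echo "duplicates:";  keytab_duplicates "$tmp"
echo "missing:";     keytab_missing "$tmp" FS-A fs-a.dom.corp DOM.CORP
echo "alias SPNs:";  keytab_foreign "$tmp" FS-A fs-a.dom.corp
keytab_kvno_mismatch "$tmp" "$SAMPLE_LOG"
hosts_line_check "10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp" fs-a.dom.corp
rm -f "$tmp"
```

On the sample the script reports the doubled host/FS-A entry, the missing cifs/FS-A@DOM.CORP key, cifs/oldsamba@DOM.CORP as an alias SPN, and that the client asked for kvno 113 while the keytab only holds kvno 7 for that principal, which is exactly the combination the thread's log lines describe. A keytab that passes all four checks and an /etc/hosts line that passes the fifth matches the layout Louis asks for; the kvno check is the one to run first, since a kvno gap means the DC has rotated the key for that SPN more often than the keytab on the member has been regenerated.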