Hello,

I am using Samba as file server as member of a windows domain.
Kerberos is configured with

  kerberos method = secrets and keytab

Currently some (not all) users get issues when connecting to samba shares from windows.
In the corresponding samba logs I found entries:
....
[2020/07/23 12:08:06.697678, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/lpeda1.muc@EUROPE.BMW.CORP(kvno 26) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2020/07/23 12:08:06.698028, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
...

But when I run

  net ads keytab list | fgrep 26 | fgrep cifs/lpeda1.muc@EUROPE.BMW.CORP | fgrep aes256-cts-hmac-sha1-96

I get the output

  26 aes256-cts-hmac-sha1-96 cifs/lpeda1.muc@EUROPE.BMW.CORP

So the entry is available in the Kerberos keytab, but why does samba fail to find this entry? And why does it work for most users and only some users have this issue?

I have restarted samba and cleared all caches, but this does not help.

Kind regards

Georg
Try

  net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator

And I hope this is not your hostname: lpeda1.muc
Because that's a domain name.

Also make sure you check the resolving of the A and PTR records.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Georg.Biberger--- via samba
> Sent: Thursday 23 July 2020 12:29
> To: samba@lists.samba.org
> Subject: [Samba] Issue with Keytab memory
>
> Hello,
>
> I am using Samba as file server as member of a windows domain.
> Kerberos is configured with kerberos method = secrets and keytab
>
> Currently some (not all) users get issues when connecting to samba shares from windows.
> In the corresponding samba logs I found entries:
> ....
> [2020/07/23 12:08:06.697678, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/lpeda1.muc@EUROPE.BMW.CORP(kvno 26) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2020/07/23 12:08:06.698028, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> ...
>
> But when I run
>   net ads keytab list | fgrep 26 | fgrep cifs/lpeda1.muc@EUROPE.BMW.CORP | fgrep aes256-cts-hmac-sha1-96
> I get the output
>   26 aes256-cts-hmac-sha1-96 cifs/lpeda1.muc@EUROPE.BMW.CORP
>
> So the entry is available in the Kerberos keytab, but why does samba fail to find this entry? And why does it work for most users and only some users have this issue?
>
> I have restarted samba and cleared all caches, but this does not help.
>
> Kind regards
>
> Georg
On 23/07/2020 11:28, Georg.Biberger--- via samba wrote:
> Hello,
>
> I am using Samba as file server as member of a windows domain.
> Kerberos is configured with kerberos method = secrets and keytab
>
> Currently some (not all) users get issues when connecting to samba shares from windows.
> In the corresponding samba logs I found entries:
> ....
> [2020/07/23 12:08:06.697678, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/lpeda1.muc@EUROPE.BMW.CORP(kvno 26) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2020/07/23 12:08:06.698028, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> ...
>
> But when I run
>   net ads keytab list | fgrep 26 | fgrep cifs/lpeda1.muc@EUROPE.BMW.CORP | fgrep aes256-cts-hmac-sha1-96
> I get the output
>   26 aes256-cts-hmac-sha1-96 cifs/lpeda1.muc@EUROPE.BMW.CORP
>
> So the entry is available in the Kerberos keytab, but why does samba fail to find this entry? And why does it work for most users and only some users have this issue?
>
> I have restarted samba and cleared all caches, but this does not help.
>
> Kind regards
>
> Georg

'secrets and keytab' means look in secrets.tdb first, then in the system keytab.

It looks like the required key isn't in the keytab.

What OS is this?

What Samba version?

Can you please post your smb.conf.

Rowland
Hello,

> 'secrets and keytab' means look in secrets.tdb first, then in the system keytab.
>
> It looks like the required key isn't in the keytab.
>
> What OS is this?
>
> What Samba version?
>
> Can you please post your smb.conf.
>
> Rowland

Currently using Samba 4.10.6 on a LINUX SLES 11 box. (We are currently migrating to SLES 12, but this needs some weeks more.)

smb.conf attached.

Kind regards

Georg
Hi Louis,

> Try
>
>   net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator
>
> And I hope this is not your hostname: lpeda1.muc
> Because that's a domain name.
>
> Also make sure you check the resolving of the A and PTR records.
>
> Greetz,
>
> Louis

My hostname is lpeda1!
hostname returns "lpeda1"
hostname -f returns "lpeda1.muc".

Is this OK for "net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator"?

Kind regards

Georg
No sorry, it's wrong.

There are rules to follow to make sure your servers work as they should.
This is covered in the internet standards: Request For Change (RFC).
And per example, these 2 shown RFCs involve the "example" setups.
https://tools.ietf.org/html/rfc2606
https://tools.ietf.org/html/rfc6761

Domain name choices for these examples/howtos:
- StandAlone: Home use: private.example
- StandAlone/Internet/business use: example.tld
- Office domain name: office.example.tld

! Don't use .local or .lan, these are reserved names for Apple's mDNS.
See: https://en.wikipedia.org/wiki/.local and https://tools.ietf.org/html/rfc6762

Other good articles with examples:
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx

And a security consideration: https://www.us-cert.gov/ncas/alerts/TA16-144A (Leaking DNS info)

And since most of my howtos will involve an Active Directory, this is a must read:
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

And looking at table 6.2 here:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959336(v=technet.10)

Example of "labels" as mentioned in table 6.2:
hostname(=label).office(=label).example(=label).tld(=label)

When you combine these rules, we end up with something like this example:
hostname.office.example.tld

We want to set it up so it's compatible with any setup.
- hostname: min 1, max 15 characters, a-Z, 0-9, -
- DNS domain name: max total FQDN 254 characters, including the dots.
  And 254-15 results in 239 characters left for the domain.tld part.
The FQDN for an Active Directory domain name is limited to 64 bytes, including the dots.
An Active Directory server name example: s4ad01.office.example.tld

I recommend to remove the server from the samba domain, with:

  net ads remove

Change the hostname on the server, check the DNS A and PTR records, remove/add the correct ones.
Reboot the member, verify logs and everything on the old name. Correct that.
Reboot, verify logs again, error free?
Now you can join samba again.
Then run the command shown and cifs will work.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Georg.Biberger--- via samba
> Sent: Thursday 23 July 2020 14:06
> To: samba@lists.samba.org
> Subject: Re: [Samba] Issue with Keytab memory
>
> Hi Louis,
>
> > Try
> >
> >   net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator
> >
> > And I hope this is not your hostname: lpeda1.muc
> > Because that's a domain name.
> >
> > Also make sure you check the resolving of the A and PTR records.
> >
> > Greetz,
> >
> > Louis
>
> My hostname is lpeda1!
> hostname returns "lpeda1"
> hostname -f returns "lpeda1.muc".
>
> Is this OK for "net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator"?
>
> Kind regards
>
> Georg
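As an added example (not Louis's script and not anything from the Samba project), the following POSIX shell checker applies the naming rules listed in the message above to a candidate member-server FQDN before a rejoin: hostname label of 1 to 15 characters from a-z, 0-9 and "-", whole FQDN at most 254 characters including dots, domain part at most 64 bytes, no .local or .lan suffix, and at least three labels so that a two-label name like lpeda1.muc is flagged as a domain name rather than hostname.domain.tld. It also adds a forward/reverse (A and PTR) round-trip check via getent, which is the same consistency Louis asks to verify. The function names check_fqdn and check_dns_roundtrip, the sample names, and the three-label requirement are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: check a member server's FQDN
# against the naming rules listed above, then (optionally) its DNS A/PTR
# round trip. check_fqdn prints one "FAIL: ..." line per violated rule
# and returns 0 only when every rule passes.

check_fqdn() {
    fqdn=$1
    rc=0

    # Whole FQDN, dots included, must not exceed 254 characters.
    if [ ${#fqdn} -gt 254 ]; then
        echo "FAIL: '$fqdn' is longer than 254 characters"
        rc=1
    fi

    host=${fqdn%%.*}      # first label = hostname
    domain=${fqdn#*.}     # everything after the first dot = DNS domain

    # A host in a domain needs hostname.domain.tld, i.e. at least three
    # labels. Two labels (like lpeda1.muc) read as a bare domain name.
    case $fqdn in
        *.*.*) ;;
        *) echo "FAIL: '$fqdn' has fewer than three labels; expected hostname.domain.tld"
           rc=1 ;;
    esac

    # Hostname label: 1 to 15 characters, only a-z, A-Z, 0-9 and '-'.
    if [ ${#host} -lt 1 ] || [ ${#host} -gt 15 ]; then
        echo "FAIL: hostname '$host' must be 1-15 characters"
        rc=1
    fi
    case $host in
        *[!A-Za-z0-9-]*) echo "FAIL: hostname '$host' contains characters outside a-z, 0-9, -"
                         rc=1 ;;
    esac

    # AD domain FQDN (the part after the hostname) is limited to 64 bytes.
    # ${#domain} counts characters; for the ASCII labels allowed here that
    # equals bytes (assumption of this example).
    if [ "$domain" != "$fqdn" ] && [ ${#domain} -gt 64 ]; then
        echo "FAIL: domain part '$domain' is longer than 64 bytes"
        rc=1
    fi

    # .local and .lan are reserved for mDNS (RFC 6762); do not use them for AD.
    case $fqdn in
        *.local|*.lan) echo "FAIL: '$fqdn' ends in a suffix reserved for mDNS"
                       rc=1 ;;
    esac

    return $rc
}

# Forward (A/AAAA) and reverse (PTR) consistency through the system resolver.
# Needs a working resolver, so it is not exercised by the offline checks.
check_dns_roundtrip() {
    fqdn=$1
    addr=$(getent hosts "$fqdn" | awk 'NR==1 {print $1}')
    if [ -z "$addr" ]; then
        echo "FAIL: no address record for $fqdn"
        return 1
    fi
    rev=$(getent hosts "$addr" | awk 'NR==1 {print $2}')
    if [ "$rev" != "$fqdn" ]; then
        echo "FAIL: PTR for $addr is '$rev', expected '$fqdn'"
        return 1
    fi
    echo "OK: $fqdn <-> $addr"
    return 0
}

# Usage: sh check_names.sh s4ad01.office.example.tld lpeda1.muc
# Each argument is checked against the naming rules; DNS is only queried
# for names that pass them.
if [ $# -gt 0 ]; then
    for name in "$@"; do
        if check_fqdn "$name"; then
            echo "OK: $name passes the naming rules"
            check_dns_roundtrip "$name"
        fi
    done
fi
```

Run it on the intended new name before `net ads remove` and again after the hostname change and reboot; a name that passes check_fqdn but fails check_dns_roundtrip points at the A or PTR record that still needs fixing.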