Jeremy Monnet
2021-May-06 10:26 UTC
[Samba] Keytab MEMORY:cifs_srv_keytab is nonexistent or empty
Hello,

We have just upgraded a RHEL 7 to RHEL 8 virtual machine with samba providing CIFS shares. We already had a hard time setting up sssd to authenticate against the AD 2012R2 (we followed https://access.redhat.com/solutions/5728591 )

Now our keytab is fine (enough fine to allow AD users to authenticate) but we cannot mount samba CIFS shares, with this message in logs :

    [2021/05/06 12:03:35.664983, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
      daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
    [2021/05/06 12:04:04.508781, 0] ../../source3/librpc/crypto/gse.c:606(gse_init_server)
      smb_gss_krb5_import_cred failed with [Unspecified GSS failure. Minor code may provide more information: Keytab MEMORY:cifs_srv_keytab is nonexistent or empty]
    [2021/05/06 12:04:04.511756, 0] ../../source3/librpc/crypto/gse.c:606(gse_init_server)
      smb_gss_krb5_import_cred failed with [Unspecified GSS failure. Minor code may provide more information: Keytab MEMORY:cifs_srv_keytab is nonexistent or empty]

smb.conf looks like :

    [global]
    kerberos method = secrets and keytab
    template homedir = /home/%U@%D
    template shell = /bin/bash
    security = user
    idmap config REALM : schema_mode = rfc2307
    idmap config REALM : range = 500-999999
    idmap config REALM : backend = ad
    idmap config * : range = 10000000-10999999
    idmap config * : backend = tdb
    winbind use default domain = no
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum groups = no
    winbind enum users = no

    [Share Tech]
    path = /nfs
    comment = partage nfs
    read only = no
    guest ok = no
    public = yes
    create mask = 0775
    directory mask = 0775
    valid users = @Groups

I haven't been able to figure what this issue might be ? In case selinux would be implied I tried https://www.linuxquestions.org/questions/linux-server-73/error-connecting-to-linux-samba-server-from-windows-clients-4175627094/

    chcon -t smbd_tmp_t /var/tmp/host_0

with no success.

Thanks for your help,

Jeremy
Rowland penny
2021-May-06 10:42 UTC
[Samba] Keytab MEMORY:cifs_srv_keytab is nonexistent or empty
On 06/05/2021 11:26, Jeremy Monnet via samba wrote:
> Hello,
>
> We have just upgraded a RHEL 7 to RHEL 8 virtual machine with samba
> providing CIFS shares. We already had a hard time setting up sssd to
> authenticate against the AD 2012R2 (we followed
> https://access.redhat.com/solutions/5728591 )

That link is behind a 'paywall' (or similar), but you mention 'samba', 'shares' and 'sssd' in the same sentence, are you aware that you can no longer use sssd with Samba and shares ?

>
> Now our keytab is fine (enough fine to allow AD users to authenticate)
> but we cannot mount samba CIFS shares, with this message in logs :
> [2021/05/06 12:03:35.664983, 0]
> ../../lib/util/become_daemon.c:136(daemon_ready)
> daemon_ready: daemon 'smbd' finished starting up and ready to serve
> connections
> [2021/05/06 12:04:04.508781, 0]
> ../../source3/librpc/crypto/gse.c:606(gse_init_server)
> smb_gss_krb5_import_cred failed with [Unspecified GSS failure.
> Minor code may provide more information: Keytab MEMORY:cifs_srv_keytab
> is nonexistent or empty]
> [2021/05/06 12:04:04.511756, 0]
> ../../source3/librpc/crypto/gse.c:606(gse_init_server)
> smb_gss_krb5_import_cred failed with [Unspecified GSS failure.
> Minor code may provide more information: Keytab MEMORY:cifs_srv_keytab
> is nonexistent or empty]
>
> smb.conf looks like :
> [global]
> kerberos method = secrets and keytab
> template homedir = /home/%U@%D
> template shell = /bin/bash
> security = user

For a Unix domain member, it should be 'security = ADS'

> idmap config REALM : schema_mode = rfc2307
> idmap config REALM : range = 500-999999
> idmap config REALM : backend = ad

I take it that you do not have any local Unix users, and it should be 'DOMAIN' not 'REALM'

> idmap config * : range = 10000000-10999999
> idmap config * : backend = tdb

The default domain '*' is meant for the 'Well Known SIDs' (there are less than 200 of those) and anything outside the 'DOMAIN', your default range is a bit excessive ?

> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> [Share Tech]
> path = /nfs
> comment = partage nfs
> read only = no
> guest ok = no
> public = yes

'guest ok' and 'public' are the same, and you have it as the default 'no', then 'yes'. Not that it matters because you do not have 'map to guest = yes' in global, so you will not get guest access.

> create mask = 0775
> directory mask = 0775
> valid users = @Groups
>
>
> I haven't been able to figure what this issue might be ? In case
> selinux would be implied I tried
> https://www.linuxquestions.org/questions/linux-server-73/error-connecting-to-linux-samba-server-from-windows-clients-4175627094/
> chcon -t smbd_tmp_t /var/tmp/host_0 with no success.
>
> Thanks for your help,
>
> Jeremy
>

Rowland
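
The configuration points raised in the reply above can be checked mechanically. The following is an added example, not code from either poster or from the Samba project: a small smb.conf reviewer run over a shortened, constructed copy of the posted configuration. The function names and the workgroup name `EXAMPLE` are assumptions made for illustration.

```python
import re

# Constructed sample: a shortened copy of the smb.conf posted in the thread.
SAMPLE = """\
[global]
    kerberos method = secrets and keytab
    security = user
    idmap config REALM : range = 500-999999
    idmap config REALM : backend = ad
    idmap config * : range = 10000000-10999999
    idmap config * : backend = tdb
[Share Tech]
    guest ok = no
    public = yes
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and extra whitespace
            current.append((" ".join(key.lower().split()), value.strip()))
    return sections

def review(text, workgroup):
    """Flag the points from the reply; workgroup is the short domain name (assumed)."""
    findings = []
    conf = parse_smb_conf(text)
    glob = dict(conf.get("global", []))
    if glob.get("security", "").lower() != "ads":
        findings.append("global: security should be ADS for a domain member")
    domains = {k.split()[2].rstrip(":") for k in glob if k.startswith("idmap config ")}
    for d in sorted(domains - {"*", workgroup.lower()}):
        findings.append(f"global: idmap config '{d}' does not match domain '{workgroup}'")
    for name, items in conf.items():
        guest = {v.lower() for k, v in items if k in ("guest ok", "public")}
        if len(guest) > 1:  # 'public' is a synonym of 'guest ok'
            findings.append(f"{name}: 'guest ok' and 'public' set to conflicting values")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE, "EXAMPLE")))
```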