L.P.H. van Belle
2021-Dec-29 14:07 UTC
[Samba] Domain admin can't access share on samba dm-server
First..

Use FQDN's in your shares.

Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

klist -ke shows? Can you show the full output.

For cifs (and nfs) you need the spn format like this.
cifs/hostname.internal.domain.tld@REALM.TLD
(net ads adds the REALM part automatically)

If your host is using a CNAME for cifs then you need to add
cifs/cname.internal.domain.tld@REALM.TLD also

And it's really advised to give these servers a PTR record.

How I do it.
And ALWAYS backup your krb5.keytab file first.
Don't know why sometimes (in my case) the KVNO is off.
When that happens I restore the original keytab file.

cp /etc/krb5.keytab{,.backup}
kinit Administrator
net ads keytab add_update_ads cifs/$(hostname -f)

Removing wrong entries I do like this, and maybe someone has better ideas on this, please add it..

!! MAKE THAT BACKUP FIRST !!
ktutil
rkt /etc/krb5.keytab
? For help.
wkt /etc/krb5.keytab.new

cp /etc/krb5.keytab.new /etc/krb5.keytab

!! If you write the keytab as shown above directly into /etc/krb5.keytab
you get everything double.

When you use delent nr and you have 1-40 entries. Let's say entry 21 to 40 are wrong.
delent 21 << only one you need.. Just repeat it until it's all gone.

Hope this helped a bit.

Ps. I'm picky but..
> idmap config buero:range = 10000-99999
> idmap config buero:backend = rid

buero should be BUERO
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
Points to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nbte/6f06fa0e-1dc4-4c41-accb-355aaf20546d
Quote from that last page: NetBIOS names are inherently case-sensitive.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Wednesday, 29 December 2021 13:03
> To: samba
> Subject: [Samba] Domain admin can't access share on samba dm-server
>
> windows2019 server, logged in as domain admin
>
> accessing \\pre01svdeb01 fails, I see this in the samba logs:
>
> [2021/12/29 12:57:54.754005, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2021/12/29 12:57:54.769715, 1] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2021/12/29 12:57:54.769829, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>
> googled, tried:
>
> # net ads keytab add_update_ads cifs/pre01svdeb01@mydom.AT -U Administrator
>
> Doesn't help
>
> net ads keytab list
>
> shows multiple lines containing "cifs/pre01svdeb01@mydom.AT"
> also with "aes256-cts-hmac-sha1-96"
>
> when I look closer there are 2 sets of lines, three in uppercase like:
>
> 2 aes256-cts-hmac-sha1-96 cifs/PRE01SVdeb01@MYDOM.AT
>
> three in lower case:
>
> 2 aes256-cts-hmac-sha1-96 cifs/pre01svdeb01@MYDOM.AT
>
> - what should I do?
>
> This is samba Version 4.14.11-Debian.
>
> # Global parameters
> [global]
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         load printers = No
>         log file = /var/log/samba/%m.log
>         logon home = ""
>         logon path = ""
>         map to guest = Bad User
>         max log size = 150000
>         netbios name = SERVER
>         printcap name = /dev/null
>         realm = MYDOM.AT
>         security = ADS
>         template homedir = /mnt/samba/Daten/%U
>         template shell = /bin/bash
>         username map = /etc/samba/smbusers
>         winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = BUERO
>         full_audit:priority = notice
>         full_audit:facility = local5
>         full_audit:success = mkdir rmdir read pread write pwrite rename unlink
>         full_audit:failure = connect
>         full_audit:prefix = %u|%I|%m|%S
>         idmap config buero:range = 10000-99999
>         idmap config buero:backend = rid
>         idmap config *:range = 2000-9999
>         idmap config * : backend = tdb
>         hosts allow = localhost 192.168.16. 172.32.99.
>         map acl inherit = Yes
>         printing = bsd
>         vfs objects = acl_xattr
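The keytab audit Louis describes above (spot the cifs/ SPNs that exist in more than one letter case, find the entries whose KVNO is off, then remove them with ktutil's delent, repeating the same slot number because ktutil renumbers after each deletion), written out as an added Python example. This is not code from the Samba project or from either poster. It assumes that ktutil's slot numbers follow the order of the `klist -ke` listing (both walk the keytab file in order), that the expected KVNO is the one named in smbd's "Failed to find ... (kvno N) in keytab" log line, and its sample input is a trimmed excerpt of the listing posted later in this thread with the archive's " at " munging undone.

```python
"""Audit a `klist -ke` listing for stale or case-duplicated keytab entries.

Added example, not code from Samba or from the posters in this thread.
Assumption: ktutil's slot numbers match the order of the klist -ke listing.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a short excerpt in the format klist -ke prints.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   5 host/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
"""

# The smbd log line from the original report (archive's " at " munging undone).
SAMPLE_ERROR = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
                "Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab "
                "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")

# One keytab entry as klist -ke prints it: "<kvno> <principal>@<realm> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return the entries as dicts; 'slot' is the 1-based position ktutil would show."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:            # "Keytab name:", the column header and the dashed rule
            continue
        kvno, principal, realm, enctype = m.groups()
        entries.append({"slot": len(entries) + 1, "kvno": int(kvno),
                        "principal": principal, "realm": realm, "enctype": enctype})
    return entries


def kvno_from_error(line):
    """Pull the KVNO the KDC used out of the 'Failed to find ... (kvno N)' message."""
    m = re.search(r"\(kvno (\d+)\)", line)
    return int(m.group(1)) if m else None


def case_variants(entries):
    """Principals spelled in more than one letter case, keyed by their lowercase form."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["principal"].lower()].add(e["principal"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def stale_slots(entries, expected_kvno, service_prefix=None):
    """Slots whose KVNO differs from the one the KDC is issuing tickets for.

    With service_prefix="cifs/" only the cifs/ principals are considered."""
    return [e["slot"] for e in entries
            if e["kvno"] != expected_kvno
            and (service_prefix is None or e["principal"].startswith(service_prefix))]


def delent_sequence(slots):
    """ktutil commands to remove the given slots, lowest slot first.

    After each delent ktutil renumbers what is left, so every later slot moves
    down by one; a contiguous run becomes the same number typed repeatedly,
    which is the 'delent 21, repeat until gone' advice from the thread."""
    remaining = sorted(set(slots))
    commands = []
    while remaining:
        n = remaining.pop(0)
        commands.append(f"delent {n}")
        remaining = [s - 1 for s in remaining]   # all later slots shift down
    return commands


def audit(listing, error_line, service_prefix="cifs/"):
    """Run all checks and return a report dict so callers can assert on it."""
    entries = parse_klist(listing)
    expected = kvno_from_error(error_line)
    stale = stale_slots(entries, expected, service_prefix) if expected is not None else []
    return {"entries": len(entries), "expected_kvno": expected,
            "case_variants": case_variants(entries),
            "stale_slots": stale, "ktutil": delent_sequence(stale)}


if __name__ == "__main__":
    # Usage: klist -ke | python3 keytab_audit.py "<the 'Failed to find ...' log line>"
    if len(sys.argv) > 1:
        report = audit(sys.stdin.read(), sys.argv[1])
    else:
        report = audit(SAMPLE_KLIST, SAMPLE_ERROR)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report only tells you which slots to type into `ktutil` after `rkt /etc/krb5.keytab`; it does not touch the keytab itself, so the backup-first step from the message still applies, and after `wkt` to a new file and copying it into place the fresh entries come from `net ads keytab add_update_ads cifs/$(hostname -f)` as described above. Deleting from the highest slot downward would avoid the renumbering altogether; the ascending sequence is kept here because it matches what the thread describes.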
Stefan G. Weichinger
2021-Dec-29 16:49 UTC
[Samba] Domain admin can't access share on samba dm-server
On 29.12.21 at 15:07, L.P.H. van Belle via samba wrote:
> First..
>
> Use FQDN's in your shares.

But ... it worked like this for years ;-)

> Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

I am not guest, I am the domain admin in this context.

> klist -ke shows? Can you show the full output.

here you are:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-md5)
   5 host/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   5 host/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 PRE01SVDEB01$@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 SERVER$@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 SERVER$@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 SERVER$@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-crc)
   3 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-md5)
   3 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
   3 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)

> For cifs (and nfs) you need the spn format like this.
> cifs/hostname.internal.domain.tld@REALM.TLD
> (net ads adds the REALM part automatically)
>
> If your host is using a CNAME for cifs then you need to add
> cifs/cname.internal.domain.tld@REALM.TLD also

And WHY do I have to set that up again? I understand that kerberos has to work behind the curtains, but it doesn't sound efficient to me that this isn't negotiated by the machines themselves.

I mean, in the start I didn't do that either, correct?

> And it's really advised to give these servers a PTR record.

There is a PTR

> How I do it.
> And ALWAYS backup your krb5.keytab file first.
> Don't know why sometimes (in my case) the KVNO is off.
> When that happens I restore the original keytab file.
>
> cp /etc/krb5.keytab{,.backup}
> kinit Administrator
> net ads keytab add_update_ads cifs/$(hostname -f)
>
> Removing wrong entries I do like this, and maybe
> someone has better ideas on this, please add it..
>
> !! MAKE THAT BACKUP FIRST !!
> ktutil
> rkt /etc/krb5.keytab
> ? For help.
> wkt /etc/krb5.keytab.new
>
> cp /etc/krb5.keytab.new /etc/krb5.keytab
>
> !! If you write the keytab as shown above directly into /etc/krb5.keytab
> you get everything double.
>
> When you use delent nr and you have 1-40 entries. Let's say entry 21 to 40 are wrong.
> delent 21 << only one you need.. Just repeat it until it's all gone.
>
> Hope this helped a bit.

Sure, thanks. I see the path but have to think twice before I touch this production file server. Users use it 24/7 ... my access from that windows server isn't that important right now (transferred my ISO via another server ...).

> Ps. I'm picky but..
>> idmap config buero:range = 10000-99999
>> idmap config buero:backend = rid
>
> buero should be BUERO

Sigh. I showed the smb.conf files of that site maybe 10 times here and every time I get another parameter pointed out as wrong. I wonder if it ever gets finished ;-)

Thanks anyway, I appreciate it!