Eugene M. Zheganin
2016-Sep-29 12:04 UTC
[Samba] Failed to find cifs/foo.bar in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
Hi.

I'm using Samba 4.3.11 as a domain member on FreeBSD 10.x.

Some of my users (around 1%) are experiencing problems from time to time, browsing this server's shares in Windows Explorer - it starts to ask for the password. It doesn't ask for the password while accessing it via its IP address, and I see in its logs the following (when accessing it via its name):

[2016/09/20 10:54:31.451826, 1] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/wd.norma.com at NORMA.COM(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

(yup, I know norma.com isn't legitimate, but it's an internal domain name).

How can I debug and solve this?
norma.com is resolving from this machine, and so does wd.norma.com. The AD controller shows that cifs/wd.norma.com at NORMA.COM is mapped to the wd machine (it wasn't, I mapped it by hand, but nothing changed).

I googled this issue a bit, but didn't find any appropriate solution. I'm not using a dedicated keytab for samba (I tried once, to solve this issue as was proposed in some article, but it made things even worse).

Thanks.
Eugene.
Jeremy Allison
2016-Sep-29 17:18 UTC
[Samba] Failed to find cifs/foo.bar in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
On Thu, Sep 29, 2016 at 05:04:24PM +0500, Eugene M. Zheganin via samba wrote:
> Hi.
>
> I'm using Samba 4.3.11 as a domain member on FreeBSD 10.x.
>
> Some of my users (around 1%) are experiencing problems from time to
> time, browsing this server's shares in Windows Explorer - it starts to
> ask for the password. It doesn't ask for the password while accessing it
> via its IP address, and I see in its logs the following (when accessing
> it via its name):

When you access via IP then it's using NTLM so you don't get the krb5 issue you're seeing here.

> [2016/09/20 10:54:31.451826, 1]
> ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/wd.norma.com at NORMA.COM(kvno 2) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> (yup, I know norma.com isn't legitimate, but it's an internal domain name).
>
> How can I debug and solve this?
> norma.com is resolving from this machine, and so does wd.norma.com. The AD
> controller shows that cifs/wd.norma.com at NORMA.COM is mapped to the wd
> machine (it wasn't, I mapped it by hand, but nothing changed).
>
> I googled this issue a bit, but didn't find any appropriate solution.
> I'm not using a dedicated keytab for samba (I tried once, to solve this
> issue as was proposed in some article, but it made things even worse).

Oh I've been trying to track down THIS EXACT ISSUE this week up at Microsoft !!!!! (But I can't get it to reproduce).

It seems to be when winbindd is changing the machine password.

As a work-around you can try setting "machine password timeout = 0" to prevent winbindd changing the password.
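
An added example, not part of either message and not Samba code: a Python parser for the gss_accept_sec_context failure quoted in this thread, grouping failures by service principal, kvno and encryption type with first and last timestamps, so they can be lined up against the time of a machine password change. The sample log is constructed from the entry in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the log entry quoted in this thread.
# The list archive rewrites "@" as " at "; the parser accepts both forms.
SAMPLE_LOG = """\
[2016/09/20 10:54:31.451826,  1] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/wd.norma.com@NORMA.COM(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2016/09/20 10:55:02.118340,  1] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/wd.norma.com at NORMA.COM(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2016/09/20 10:56:00.000000,  3] constructed/unrelated.c:1(unrelated)
  unrelated message with no keytab failure
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]")
FAILURE = re.compile(
    r"Failed to find (\S+?)(?:@| at )(\S+?)\(kvno (\d+)\) "
    r"in keytab (\S+) \(([^)]+)\)")

def parse_failures(log_text):
    """Return one dict per keytab lookup failure, stamped with its header time."""
    failures, stamp = [], None
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            stamp = h.group(1)
        m = FAILURE.search(line)  # also matches when header and message share a line
        if m:
            spn, realm, kvno, keytab, etype = m.groups()
            failures.append({"time": stamp, "spn": spn, "realm": realm,
                             "kvno": int(kvno), "keytab": keytab, "etype": etype})
    return failures

def summarize(failures):
    """Count failures per (spn, kvno, etype) and keep first/last time seen."""
    out = {}
    for f in failures:
        key = (f["spn"], f["kvno"], f["etype"])
        e = out.setdefault(key, {"count": 0, "first": f["time"], "last": f["time"]})
        e["count"] += 1
        e["last"] = f["time"]
    return out

if __name__ == "__main__":
    for (spn, kvno, etype), e in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{spn} kvno={kvno} {etype}: {e['count']}x {e['first']} .. {e['last']}")
```
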