samba - Sep 2016 - Failed to find cifs/foo.bar in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Hi.

I'm using Samba 4.3.11 as a domain member on FreeBSD 10.x.

Some of my users (around 1%) are experiencing problems from time to
time, browsing this server's shares in Windows Explorer - it starts to
ask for the password. It doesn't ask the password while accesssing it
via it's IP address, and I see in its logs the following (when accessing
it via its name):

[2016/09/20 10:54:31.451826,  1]
../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/wd.norma.com at NORMA.COM(kvno 2) in keytab
MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

(yup, I know norma.com isn't legitimate, but it's internal domain name).

How can I debug and solve this ?
norma.com is resolving from this machine, so does wd.norma.com. AD
controller shows the cifs/wd.norma.com at NORMA.COM is mapped to the wd
machine (it wasn't, I mapped it by hand, but nothing changed).

I googled this issue a bit, but didn't find any appropriate solution.
I'm not using a dedicated keytab for samba (I tried once, to solve this
issue as was proposed in some article, but it made things even worse).

Thanks.
Eugene.

On Thu, Sep 29, 2016 at 05:04:24PM +0500, Eugene M. Zheganin via samba
wrote:
> Hi.
> 
> I'm using Samba 4.3.11 as a domain member on FreeBSD 10.x.
> 
> Some of my users (around 1%) are experiencing problems from time to
> time, browsing this server's shares in Windows Explorer - it starts to
> ask for the password. It doesn't ask the password while accesssing it
> via it's IP address, and I see in its logs the following (when
accessing
> it via its name):
When you access via IP then it's using NTLM so you
don't get the krb5 issue you're seeing here.
> [2016/09/20 10:54:31.451826,  1]
> ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/wd.norma.com at NORMA.COM(kvno 2) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> 
> (yup, I know norma.com isn't legitimate, but it's internal domain
name).
> 
> How can I debug and solve this ?
> norma.com is resolving from this machine, so does wd.norma.com. AD
> controller shows the cifs/wd.norma.com at NORMA.COM is mapped to the wd
> machine (it wasn't, I mapped it by hand, but nothing changed).
> 
> I googled this issue a bit, but didn't find any appropriate solution.
> I'm not using a dedicated keytab for samba (I tried once, to solve this
> issue as was proposed in some article, but it made things even worse).
Oh I've been trying to track down THIS EXACT ISSUE this week
up at Microsoft !!!!! (But I can't get it to reproduce).

It seems to be when winbindd is changing the machine password.

As a work-around you can try setting "machine password timeout = 0"
to prevent winbindd changing the password.