rawi
2017-Jan-12 11:53 UTC
[Samba] Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Ubuntu 16.04.1 LTS
Samba Version 4.3.11-Ubuntu

Hi

I'm still testing and trying to migrate from an NT4 domain to Samba 4 AD.

With the test configuration:
AD-DC + domain_member_file_server + Windows_8.1_client
all is working well, including server profiles.

But I also have to migrate some old WindowsXP_SP2 and Windows7.

I could join the domain with the WindowsXP. I see its record with ldbsearch.

Trying to log in with the WindowsXP I get an error on the domain_member_file_server in the file <IP-address-of-client.log> saying:

>>>
[2017/01/11 16:42:34.522067, 1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2017/01/11 16:42:34.522095, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2017/01/11 16:42:34.525704, 1] ../lib/param/loadparm.c:1629(lpcfg_do_global_parameter)
  WARNING: The "syslog only" option is deprecated
[2017/01/11 16:42:34.525743, 1] ../lib/param/loadparm.c:1629(lpcfg_do_global_parameter)
  WARNING: The "syslog" option is deprecated
<<<

hg004.humgen.0zone at HUMGEN.0ZONE is the domain_member_file_server.

It doesn't get far enough for the user name to be logged with an error...

No error on the AD-DC concerning the name of the client machine or test user.

Supposing some weak encryption of the old WindowsXP, I tried on the domain_member_file_server to put
allow_weak_crypto = true
...in its krb5.conf, but with no success.

ON THE AD-DC
# net ads enctypes list hg004$
no msDS-SupportedEncryptionTypes attribute found

Has anyone gotten around such behavior?
Thanks
rawi
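As an added example (not part of the original post and not Samba code): a small Python triage helper that pulls the principal, kvno and enctype out of smbd keytab-lookup failures like the one quoted above, and maps the enctype name to its msDS-SupportedEncryptionTypes bit so it can be compared with the `net ads enctypes list` output. The function names and the second sample log entry are constructed; " at " is accepted alongside "@" because the list archive rewrites it.

```python
import re
from collections import Counter

# msDS-SupportedEncryptionTypes bit values (MS-KILE), keyed by the enctype
# name as it is printed in the Kerberos error text.
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01, "des-cbc-md5": 0x02, "arcfour-hmac-md5": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08, "aes256-cts-hmac-sha1-96": 0x10,
}

# "Failed to find <spn>@<REALM>(kvno N) in keytab <name> (<enctype>)".
# " at " is accepted too, because list archives rewrite "@".
MISSING_KEY = re.compile(
    r"Failed to find (?P<spn>\S+?)(?:@| at )(?P<realm>\S+?)\(kvno (?P<kvno>\d+)\)"
    r" in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)

def missing_keys(log_text):
    """Return one dict per keytab lookup failure found in smbd log text."""
    flat = " ".join(log_text.split())  # smbd wraps long messages; undo that
    records = []
    for m in MISSING_KEY.finditer(flat):
        rec = m.groupdict()
        rec["kvno"] = int(rec["kvno"])
        rec["enctype_bit"] = ENCTYPE_BITS.get(rec["enctype"])  # None if unknown
        records.append(rec)
    return records

def summarize(records):
    """Count failures per (spn, kvno, enctype): the key the keytab lacks."""
    return Counter((r["spn"], r["kvno"], r["enctype"]) for r in records)

# Constructed sample: the first entry follows the log quoted in the post,
# the second is invented to show the "@" form and a different enctype.
SAMPLE_LOG = """\
[2017/01/11 16:42:34.522067, 1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text):
  Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) in keytab
  MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2017/01/11 16:50:01.000000, 1] ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text):
  Failed to find cifs/fs.example.test@EXAMPLE.TEST(kvno 3) in keytab
  MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
"""

if __name__ == "__main__":
    for (spn, kvno, enctype), n in summarize(missing_keys(SAMPLE_LOG)).items():
        print(f"{n}x {spn} kvno={kvno} {enctype}")
```

Each reported tuple names the exact key the server-side keytab is missing, so it can be checked against the keytab listing and the account's supported enctypes on the DC.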
Marc Muehlfeld
2017-Jan-12 16:44 UTC
[Samba] Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Hello,

On 12.01.2017 at 12:53, rawi via samba wrote:
> [2017/01/11 16:42:34.522067, 1]
> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2017/01/11 16:42:34.522095, 1]
> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

Looks like: https://bugzilla.samba.org/show_bug.cgi?id=12262

Regards,
Marc
rawi
2017-Jan-16 17:07 UTC
[Samba] SOLVED(I hope): Difficulties with Windows XP: failed to find cifs/fileserver.y.z@Y.Z in keytab (arcfour-hmac-md5)
Samba - General mailing list wrote
>> [2017/01/11 16:42:34.522067, 1]
>> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
>> Failed to find cifs/hg004.humgen.0zone at HUMGEN.0ZONE(kvno 1) in keytab
>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> [2017/01/11 16:42:34.522095, 1]
>> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>
> Looks like: https://bugzilla.samba.org/show_bug.cgi?id=12262

Thank you Marc, but it doesn't feel the same to me...

In subsequent tests I wasn't even able to join any more. The first time was a lucky one, voodoo.

I discovered that the generated smb.conf was not enough for an AD-DC.

Despite having:
server role = active directory domain controller

... the default settings for:
domain logons = no (?)
domain master = auto (aka equally NO)
local master = yes (not specifically mentioned in the generated smb.conf)

... were enough for Windows7 and Windows8 (?), but not for Windows XP.

After setting
domain master = YES
... I could join the WindowsXP and log in.

I also added then (to be sure ;)
domain logons = YES

This seems to work now. I'll test joins with other clients tomorrow.

What remains is the question: why doesn't a "server role = active directory domain controller" enable "domain logons" by default?

Regards
rawi