That domain member server worked fine for about 2 weeks until today. Somehow the DNS record didn't work anymore. I did a rejoin and added some Kerberos-related lines to smb.conf:

    # 2 lines old
    winbind cache time = 10
    winbind use default domain = yes
    # new lines
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes

created keytab, restarted etc. - smbclient worked, right now I get:

    # smbclient \\\\u1mycustomer\\IT -U sgw
    Enter mycustomer\sgw's password:
    gse_get_client_auth_token: gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: The ticket isn't for us](2529638947)
    SPNEGO(gse_krb5) login failed: NT_STATUS_LOGON_FAILURE
    session setup failed: NT_STATUS_LOGON_FAILURE

-

    [2018/06/30 20:53:32.297500,  1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
      gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA kvno 277 not found in keytab; keytab is likely out of date]
    [2018/06/30 20:53:32.372971,  1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
      gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA kvno 277 not found in keytab; keytab is likely out of date]

-

    # net ads keytab list
    Vno  Type                                     Principal
      8  DES cbc mode with CRC-32                 cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA
      8  DES cbc mode with RSA-MD5                cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA
      8  AES-128 CTS mode with 96-bit SHA-1 HMAC  cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA
      8  AES-256 CTS mode with 96-bit SHA-1 HMAC  cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA
      8  ArcFour with HMAC/md5                    cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA

-

I did some recreates of that keytab already (flush, create, restart samba ... in several combos). Hm, any advice?
additional:

the krb5.conf from the former admin, I assume it could or should be boiled down:

    # cat /etc/krb5.conf
    [logging]
    default = FILE:/var/log/krb5.log

    [libdefaults]
    ticket_lifetime = 24000
    clock_skew = 300
    default_realm = customer.INTRA
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    [realms]
    DOMAIN.LOCAL = {
        kdc = DC1.customer.INTRA:88
        admin_server = DC1.customer.INTRA:464
        default_domain = customer.INTRA
    }

    [domain_realm]
    .customer.INTRA = customer.INTRA
    customer.INTRA = customer.INTRA

--

    [global]
    unix charset = iso8859-15
    security = ads
    realm = customer.INTRA
    workgroup = customer
    netbios aliases = u1customer
    server string = U1customer
    winbind cache time = 10
    winbind use default domain = yes
    template homedir = /mnt/MSA2040/smb/Homes/%D/%U
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    invalid users = root bin daemon adm sync shutdown halt mail news \
                    uucp
    obey pam restrictions = yes
    interfaces = 192.168.100.4/24 127.0.0.1
    bind interfaces only = Yes
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    idmap config customer : range = 10000-20000
    idmap config customer : backend = rid
    # For ACL support on domain member
    vfs objects = acl_xattr full_audit
    map acl inherit = Yes
    store dos attributes = Yes
    nt acl support = No
    force unknown acl user = Yes
    unix extensions = no
    follow symlinks = yes
    wide links = yes
    load printers = no
    printcap name = /dev/null
    # exe files
    acl allow execute always = True
    # Audit settings
    full_audit:prefix = %u|%I|%S
    full_audit:failure = connect
    full_audit:success = mkdir rmdir write pwrite rename unlink \
                         chmod fchmod chown fchown ftruncate
    full_audit:facility = local5
    full_audit:priority = notice
On Sat, 30 Jun 2018 21:02:57 +0200
"Stefan G. Weichinger via samba" <samba@lists.samba.org> wrote:

> additional:
>
> the krb5.conf from the former admin, I assume it could or should be
> boiled down:
> # cat /etc/krb5.conf

The standard one for Samba is just this:

    [libdefaults]
    default_realm = CUSTOMER.INTRA
    dns_lookup_realm = false
    dns_lookup_kdc = true

There doesn't seem to be anything wrong with your smb.conf. Not sure if this is the 3.6.x machine or the 4.x.x, but whichever, I would leave the domain, stop Samba, remove all the .ldb & .tdb (they are probably in /var/lib/samba), delete /etc/krb5.keytab and then rejoin the domain and restart Samba. This should create a new /etc/krb5.keytab; check this contains the 'cifs' principals. If it does, okay; if it doesn't, export a keytab on the DC with samba-tool with cifs/U1mycustomer.mycustomer.intra as the principal and copy this to the Unix domain member. Then use 'ktutil' to join /etc/krb5.keytab to the new keytab. If needed, I can talk you through this ;-)

Rowland
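An added example, not code from the thread or from the Samba project: a POSIX shell script that checks a member server's keytab against the key version the KDC is actually issuing (the mismatch visible in the post: every keytab entry is kvno 8, while the rejected ticket was cut for kvno 277), and wraps the rebuild Rowland describes so it only runs on explicit request. The principal and host names are the thread's placeholders; the keytab listing and log text embedded in the script are constructed to mirror the post; the service names (smbd, nmbd, winbind), the /var/lib/samba and /var/log/samba paths and the Administrator account are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the member's keytab
# holds the 'cifs' principal at the kvno the KDC is issuing, then wraps Rowland's
# rebuild. Principal and hostnames are the thread's placeholders; the sample
# listing and log text are constructed to mirror the post.

PRINCIPAL='cifs/U1mycustomer.mycustomer.intra'

# Constructed: what 'net ads keytab list' showed in the post (all entries kvno 8).
SAMPLE_LISTING='Vno Type Principal
8 DES cbc mode with CRC-32 cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA
8 AES-128 CTS mode with 96-bit SHA-1 HMAC cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA
8 AES-256 CTS mode with 96-bit SHA-1 HMAC cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA
8 ArcFour with HMAC/md5 cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA'

# Constructed: the smbd log lines from the post (ticket cut for kvno 277).
SAMPLE_LOG='[2018/06/30 20:53:32.297500,  1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/U1mycustomer.mycustomer.intra@mycustomer.INTRA kvno 277 not found in keytab; keytab is likely out of date]'

# kvno the KDC put in the rejected ticket, read from gse.c log text on stdin (empty if none).
requested_kvno() {
    sed -n 's/.*kvno \([0-9][0-9]*\) not found in keytab.*/\1/p' | head -n 1
}

# Distinct kvnos present on stdin for principal $1, space separated. The version is
# the first column in both 'net ads keytab list' and 'klist -ke' output.
keytab_kvnos() {
    awk -v p="$1" 'index($0, p) && $1 ~ /^[0-9]+$/ { print $1 }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 when the listing on stdin has an entry for principal $1 at kvno $2.
keytab_has() {
    awk -v p="$1" -v k="$2" 'index($0, p) && $1 == k { f = 1 } END { exit !f }'
}

# Verdict for principal $1 given a keytab listing $2 and smbd log text $3.
# Returns 0 (usable), 1 (stale kvno), 2 (principal missing from the keytab).
diagnose() {
    have=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    want=$(printf '%s\n' "$3" | requested_kvno)
    if [ -z "$have" ]; then
        echo "keytab has no entry for $1; export one on the DC with samba-tool"
        return 2
    fi
    if [ -n "$want" ] && ! printf '%s\n' "$2" | keytab_has "$1" "$want"; then
        echo "stale keytab: have kvno $have, KDC issued kvno $want"
        return 1
    fi
    echo "keytab entry for $1 matches the KDC"
    return 0
}

# Rowland's rebuild as a function. Destructive: needs root and domain-admin
# credentials, and deleting the tdb files also drops the idmap allocations for the
# '*' range, so run it only after diagnose reports a problem. Service names and
# paths are assumptions (Debian-style Samba packaging).
repair_member_keytab() {
    net ads leave -U Administrator
    systemctl stop smbd nmbd winbind
    find /var/lib/samba -name '*.tdb' -delete
    find /var/lib/samba -name '*.ldb' -delete
    rm -f /etc/krb5.keytab
    net ads join -U Administrator   # writes /etc/krb5.keytab (kerberos method = secrets and keytab)
    systemctl start smbd nmbd winbind
    if ! net ads keytab list | grep -q "$PRINCIPAL"; then
        cat >&2 <<EOF
no $PRINCIPAL entry after the join. On the DC:
  samba-tool domain exportkeytab /tmp/cifs.keytab --principal=$PRINCIPAL
copy /tmp/cifs.keytab to this host and merge it (MIT ktutil):
  printf 'rkt /etc/krb5.keytab\nrkt /tmp/cifs.keytab\nwkt /etc/krb5.keytab\nquit\n' | ktutil
EOF
    fi
}

case "${1-}" in
    --repair) repair_member_keytab ;;
    --live)   diagnose "$PRINCIPAL" "$(net ads keytab list)" \
                  "$(grep -h 'not found in keytab' /var/log/samba/log.* 2>/dev/null)" || : ;;
    *)        diagnose "$PRINCIPAL" "$SAMPLE_LISTING" "$SAMPLE_LOG" || : ;;
esac
```

Without arguments the script runs the check on the embedded sample and reports the stale kvno; `--live` feeds it the real `net ads keytab list` output and the smbd log; `--repair` performs the rebuild. A kvno that is far ahead of the keytab, as here, means the machine account's key on the DC has been reset many times since this keytab was written, so recreating the keytab from the member's old secrets cannot help; only a fresh join or a keytab exported on the DC gives the member the current key. While rebuilding, it is also worth noting that the old listing carried DES entries: modern DCs do not issue DES-encrypted tickets, so nothing should depend on those entries surviving the rejoin.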