On Mon, 2 Jul 2018 10:37:56 +0200 "Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2018-07-02 at 10:32, Rowland Penny wrote:
> > On Mon, 2 Jul 2018 09:49:52 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >> The message re-appeared though:
> >>
> >> gss_accept_sec_context failed with [Unspecified GSS failure. Minor
> >> code may provide more information: Request ticket server
> >> cifs/U1customer.customer.intra at customer.INTRA kvno 277 not found in
> >> keytab; keytab is likely out of date]
> >
> > One question I don't remember asking, just where is that message
> > appearing ? and is it the exact message (complete with headers,
> > times etc.
> >
> > What I am trying to get at, is this a Samba problem or some form of
> > mounting problem i.e. is something asking for a particular keytab
> > that has gone out of date.
>
> It is appearing in /var/log/samba/log.smbd
>
> An additional issue today:
>
> *some* windows-7 PCs get the GPOs from the (windows-)DCs, but don't
> get the samba-shares mounted.
>
> Might these gss-errors point at some mismatch here?
>
> The windows-admin is currently testing things via RDP on a problematic
> client.
>
> -
>
> We ran *without* specific keytab on samba until saturday. Should I get
> rid of that maybe?

I thought the keytab was a long term one (you can hardly call 'since last Saturday' a long term). You do not need /etc/krb5.keytab, Samba maintains another keytab in memory and this is very probably where your '277' is coming from.

Rowland

On 2018-07-02 at 11:10, Rowland Penny via samba wrote:

>> We ran *without* specific keytab on samba until saturday. Should I get
>> rid of that maybe?
>
> I thought the keytab was a long term one (you can hardly call 'since
> last Saturday' a long term ). You do not need /etc/krb5.keytab, Samba
> maintains another keytab in memory and this is very probably where
> your '277' is coming from.

OK!

I remove only the 1st line or both?

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

Restart services? Reload/SIGHUP only?

-

additional issue/question:

the Server itself is called "samba" and has a netbios alias "u1customer"

The GPOs all point at "u1customer" ... do we have to specifically announce/register that 2nd name in ADS somehow?

On Mon, 2 Jul 2018 12:03:15 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2018-07-02 at 11:10, Rowland Penny via samba wrote:
>
> >> We ran *without* specific keytab on samba until saturday. Should I
> >> get rid of that maybe?
> >
> > I thought the keytab was a long term one (you can hardly call 'since
> > last Saturday' a long term ). You do not need /etc/krb5.keytab,
> > Samba maintains another keytab in memory and this is very probably
> > where your '277' is coming from.
>
> OK!
>
> I remove only the 1st line or both?
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab

Both

>
> Restart services? Reload/SIGHUP only?

Try a reload first.

>
> -
>
> additional issue/question:
>
> the Server itself is called "samba" and has a netbios alias
> "u1customer"
>
> The GPOs all point at "u1customer" ... do we have to specifically
> announce/register that 2nd name in ADS somehow?

I think you will have to create a CNAME record in DNS.

Rowland
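
The "kvno 277 not found in keytab" error discussed in this thread can be checked against a dedicated keytab mechanically. The following is an added example, not code from the thread or from the Samba project: it extracts the requested principal and kvno from the smbd log line and compares them with plain `klist -k` output. The host and realm names, the sample keytab listing and the case-insensitive name comparison are assumptions made for the illustration.

```python
import re

# Constructed samples (hypothetical host and realm): the smbd error in the shape
# quoted in the thread, and plain `klist -k` output for a keytab left at kvno 276.
SAMPLE_LOG = (
    "gss_accept_sec_context failed with [Unspecified GSS failure. Minor "
    "code may provide more information: Request ticket server "
    "cifs/fs1.example.intra@EXAMPLE.INTRA kvno 277 not found in "
    "keytab; keytab is likely out of date]"
)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
 276 host/fs1.example.intra@EXAMPLE.INTRA
 276 cifs/fs1.example.intra@EXAMPLE.INTRA
"""

# " at " is accepted next to "@" because list archives rewrite the realm separator.
REQ_RE = re.compile(
    r"Request ticket server (\S+?)(?:@| at )(\S+) kvno (\d+) not found in keytab")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)")

def requested_key(log_text):
    """Return (principal, realm, kvno) named in the GSS error, or None."""
    m = REQ_RE.search(" ".join(log_text.split()))  # undo line wrapping
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def keytab_kvnos(klist_text):
    """Map lower-cased 'principal@realm' to the set of kvnos klist -k lists."""
    table = {}
    for line in klist_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not start with a number
            name = f"{m.group(2)}@{m.group(3)}".lower()  # assumption: compare case-insensitively
            table.setdefault(name, set()).add(int(m.group(1)))
    return table

def diagnose(log_text, klist_text):
    """Return (verdict, requested kvno, kvnos present for that principal)."""
    req = requested_key(log_text)
    if req is None:
        return "no-error", None, set()
    principal, realm, kvno = req
    have = keytab_kvnos(klist_text).get(f"{principal}@{realm}".lower(), set())
    if kvno in have:
        return "ok", kvno, have
    return ("stale-kvno" if have else "missing-principal"), kvno, have

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_KLIST))
```

A "stale-kvno" verdict means the keytab holds the principal but only at older key versions than the one the client's ticket was issued for; "missing-principal" means the name itself is absent from the keytab.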