On Mon, 2 Jul 2018 12:03:15 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:> Am 2018-07-02 um 11:10 schrieb Rowland Penny via samba: > > >> We ran *without* specific keytab on samba until saturday. Should I > >> get rid of that maybe? > > > > I thought the keytab was a long term one (you can hardly call 'since > > last Saturday' a long term ). You do not need /etc/krb5.keytab, > > Samba maintains another keytab in memory and this is very probably > > where your '277' is coming from. > > OK! > > I remove only the 1st line or both? > > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytabBoth> > Restart services? Reload/SIGHUP only?Try a reload first.> > - > > additional issue/question: > > the Server itself is called "samba" and has an netbios alias > "u1customer" > > The GPOs all point at "u1customer" ... do we have to specifically > announce/register that 2nd name in ADS somehow?I think you will have to create a CNAME record in DNS. Rowland
Am 2018-07-02 um 12:14 schrieb Rowland Penny via samba:>> I remove only the 1st line or both? >> >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab > > Bothdone>> Restart services? Reload/SIGHUP only? > > Try a reload first.done ... waiting for the clients to test now. So far I see no more ugly "gss ... 277" messages in log.smbd since the change. Ah, and while I type that ... they return.>> additional issue/question: >> >> the Server itself is called "samba" and has an netbios alias >> "u1customer" >> >> The GPOs all point at "u1customer" ... do we have to specifically >> announce/register that 2nd name in ADS somehow? > > I think you will have to create a CNAME record in DNS.OK, told the DC-admin to check that. Yesterday only one of the DCs returned a correct DNS-resolution, that has to be corrected IMO. To explain: the former admin has left the company and we have to "reverse engineer" his setup in a way ;-) thanks for helping
Am 02.07.2018 um 12:23 schrieb Stefan G. Weichinger via samba:> Am 2018-07-02 um 12:14 schrieb Rowland Penny via samba: > >>> I remove only the 1st line or both? >>> >>> dedicated keytab file = /etc/krb5.keytab >>> kerberos method = secrets and keytab >> >> Both > > done > >>> Restart services? Reload/SIGHUP only? >> >> Try a reload first. > > done > > ... waiting for the clients to test now. > > So far I see no more ugly "gss ... 277" messages in log.smbd since the > change. Ah, and while I type that ... they return.Now for the records: in the last 3 days these messages really have disappeared until now. Maybe something has timed out in a way, a kerberos ticket or some kind of DNS-related info ... I don't know. As far I know now that samba-server is reachable via both its primary hostname and that one netbios alias (they use both in their hundreds of Hyperlinks they have in their word-docs ... oh my).