All, using Samba as an AD (2k12) domain member in Stretch (2:4.5.12+dfsg-2+deb9u4) with tdb as default and rid as domain backend. No overlapping. Everything works fine. Setup was done as in the wiki [1]. If you're connecting from a Windows 10 client and do not add dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab winbind refresh tickets = Yes to smb.conf, the SMB3_11 connection is closed, as soon as the service ticket expires. 1. Some websites say, service tickets are only verified when connecting to a server. Is this still true? Why is the connection timing out then? Which tickets does the server renew? Machine account? Is this because of mutual authentication or encryption? I thought tickets were handled by the client? 2. Is this related to bug 13197 [2]? That's the only thing I could find about this status code and it seems it's not fixed in version 4.5 in Debian. 3. Default kerberos method is secrets only - use only the secrets.tdb for ticket verification. Why is this not sufficient? Why is the /etc/krb5.keytab needed? It's not mentioned in the wiki [1], but in [3]. - Chris [1] https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member [2] https://bugzilla.samba.org/show_bug.cgi?id=13197 [3] https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
Marco Gaiarin
2018-Dec-17 13:29 UTC
[Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member
Mandi! Chris via samba In chel di` si favelave...> 3. Default kerberos method is secrets only - use only the secrets.tdb > for ticket verification. Why is this not sufficient? Why is > the /etc/krb5.keytab needed? It's not mentioned in the wiki [1], but in > [3]. > [3] https://wiki.samba.org/index.php/Samba_Member_Server_TroubleshootingSeems strange also to me. reading the manpage: dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab are a bit incoherent settings; 'dedicated keytab file' is used if an only if 'kerberos method = dedicated keytab'. The page have to be cleanded up a bit? -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
L.P.H. van Belle
2018-Dec-17 14:38 UTC
[Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member
Hm,, Good question Marco, now after re-reading it, i understand what you trying to say. How i did read it and understand it. dedicated keytab file (G) Specifies the absolute path to the kerberos keytab file when `kerberos method` is set to "dedicated keytab". When the kerberos method is in "dedicated keytab" mode, dedicated keytab file must be set to specify the location of the keytab file. So you options are kerberos method = secret only ( the default.) so no changes in smb.conf by default. kerberos method = system keytab assumes the system default ( /etc/krb5.keytab ) kerberos method = dedicated keytab can be : AnyPath/to/keytabfile. kerberos method = secrets and keytab - use the secrets.tdb first, then the system keytab I think we should define "system keytab" a bit beter in smb.conf. So yeah, you might say, `kerberos method = secrets and keytab` should work fine without the setting : dedicated keytab file If thats not the case then we need 2 of these : kerberos method = secrets and keytab kerberos method = secrets and system-keytab kerberos method = secrets and dedicate-keytab What i think, but i cant see it in the code, maybe Rowland can tell this. If we use : kerberos method = secrets and keytab system keytab and dedicated keytab are providing the same thing, the location to the keytab file. And (from man smb.conf ) The major difference between "system keytab" and "dedicated keytab" is that the latter Method relies on kerberos to find the correct keytab entry instead of filtering based on expected principals. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Marco Gaiarin via samba > Verzonden: maandag 17 december 2018 14:29 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member > > Mandi! Chris via samba > In chel di` si favelave... > > > 3. Default kerberos method is secrets only - use only the > secrets.tdb > > for ticket verification. Why is this not sufficient? Why is > > the /etc/krb5.keytab needed? It's not mentioned in the wiki > [1], but in > > [3]. > > [3] > https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting > > Seems strange also to me. reading the manpage: > > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > are a bit incoherent settings; 'dedicated keytab file' is used if an > only if 'kerberos method = dedicated keytab'. > > The page have to be cleanded up a bit? > > -- > dott. Marco Gaiarin GNUPG > Key ID: 240A3D66 > Associazione ``La Nostra Famiglia'' > http://www.lanostrafamiglia.it/ > Polo FVG - Via della Bontà, 7 - 33078 - San Vito al > Tagliamento (PN) > marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 > f +39-0434-842797 > > Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! > http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 > (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA) > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2018-Dec-17 15:08 UTC
[Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member
On Mon, 17 Dec 2018 15:38:02 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:> Hm,, > > Good question Marco, now after re-reading it, i understand what you > trying to say. How i did read it and understand it. > > dedicated keytab file (G) > Specifies the absolute path to the kerberos keytab file when > `kerberos method` is set to "dedicated keytab". When the kerberos > method is in "dedicated keytab" mode, dedicated keytab file must be > set to specify the location of the keytab file. > > So you options are > kerberos method = secret only ( the default.) > so no changes in smb.conf by default. > kerberos method = system keytab > assumes the system default ( /etc/krb5.keytab )Sorry, but no it doesn't ;-), the 'system keytab' is by default in memory.> kerberos method = dedicated keytab > can be : AnyPath/to/keytabfile. > kerberos method = secrets and keytab - use the secrets.tdb first, > then the system keytab > > I think we should define "system keytab" a bit beter in smb.conf.You are probably right Louis, want to make this your first patch as a Samba team member ?> > So yeah, you might say, `kerberos method = secrets and keytab` should > work fine without the setting :Yes it will, but anything else that needs an actual keytab wont.> dedicated keytab file If thats not > the case then we need 2 of these : kerberos method = secrets and > keytab kerberos method = secrets and system-keytab kerberos method > secrets and dedicate-keytab > > What i think, but i cant see it in the code, maybe Rowland can tell > this.Just did ;-) Rowland
L.P.H. van Belle
2018-Dec-17 15:54 UTC
[Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member
Hai guys,> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland Penny via samba > Verzonden: maandag 17 december 2018 16:08 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member > > On Mon, 17 Dec 2018 15:38:02 +0100 > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > > > Hm,, > > > > Good question Marco, now after re-reading it, i understand what you > > trying to say. How i did read it and understand it. > > > > dedicated keytab file (G) > > Specifies the absolute path to the kerberos keytab file when > > `kerberos method` is set to "dedicated keytab". When the kerberos > > method is in "dedicated keytab" mode, dedicated keytab file must be > > set to specify the location of the keytab file. > > > > So you options are > > kerberos method = secret only ( the default.) > > so no changes in smb.conf by default. > > kerberos method = system keytab > > assumes the system default ( /etc/krb5.keytab ) > > Sorry, but no it doesn't ;-), the 'system keytab' is by default in memory.Ok, but then, with the setting, `kerberos method = secrets and keytab` it's only more confusing. A small re-cap. secrets only - use only the secrets.tdb for ticket verification (default) - this is clear how its used. system keytab - use only the system keytab for ticket verification - this description here might be better off with something like this. system keytab - use only the system (in memory) keytab for ticket verification. dedicated keytab - use a dedicated keytab for ticket verification (preffered the OS default) - ( for debian/ubuntu /etc/krb5.keytab ) secrets and keytab - use the secrets.tdb first, then the system (in memory) keytab But now i can't explain the mix of `dedicated keytab` and `secrets and keytab` anymore. Here : secrets and keytab Keytab points to in-memory and/or file keytab?? , at least thats how i thought it did work.> > > kerberos method = dedicated keytab > > can be : AnyPath/to/keytabfile. > > kerberos method = secrets and keytab - use the secrets.tdb first, > > then the system keytab > > > > I think we should define "system keytab" a bit beter in smb.conf. > > You are probably right Louis, want to make this your first patch as a > Samba team member ?Well thats maybe a bit too early.. ;-) learn about gitlab more first. And if its happens, you be the first to review my typos. :-))> > > > > So yeah, you might say, `kerberos method = secrets and keytab` should work fine without the setting : > > Yes it will, but anything else that needs an actual keytab wont.In this line "method = secrets and keytab" The word `keytab` referres to ? Memory keytab or file, or both. Because it looks like only memory but it does use the /etc/krb5.keytab also. So this is not correctly defined.. and since im not not sure anymore how it uses the combination of the settings, i need to understand the combination better for before i can describe it. Following that part of code is to hard for me.> > > > dedicated keytab file If thats not > > the case then we need 2 of these : kerberos method = secrets and > > keytab kerberos method = secrets and system-keytab kerberos method > > secrets and dedicate-keytab > > > > What i think, but i cant see it in the code, maybe Rowland can tell > > this. > > Just did ;-)Thanks, must helpfull for me at least. ;-)> > Rowland >Louis
On Mon, 17 Dec 2018 01:19:54 +0100 Chris via samba wrote:> If you're connecting from a Windows 10 client and do not add > > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > winbind refresh tickets = Yes > > to smb.conf, the SMB3_11 connection is closed, as soon as the service > ticket expires.They're also closed with those lines. Louis' stable stretch 4.8 package isn't affected. I'll use NTLM now. It's still supported by Win10. Keep it simple stupid.
Peter Eriksson
2018-Dec-24 01:05 UTC
[Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member
I’m not sure if it will help you but we’re seeing something similar that I call the “10 hours problem” here. On any Samba - after 4.7.6 (we’re currently trying out 4.9.4 but still no go) - at 10 hours after it (smbd & winbindd) was restarted it new connections often (but not 100% all the time, but we think it is related to the number of connections, or active connections, or how many are encrypted or something, since we’re not seeing it on the test servers with zero or just one or two connections). We are running a monitoring system that tries to connect to the Samba server 24h/day every minute and we graph the response times. For 4.7.6 and earlier we see a short period (0-30seconds) where connections are denied, but any later version we see at least multi-minute login denials. So I wrote a monitoring script that we run regularly (and every 2 minute around the time when we most often see this happeningen) and if it detects three failed connects (timeout of 20s and then sleep 5s before testing again) then it simply kills all winbindd daemons and restart them - and then things start to work again. Please find our watchdog script included (as an unencoded file just for some historical fun, use “uudecode” to decode :). We currently run it from cron like this since we always restart both smbd & winbindd at 07:00 every day, we normally see these problems at 17:00 and 03:00...> 1,5,10 * * * * /liu/sbin/samba-watchdog -vYou want to create a /liu/etc/samba-watchdog.ini file containing lines sort of like:> username = testuser > password = somesecretpasswod > domain = YOURADDOMAINIt by default will try to connect using NTLM authentication (but could be modified to also try Kerberos) and then connect to a share on //localhost/testuser (the username) using smbclient. It will send emails to root on the local machine (via cron) that will look something like this:> /liu/sbin/samba-watchdog: Notice: SMB connection to //hostname/testuser timed out > Sun Dec 23 17:01:00 CET 2018 > /liu/sbin/samba-watchdog: Notice: SMB connection to //hostname/testuser timed out > Sun Dec 23 17:01:20 CET 2018 > /liu/sbin/samba-watchdog: Notice: SMB connection to //hostname/testuser timed out > Sun Dec 23 17:01:40 CET 2018 > /liu/sbin/samba-watchdog: Notice: Terminating winbindd processes: 71208 71202 71196 71193 71190 71189 > /liu/sbin/samba-watchdog: Notice: Forcibly (SIGKILL) terminating remaining winbindd processes: 71196 > /liu/sbin/samba-watchdog: Notice: Starting winbindd daemons(Originally we restarted after the first attempt failed but we wanted to really make sure things we “down” (in case of something temporarily happening) before killing winbindd and restarting those). - Peter begin 644 samba-watchdog M(R$O8FEN+VMS:`HC"B,@<V%M8F$M=V%T8VAD;V<L('9E<G-I;VX@,2XX"B,* M(R!#;W!Y<FEG:'0@*&,I(#(P,3@@4&5T97(@17)I:W-S;VX@/'!E=&5R+G at N M97)I:W-S;VY`;&EU+G-E/@HC"B, at 36]N:71O<G,@=&AA="!C;VYN96-T:6]N M<R!T;R!386UB82!D;V5S;B=T('1A:V4@=&]O(&QO;F<@86YD"B,@<F5S=&%R M=',@=VEN8FEN9&0@:68@:70 at 9&5T96-T<R!P<F]B;&5M<RX*(PH*4$%42#TO M8FEN.B]U<W(O8FEN"F5X<&]R="!0051("@I304U"041)4CTB+VQI=2(*4TU" M0TQ)14Y4/2(D>U-!34)!1$E2?2]B:6XO<VUB8VQI96YT(@I724Y"24Y$1#TB M)'M304U"041)4GTO<V)I;B]W:6YB:6YD9"(*4TU"1#TB)'M304U"041)4GTO M<V)I;B]S;6)D(@H*3$]'1DE,13TB+W9A<B]L;V<O<V%M8F$M=V%T8VAD;V<N M;&]G(@I435!&24Q%/2(O=&UP+W-A;6)A+7=A=&-H9&]G+B0D(@I$045-3TY3 M/2)W:6YB:6YD9"(*05542$9)3$4](B]L:74O971C+W-A;6)A+7=A=&-H9&]G M+FEN:2(*0T]2141)4CTB+W9A<B]C;W)E<R(*3$]#2T9)3$4](B]V87(O<G5N M+W-A;6)A+7=A=&-H9&]G+FQO8VLB"E-%4E9%4CTB8'5N86UE("UN8"(*4TA! M4D4](B(*"E9%4D)/4T4];F\*5$E-14]55#TQ-0I$4EE254X];F\*1T-/4D4] M;F\*4TQ%15`]-0I,3T-+140];F\*"@IU<V%G92 at I('L*8V%T(#P\14]&"E5S M86=E.B`D,"!;/&]P=&EO;G,^72!;/'-H87)E/ET*"D]P=&EO;G,Z"B`@("UH M?"TM:&5L<"`@("`@("`@("`@("`@("`@($1I<W!L87D@=&AI<R!I;F9O<FUA M=&EO;@H@("`M;GPM+6YO+7)E<W1A<G0@("`@("`@("`@("!$;R!N;W0@<F5S M=&%R="!D865M96]N<R!;4F5S=&%R=#H@)'M$4EE254Y]70H@("`M=GPM+79E M<F)O<V4@("`@("`@("`@("`@("!"92!V97)B;W-E(%M697)B;W-E.B`D>U9% M4D)/4T5]70H@("`M9WPM+6=C;W)E("`@("`@("`@("`@("`@("!&;W)C92!C M;W)E(&1U;7!S(&]F(')U;FYI;F<@=VEN8FEN9&0 at 9&%E;6]N<PH@("`M1WPM M+6=C;W)E+6%L;"`@("`@("`@("`@("!&;W)C92!C;W)E(&1U;7!S(&]F(&%L M;"!R=6YN:6YG(&1A96UO;G,*("`@+41\+2UD865M;VYS(#QL:7-T/B`@("`@ M("`@1&%E;6]N<R!T;R!M;VYI=&]R(&%N9"!G970 at 8V]R92!D=6UP<R!F<F]M M(%M$865M;VYS.B`D>T1!14U/3E-]70H@("`M2'PM+6AO<W0@/&YA;64^("`@ M("`@("`@("!397)V97(@=&\@8V]N;F5C="!T;R!;2&]S=#H@)'M315)615)] M70H@("`M0WPM+6-O<F5D:7(@/&1I<CX@("`@("`@("!$:7)E8W1O<GD@=&\@ M<W1O<F4 at 8V]R92!D=6UP(&9I;&5S(%M$:7)E8W1O<GDZ("1[0T]2141)4GUM"B`@("U4?"TM=&EM96]U="`\<V5C;VYD<SX@("`@($-O;FYE8W1I;VX at 871T M96UP="!T:6UE;W5T(%M4:6UE;W5T.B`D>U1)345/551]70H@("`M07PM+6%U M=&AF:6QE(#QF:6QE/B`@("`@("!#<F5D96YT:6%L<R!D871A(&9I;&4 at 6T9I M;&4Z("1[05542$9)3$5]70H@("`M4WPM+7-L965P(#QS96-O;F1S/B`@("`@ M("!396-O;F1S('1O('-L965P(&)E='=E96X at 8V]N;F5C=&EO;B!A='1E;7!T M<R!;4VQE97`Z("1[4TQ%15!]70I%3T8*?0H*"F-L96%N=7`H*2!["B`@("!I M9B!;("(D3$]#2T5$(B`]('EE<R!=.R!T:&5N"B`@("`@("`@<FT at +68@(B1, M3T-+1DE,12(*("`@(&9I"@H@("`@<FT at +68@(B1435!&24Q%(@I]"@H*;&]C M:R at I('L*("`@(%1%35!,3T-+/2(D3$]#2T9)3$4N)"0B"B`@("!E8VAO("(D M)"(@/B(D5$5-4$Q/0TLB"B`@("!I9B`A(&QN("(D5$5-4$Q/0TLB("(D3$]# M2T9)3$4B.R!T:&5N"B`@("`@("`@96-H;R`B)#`Z($5R<F]R.B`D>TQ/0TM& M24Q%?3H at 1F%I;'5R92!T<GEI;F<@=&\@87%U:7)E(&QO8VL at 9FEL92`M(&=I M=FEN9R!U<"(@/B8R"B`@("`@("`@97AI="`Q"B`@("!F:0H@("`@3$]#2T5$ M/7EE<PH@("`@<FT at +68@(B1414U03$]#2R(*?0H*"G1R>5]C;VYN96-T*"D@ M>PH@("`@9&%T92`^(B1435!&24Q%(@H@("`@=&EM96]U="`B)%1)345/550B M("(D4TU"0TQ)14Y4(B`M="(D5$E-14]55"(@+6U334(S("U!(B1!551(1DE, M12(@+6-Q("(D,2(@/CXB)%1-4$9)3$4B(#(^)C$*("`@(%)#/2(D/R(*("`@ M(&EF(%L@)%)#("$](#`@73L@=&AE;@H@("`@("`@(&EF(%L@)%9%4D)/4T4@ M/2!Y97, at 73L@=&AE;@H@("`@("`@("`@("!I9B!;("120R`](#$R-"!=.R!T M:&5N"B`@("`@("`@("`@("`@("!E8VAO("(D,#H at 3F]T:6-E.B!334(@8V]N M;F5C=&EO;B!T;R`O+R1[4T525D52?2\D>U-(05)%?2!T:6UE9"!O=70B(#XF M, at H@("`@("`@("`@("!E;'-E"B`@("`@("`@("`@("`@("!E8VAO("(D,#H@ M3F]T:6-E.B!334(@8V]N;F5C=&EO;B!T;R`O+R1[4T525D52?2\D>U-(05)% M?2!F86EL960@=VET:"!E>&ET(&-O9&4@)%)#(B`^)C(*("`@("`@("`@("`@ M9FD*("`@("`@("`@("`@8V%T("(D5$U01DE,12(@/B8R"B`@("`@("`@9FD* M("`@("`@("!C870@(B1435!&24Q%(B`^/B(D3$]'1DE,12(*("`@(&9I"B`@ M("!R;2`M9B`B)%1-4$9)3$4B"B`@("!R971U<FX@)%)#"GT*"@IG971?<&ED M<R at I('L*("`@('!G<F5P("UX("0Q('P@='(@)UQN)R`G("<*?0H*"F1O7V=C M;W)E*"D@>PH@("`@1$%413TB8&1A=&4@)RLE62TE;2TE9"=@(@H@("`@1$E2 M/2(D0T]2141)4B\D,2XD1$%412(*("`@(&EF(%L@(2`M9"`B)$1)4B(@73L@ M=&AE;@H@("`@("`@(&UK9&ER("(D1$E2(B!\?"!R971U<FX*"B`@("`@("`@ M4$E$4STB8&=E=%]P:61S("0Q8"(*("`@("`@("!I9B!;("(D4$E$4R(@(3T@ M(B(@73L@=&AE;@H)("`@(&EF(%L@)%9%4D)/4T4@/2!Y97, at 73L@=&AE;@H) M"65C:&\@+6X@(B0P.B!.;W1I8V4Z($=E='1I;F<@8V]R92!D=6UP<R!I;B`D M1$E2(&]F("0Q('!R;V-E<W-E<SHB(#XF, at H)("`@(&9I"@D@("`@9F]R(%!) M1"!I;B`D4$E$4SL at 9&\*"0EI9B!;("1615)"3U-%(#T@>65S(%T[('1H96X* M"0D@("`@96-H;R`M;B`B("10240B(#XF, at H)"69I"@D)9V-O<F4 at +6,@(B1$ M25(O8V]R92XD4$E$(B`B)%!)1"(*"2`@("!D;VYE"@D@("`@:68 at 6R`D5D52 M0D]312`]('EE<R!=.R!T:&5N"@D)96-H;R`B(B`^)C(*"2`@("!F:0H)9FD* M("`@(&9I"GT*"@IG971?<&ED<U]W86ET*"D@>PH@("`@4$E$4STB8&=E=%]P M:61S("0Q8"(*("`@(&EF(%L@(B102413(B`A/2`B(B!=.R!T:&5N"B`@("`@ M("`@<VQE97`@,0H@("`@("`@(%!)1%,](F!G971?<&ED<R`D,6`B"B`@("`@ M("`@:68 at 6R`B)%!)1%,B("$]("(B(%T[('1H96X*("`@("`@("`@("`@<VQE M97`@, at H@("`@("`@("`@("!02413/2)@9V5T7W!I9',@)#%@(@H@("`@("`@ M("`@("!I9B!;("(D4$E$4R(@(3T@(B(@73L@=&AE;@H@("`@("`@("`@("`@ M("`@<VQE97`@, at H@("`@("`@("`@("`@("`@4$E$4STB8&=E=%]P:61S("0Q M8"(*("`@("`@("`@("`@9FD*("`@("`@("!F:0H@("`@9FD*("`@(&5C:&\@ M)%!)1%,*?0H*"DU/4D4]>65S"G=H:6QE(%L@)$U/4D4@/2!Y97, at 73L@9&\* M("`@(&-A<V4@(B0Q(B!I;@H)+6A\+2UH96QP*0H@("`@("`@("`@("!U<V%G M90H)("`@(&5X:70@,`H)("`@(#L["@DM;GPM+6YO+7)E<W1A<G0I"@D@("`@ M1%)94E5./7EE<PH)("`@(#L["@DM=GPM+79E<F)O<V4I"@D@("`@5D520D]3 M13UY97,*"2`@("`[.PH)+6=\+2UG8V]R92D*"2`@("!'0T]213UW:6YB:6YD M9`H)("`@(#L["@DM1WPM+6=C;W)E+6%L;"D*"2`@("!'0T]213UA;&P*"2`@ M("`[.PH@("`@("`@("U!?"TM875T:&9I;&4I"B`@("`@("`@("`@($%55$A& M24Q%/2(D,B(*("`@("`@("`@("`@<VAI9G0*("`@("`@("`@("`@.SL*("`@ M("`@("`M1'PM+61A96UO;G,I"B`@("`@("`@("`@($1!14U/3E,](B0R(@H@ M("`@("`@("`@("!S:&EF=`H@("`@("`@("`@("`[.PH@("`@("`@("U(?"TM M:&]S="D*("`@("`@("`@("`@4T525D52/2(D,B(*("`@("`@("`@("`@<VAI M9G0*("`@("`@("`@("`@.SL*"2U#?"TM8V]R961I<BD*"2`@("!#3U)%1$E2 M/2(D,B(*"2`@("!S:&EF=`H)("`@(#L["@DM5'PM+71I;65O=70I"@D@("`@ M5$E-14]55#TB)#(B"@D@("`@<VAI9G0*"2`@("`[.PH)+5-\+2US;&5E<"D* M"2`@("!33$5%4#TB)#(B"@D@("`@<VAI9G0*"2`@("`[.PH@("`@("`@("U\ M+2TI"B`@("`@("`@("`@($U/4D4];F\*("`@("`@("`@("`@<VAI9G0*("`@ M("`@("`@("`@.SL*"2TJ*0H)("`@(&5C:&\@(B0P.B!%<G)O<CH@)#$Z($EN M=F%L:60@<W=I=&-H("AT<GD at +2UH96QP(&9O<B!U<V%G92!I;F9O<FUA=&EO M;BDB(#XF, at H)("`@(&5X:70@,0H)("`@(#L["@DJ*0H)("`@($U/4D4];F\* M"2`@("`[.PH@("`@97-A8PH@("`@:68 at 6R`D34]212`]('EE<R!=.R!T:&5N M"@ES:&EF=`H@("`@9FD*9&]N90H*"FEF(%L@(2`M>"`B)%--0D-,245.5"(@ M73L@=&AE;@H@("`@96-H;R`B)#`Z($5R<F]R.B`D>U--0D-,245.5'TZ($YO M('-U8V@@97AE8W5T86)L92!F:6QE(B`^)C(*("`@(&5X:70@,0IF:0H@("`@ M"FEF(%L@(2`M<B`B)$%55$A&24Q%(B!=.R!T:&5N"B`@("!E8VAO("(D,#H@ M17)R;W(Z("1[05542$9)3$5].B!#<F5D96YT:6%L<R!F:6QE(&YO="!R96%D M86)L92(@/B8R"B`@("!E>&ET(#$*9FD*"FEF(%L@(B0Q(B`]("(B(%T[('1H M96X*("`@(%-(05)%/2)@='(@+60@)R`G(#Q<(B1!551(1DE,15PB('P at 87=K M("U&/2`G*"0Q(#T](%PB=7-E<FYA;65<(BD@>W!R:6YT("0R?2=@(@IE;'-E M"B`@("!32$%213TB)#$B"F9I"@II9B!;("(D4T525D52(B`]("(B(%T[('1H M96X*("`@(&5C:&\@(B0P.B!%<G)O<CH at 3F\@<V5R=F5R(&1E9FEN960B(#XF M, at H@("`@97AI="`Q"F9I"@II9B!;("(D4TA!4D4B(#T@(B(@73L@=&AE;@H@ M("`@96-H;R`B)#`Z($5R<F]R.B!.;R!S:&%R92!D969I;F5D(B`^)C(*("`@ M(&5X:70@,0IF:0H*:68@(2!F9W)E<"`M<2`G<V%M8F%?<V5R=F5R7V5N86)L M93TB6453(B<@+V5T8R]R8RYC;VYF("]E=&,O<F,N8V]N9BYD+RH[('1H96X* M("`@(&5C:&\@(B0P.B!%<G)O<CH at 4V%M8F$@<V5R=F5R(&YO="!E;F%B;&5D M(&]N('1H:7,@<WES=&5M(B`^)C(*("`@(&5X:70@,0IF:0H@("`@"@IL;V-K M"G1R87`@(F-L96%N=7`B(#`*"G1R>5]C;VYN96-T("(O+R1[4T525D52?2\D M>U-(05)%?2(*4D,])#\*:68 at 6R`D4D,@/2`P(%T[('1H96X*("`@(&5X:70@ M,`IF:0H*(R!&86EL960@;VYC92`M('1R>2!A9V%I;B`U('-E8V]N9',@;&%T M97(*<VQE97`@(B133$5%4"(*"G1R>5]C;VYN96-T("(O+R1[4T525D52?2\D M>U-(05)%?2(*4D,])#\*:68 at 6R`D4D,@/2`P(%T[('1H96X*("`@(&EF(%L@ M)%9%4D)/4T4@/2!Y97, at 73L@=&AE;@H@("`@("`@(&5C:&\@(B0P.B!.;W1I M8V4Z(%--0B!C;VYN96-T:6]N('1O("\O)'M315)615)]+R1[4TA!4D5]($]+ M(&%T('-E8V]N9"!A='1E;7!T(B`^)C(*("`@(&9I"B`@("!E>&ET(#`*9FD* M"B, at 1F%I;&5D('1W:6-E("T@=')Y(&%G86EN(#4@<V5C;VYD<R!L871E<@IS M;&5E<"`B)%-,1450(@H*=')Y7V-O;FYE8W0@(B\O)'M315)615)]+R1[4TA! M4D5](@I20STD/PII9B!;("120R`](#`@73L@=&AE;@H@("`@:68 at 6R`D5D52 M0D]312`]('EE<R!=.R!T:&5N"B`@("`@("`@96-H;R`B)#`Z($YO=&EC93H@ M4TU"(&-O;FYE8W1I;VX@=&\@+R\D>U-%4E9%4GTO)'M32$%217T at 3TL@870@ M=&AI<F0 at 871T96UP="(@/B8R"B`@("!F:0H@("`@97AI="`P"F9I"@II9B!; M("1'0T]212`A/2!N;R!=.R!T:&5N"B`@("!F;W(@1$%%34].(&EN("1$045- M3TY3.R!D;PH@("`@("`@(&EF(%L@)$=#3U)%(#T at 86QL("UO("1'0T]212`] M("(D1$%%34].(B!=.R!T:&5N"B`@("`@("`@("`@(&1O7V=C;W)E("(D1$%% M34].(@H@("`@("`@(&9I"B`@("!D;VYE"F9I"@I02413/2)@9V5T7W!I9',@ M=VEN8FEN9&1@(@II9B!;("(D4$E$4R(@(3T@(B(@+6$@)%)#(#T@,3(T(%T[ M('1H96X*("`@(", at 3VYL>2!R97-T87)T(%=I;F)I;F0@:68@=V4 at 9V]T(&$@ M=&EM96]U=`H*("`@(&EF(%L@)$1265)53B`]('EE<R!=.R!T:&5N"@EE8VAO M("(D,#H at 3F]T:6-E.B!.3U0 at 5&5R;6EN871I;F<@=VEN8FEN9&0@<')O8V5S M<V5S(&1U92!T;R!D<GDM<G5N.B`D4$E$4R(@/B8R"B`@("`@("`@97AI="`P M"B`@("!F:0H@("`@("`@(`H@("`@:68 at 6R`D5D520D]312`]('EE<R!=.R!T M:&5N"@EE8VAO("(D,#H at 3F]T:6-E.B!497)M:6YA=&EN9R!W:6YB:6YD9"!P M<F]C97-S97,Z("102413(B`^)C(*("`@(&9I"@H@("`@:VEL;"`D4$E$4PH* M("`@(%!)1%,](F!G971?<&ED<U]W86ET('=I;F)I;F1D8"(*("`@(&EF(%L@ M(B102413(B`A/2`B(B!=.R!T:&5N"@EI9B!;("1615)"3U-%(#T@>65S(%T[ M('1H96X*"2`@("!E8VAO("(D,#H at 3F]T:6-E.B!&;W)C:6)L>2`H4TE'2TE, M3"D@=&5R;6EN871I;F<@<F5M86EN:6YG('=I;F)I;F1D('!R;V-E<W-E<SH@ M)%!)1%,B(#XF, at H)9FD*"6MI;&P at +3D@)%!)1%,*("`@("`@("!02413/2)@ M9V5T7W!I9'-?=V%I="!W:6YB:6YD9&`B"B`@("!F:0H*("`@(&EF(%L@(B10 M2413(B`A/2`B(B!=.R!T:&5N"B`@("`@("`@96-H;R`B)#`Z($9A=&%L.B!5 M;F%B;&4@=&\@=&5R;6EN871E(&%L;"!R=6YN:6YG('=I;F)I;F1D(&1A96UO M;G, at +2!G:79I;F<@=7`B(#XF, at H@("`@("`@(&5X:70@,0H@("`@9FD*9FD* M"B,@"B, at 36%K92!S=7)E('=I;F)D9"!I<R!R=6YN:6YG(&%N9"!R97-T87)T M(&ET(&EF(&YO=`HC"FEF(%L@(B102413(B`]("(B(%T[('1H96X*("`@(&EF M(%L@)$1265)53B`]('EE<R!=.R!T:&5N"B`@("`@("`@:68 at 6R`D5D520D]3 M12`]('EE<R!=.R!T:&5N"B`@("`@("`@("`@(&5C:&\@(B0P.B!.;W1I8V4Z M($Y/5"!297-T87)T:6YG('=I;F)I;F1D(&1A96UO;G, at 9'5E('1O(&1R>2UR M=6XB(#XF, at H@("`@("`@(&9I"B`@("`@("`@97AI="`P"B`@("!F:0H@("`@ M"B`@("!I9B!;("1615)"3U-%(#T@>65S(%T[('1H96X*("`@("`@("!E8VAO M("(D,#H at 3F]T:6-E.B!3=&%R=&EN9R!W:6YB:6YD9"!D865M;VYS(B`^)C(* M("`@(&9I"B`@("`*("`@("(D>U=)3D))3D1$?2(@+2UD865M;VX*9FD*"@HC M(`HC($UA:V4@<W5R92!S;6)D(&ES(')U;FYI;F<@86YD(')E<W1A<G0@:70@ M:68@;F]T"B,*4$E$4STB8&=E=%]P:61S7W=A:70@<VUB9&`B"FEF(%L@(B10 M2413(B`]("(B(%T[('1H96X*("`@(&EF(%L@)$1265)53B`]('EE<R!=.R!T M:&5N"B`@("`@("`@:68 at 6R`D5D520D]312`]('EE<R!=.R!T:&5N"B`@("`@ M("`@("`@(&5C:&\@(B0P.B!.;W1I8V4Z($Y/5"!3=&%R=&EN9R!S;6)D(&1A M96UO;G, at 9'5E('1O(&1R>2UR=6XB(#XF, at H@("`@("`@(&9I"B`@("`@("`@ M97AI="`P"B`@("!F:0H@("`@"B`@("!I9B!;("1615)"3U-%(#T@>65S(%T[ M('1H96X*("`@("`@("!E8VAO("(D,#H at 3F]T:6-E.B!3=&%R=&EN9R!S;6)D M(&1A96UO;G,B(#XF, at H@("`@9FD*("`@(`H@("`@(B1[4TU"1'TB("TM9&%E /;6]N"F9I"@IE>&ET(#`* ` end> On 23 Dec 2018, at 06:25, Chris via samba <samba at lists.samba.org> wrote: > > On Mon, 17 Dec 2018 01:19:54 +0100 > Chris via samba wrote: > >> If you're connecting from a Windows 10 client and do not add >> >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> winbind refresh tickets = Yes >> >> to smb.conf, the SMB3_11 connection is closed, as soon as the service >> ticket expires. > > They're also closed with those lines. > > Louis' stable stretch 4.8 package isn't affected. > > I'll use NTLM now. It's still supported by Win10. > > Keep it simple stupid. > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >