Neil Price
2019-Apr-25 11:00 UTC
[Samba] AD member server, some users suddenly can only connect to shares via ip address
I've got some 4.6.5 member servers (debian stretch) that have been running flawlessly for many months. Suddenly a few users get a password prompt when connecting to shares. But they can connect with the ip address. (windows 7 and 10 clients). This happened on all of the member servers at the same time.

The chances of getting the password prompt seem to increase if you are on a different subnet, especially a remote one (WAN connection). There are no firewalls between the subnets.

The key error seems to be this:

gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pta-cluster.ad.gibb.co.za at AD.GIBB.CO.ZA(kvno 81) in keytab MEMORY:cifs_srv__keytab (aes256-cts-hmac-sha1-96)]

(pta-cluster.ad.gibb.co.za is the member server)

I'm guessing this is a kerberos keytab error. I am using the default kerberos method in smb.conf.

dig and dig -x show the expected results, as do nslookup on the windows clients.

My DCs are real Windows 2008 and 2012 servers.
Rowland Penny
2019-Apr-25 11:46 UTC
[Samba] AD member server, some users suddenly can only connect to shares via ip address
On Thu, 25 Apr 2019 13:00:37 +0200
Neil Price via samba <samba at lists.samba.org> wrote:

> I've got some 4.6.5 member servers (debian stretch) that have been
> running flawlessly for many months. Suddenly a few users get a
> password prompt when connecting to shares. But they can connect with
> the ip address. (windows 7 and 10 clients). This happened on all of
> the member servers at the same time.
>
> The chances of getting the password prompt seem to increase if you
> are on a different subnet, especially a remote one (WAN connection).
> There are no firewalls between the subnets.
>
> The key error seems to be this

No, the key error is that DNS doesn't seem to be working. If you can connect via IP address, then you are not using kerberos.

I would peer very closely at the DNS servers and configuration.

Rowland
Neil Price
2019-Apr-25 12:38 UTC
[Samba] AD member server, some users suddenly can only connect to shares via ip address
On 2019/04/25 13:46, Rowland Penny via samba wrote:
> No, the key error is that dns doesn't seem to be working, if you can
> connect via ipaddress, then you are not using kerberos.
>

The server is resolved just fine, it just gets a password prompt. The server can also resolve the client correctly.

I see this issue came up before: https://lists.samba.org/archive/samba/2016-September/203338.html
L.P.H. van Belle
2019-Apr-25 13:33 UTC
[Samba] AD member server, some users suddenly can only connect to shares via ip address
Hai,

Small addition to Rowland's question.

> dig and dig -x show the expected results, as do nslookup on the windows

And did you test this against all your DNS servers? Or just random servers?

> keytab MEMORY:cifs_srv__keytab (aes256-cts-hmac-sha1-96)]

Did you check the keytab list on the member? klist -ket

> On 2019/04/25 13:46, Rowland Penny via samba wrote:
> > No, the key error is that dns doesn't seem to be working, if you can
> > connect via ipaddress, then you are not using kerberos.

You get the prompt because your clients are trying NTLM auth.

But the best advice I can give you: upgrade samba and that problem is fixed. This is an old bug.

And the same: https://lists.samba.org/archive/samba/2015-July/193009.html
Fix was: in smb.conf, changing
    kerberos method = dedicated keytab
to
    kerberos method = secrets and keytab

https://lists.samba.org/archive/samba/2017-January/206132.html
Fix: firewall change on Windows.

Greetz,
Louis
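The check Louis suggests (klist -ket) is easier to act on if you compare the listing against the exact principal, kvno and enctype named in the gss_accept_sec_context error from Neil's first post. The script below is an added example written for this thread, not code from the list or from the Samba project; it parses a constructed klist -ket listing (embedded inline, not captured from a real server) in which the cifs/ SPN is present only at kvno 80, and reports whether the key the DC is issuing tickets for (kvno 81, aes256-cts-hmac-sha1-96) exists, so a "STALE" verdict points at a keytab that was not refreshed after the machine account password changed, while "MISSING" points at an SPN that was never put in the keytab. The host, realm and SPN are taken from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example: check a member server's keytab against the kvno/enctype
# a DC is asking for. The listing below is CONSTRUCTED sample output in
# the format of `klist -ket`; it is not captured from a real server.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  80 01/10/2019 09:12:33 cifs/pta-cluster.ad.gibb.co.za@AD.GIBB.CO.ZA (aes256-cts-hmac-sha1-96)
  80 01/10/2019 09:12:33 cifs/pta-cluster.ad.gibb.co.za@AD.GIBB.CO.ZA (aes128-cts-hmac-sha1-96)
  80 01/10/2019 09:12:33 cifs/pta-cluster.ad.gibb.co.za@AD.GIBB.CO.ZA (arcfour-hmac)
  80 01/10/2019 09:12:33 PTA-CLUSTER$@AD.GIBB.CO.ZA (aes256-cts-hmac-sha1-96)'

# Hypothetical SPN built from the host and realm named in the thread.
SPN='cifs/pta-cluster.ad.gibb.co.za@AD.GIBB.CO.ZA'

# keytab_has_key <klist output> <principal> <kvno> <enctype>
# Exit 0 if the listing has that principal at that kvno with that enctype.
# klist -ket data lines are: KVNO date time principal (enctype); header and
# separator lines never have a numeric first field, so they cannot match.
keytab_has_key() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" -v e="($4)" '
        $1 == k && $4 == p && $5 == e { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_kvnos <klist output> <principal>
# Prints the distinct kvnos present for a principal, space separated
# (empty when the principal is absent).
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# diagnose <klist output> <principal> <wanted kvno> <wanted enctype>
# Prints one verdict line. Exit 0 only when the requested key is present.
diagnose() {
    if keytab_has_key "$1" "$2" "$3" "$4"; then
        echo "OK: $2 kvno $3 ($4) is in the keytab"
        return 0
    fi
    have=$(keytab_kvnos "$1" "$2")
    if [ -z "$have" ]; then
        echo "MISSING: $2 is not in the keytab at all"
    else
        echo "STALE: keytab has $2 at kvno $have, DC wants kvno $3"
    fi
    return 1
}

# Stand-alone run against the constructed sample: the error in the thread
# names kvno 81 and aes256-cts-hmac-sha1-96, the sample only has kvno 80.
diagnose "$SAMPLE_KLIST" "$SPN" 81 aes256-cts-hmac-sha1-96 || :

# Live use on a member server (not exercised here): feed it the real
# listing and the kvno/enctype copied from the gss_accept_sec_context
# line in log.smbd, e.g.
#   diagnose "$(klist -ket)" "cifs/$(hostname -f)@AD.GIBB.CO.ZA" 81 aes256-cts-hmac-sha1-96
```

A "STALE" result on a live server means the DC has rotated the machine account key since the keytab was last written; a "MISSING" result means the SPN was never exported into the keytab. Either way the next step is to look at the kerberos method in smb.conf (whether Samba is maintaining that keytab at all) and at which keytab smbd is actually reading, since the error in this thread names an in-memory keytab (MEMORY:cifs_srv__keytab) rather than the file klist reads by default.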