Sven Schwedas
2019-Jun-26  09:36 UTC
[Samba] Samba 4.10 member: SMB login no longer working
Overall domain architecture hasn't changed since my spring cleanup post earlier (I did sort out the krb5 packages and logging settings, though).

To start the migration, I figured I'd first update the file servers, since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 → 4.9, 4.9 → 4.10 seemed to work fine each step.

However, SMB logins either with smbclient or with Windows, Mac clients no longer work, generating the following error message:

> [2019/06/26 11:24:13.015993, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2019/06/26 11:24:13.021148, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2019/06/26 11:24:13.021265, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2019/06/26 11:24:13.021469, 3] ../../source3/smbd/smb2_server.c:3201(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
> [2019/06/26 11:24:13.022945, 3] ../../source3/smbd/server_exit.c:236(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)

wbinfo -t says the domain join is fine, and logins via winbind work fine too, so I'm not sure what's causing this error. As far as I can see, all the login-related smb.conf changes didn't affect us, since we were already on the backwards compatible defaults.
smb.conf:

> [global]
>     deadtime = 15
>     dns forwarder = 8.8.8.8
>     kerberos method = system keytab
>     logging = syslog
>     realm = AD.TAO.AT
>     security = ADS
>     server string = Netzlaufwerke Graz
>     template homedir = /home/%U
>     template shell = /bin/bash
>     tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
>     winbind use default domain = Yes
>     workgroup = AD
>     idmap config ad : unix_nss_info = yes

This was the only change that seemed necessary for a pure domain member like this.

>     idmap config ad : schema_mode = rfc2307
>     idmap config ad : range = 4500-50000
>     idmap config ad : backend = ad
>     idmap config * : range = 60000-61000
>     idmap_ldb:use rfc2307 = yes
>     idmap config * : backend = tdb
>     acl group control = Yes
>     aio read size = 16384
>     aio write size = 16384
>     create mask = 0770
>     directory mask = 0770
>     force create mode = 0660
>     force directory mode = 02770
>     inherit acls = Yes
>     inherit owner = windows and unix
>     inherit permissions = Yes
>     read only = No
>     use sendfile = Yes
>
> [homes]
>     comment = ~
>     volume = nethome
>
> [print$]
>     comment = Druckertreiber Windows
>     path = /srv/smb/Drucker/
>
> [printers]
>     browseable = No
>     comment = Drucker
>     path = /var/spool/samba
>     printable = Yes
>
> [public-graz]
>     comment = S:
>     path = /srv/smb
>     vfs objects = recycle
>     volume = Graz
>     recycle:versions = yes
>     recycle:keeptree = yes

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
sven.schwedas at tao.at | +43 680 301 7167
TAO Digital | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
Rowland penny
2019-Jun-26  13:16 UTC
[Samba] Samba 4.10 member: SMB login no longer working
I would remove these lines:

    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes

They only make sense on a DC.

I would also replace 'kerberos method = system keytab' with 'kerberos method = secrets and keytab'

Rowland
L.P.H. van Belle
2019-Jun-26  13:32 UTC
[Samba] Samba 4.10 member: SMB login no longer working
Sven...

What did you do. .. I thought, this was all done/fixed. ;-)

> Failed to find
> cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

You need to add the cifs/spn also to the AD and the keytab.
https://wiki.samba.org/index.php/Generating_Keytabs

Greetz,

Louis
Sven Schwedas
2019-Jun-26  14:02 UTC
[Samba] Samba 4.10 member: SMB login no longer working
On 26.06.19 15:32, L.P.H. van Belle via samba wrote:
> Sven...
>
> What did you do. .. I thought, this was all done/fixed. ;-)

I installed your packages, so naturally everything is your fault. ;)

Setting

> kerberos method = secrets and keytab

as suggested by Rowland did the trick. Guess I was too overzealous in trying to merge the servers' different smb.conf files together.

--
Sven Schwedas
L.P.H. van Belle
2019-Jun-26  14:25 UTC
[Samba] Samba 4.10 member: SMB login no longer working
Hai,

And Omg... You're right, it's my fault. :-/
I didn't say to you, you needed to make the changes, to change what Rowland showed.

I'm really sorry.. ;-) When I'm in Austria I'll buy you a beer.
Or if you want, teach you snowboarding.. I have another guy in Austria that can't ski/board.
I'm going to teach him also. .. So funny, a Dutch guy teaching two Austrian guys.. :-)

And how is it running now, do you notice your network is running better after the big changes?

Greetz,

Louis
Greetings, Sven Schwedas!

> Overall domain architecture hasn't changed since my spring cleanup post
> earlier (I did sort out the krb5 packages and logging settings, though).

> To start the migration, I figured I'd first update the file servers,
> since they're the least critical component. Upgrade 4.5 → 4.8, 4.8 →
> 4.9, 4.9 → 4.10 seemed to work fine each step.

> However, SMB logins either with smbclient or with Windows, Mac clients
> no longer work, generating the following error message:

>> [2019/06/26 11:24:13.015993, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
>>   Selected protocol SMB2_10
>> [2019/06/26 11:24:13.021148, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

I've stumbled upon a similar error on my mail server.

> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find MXS$@ADS.CCENTER.LAN(kvno 44) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Out of the blue, Dovecot stopped authorizing users. No system settings were changed, so I was sure it's some timed issue.

`net ads testjoin` and `wbinfo -t` both check ok.

Googling the network, I've stumbled upon the suggestion of https://bugzilla.samba.org/show_bug.cgi?id=12262 and attempted `net ads changetrustpw` on the domain member out of pure desperation.
Strangely enough, it solved the issue.

--
With best regards,
Andrey Repin
Wednesday, August 21, 2019 0:40:41

Sorry for my terrible English...
L.P.H. van Belle
2019-Aug-21  06:43 UTC
[Samba] Samba 4.10 member: SMB login no longer working
Hai, 
If you did run: net ads changetrustpw
then you did reset the "computer" password.
Can you post your smb.conf? (of the problem member)
I suspect you're missing parts like this.
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes
Greetz, 
Louis
 
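The two failures reported in this thread (a `cifs/` SPN lookup at kvno 100 and a machine-account lookup at kvno 44) can be told apart by comparing the logged lookup with the keytab on disk and with the `kerberos method` in use. The following is an added example, not code from the thread or from Samba: it assumes keytab listings in MIT `klist -ke` format, and the listings themselves (including the account name `GRAZ-FILE$`) are constructed samples, not the posters' real keytabs.

```python
import re

# Enctype 23 goes by several names: the log shows "arcfour-hmac-md5", MIT klist
# prints "arcfour-hmac" (newer releases prefix it with "DEPRECATED:").
ETYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}

# Key stores smbd consults for each `kerberos method` value, per smb.conf(5).
KEY_SOURCES = {
    "secrets only": ("secrets.tdb",),
    "system keytab": ("keytab",),
    "dedicated keytab": ("keytab",),
    "secrets and keytab": ("secrets.tdb", "keytab"),
}

HINTS = {
    "principal-missing": "the principal is not in the keytab at all",
    "kvno-stale": "the keytab only holds other key versions of this principal",
    "enctype-missing": "key version matches, but not for the ticket's enctype",
    "present": "on-disk keytab has the key; check which keytab smbd reads",
}

# Accepts "@" as logged and the " at " the list archive substitutes for it.
LOG_RE = re.compile(
    r"Failed to find (?P<princ>\S+?)(?:@| at )(?P<realm>[A-Z0-9.-]+)"
    r"\(kvno (?P<kvno>\d+)\) in keytab (?P<keytab>\S+) \((?P<etype>[^)]+)\)")
# One entry line of `klist -ke`: "<kvno> <principal>@<REALM> (<enctype>)".
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\(([^)]+)\)\s*$")

# Log messages as quoted in the thread.
SVEN_LOG = ("Failed to find cifs/graz-file.ad.tao.at at AD.TAO.AT(kvno 100) "
            "in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)")
ANDREY_LOG = ("Failed to find MXS$@ADS.CCENTER.LAN(kvno 44) "
              "in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)")

# Constructed keytab listings for illustration only.
KEYTAB_NO_CIFS = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
 100 host/graz-file.ad.tao.at@AD.TAO.AT (arcfour-hmac)
 100 GRAZ-FILE$@AD.TAO.AT (arcfour-hmac)
"""
KEYTAB_OLD_KVNO = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
  43 MXS$@ADS.CCENTER.LAN (aes256-cts-hmac-sha1-96)
  43 MXS$@ADS.CCENTER.LAN (DEPRECATED:arcfour-hmac)
"""


def norm_etype(name):
    """Map enctype spellings onto one canonical name."""
    name = name.strip().lower()
    if name.startswith("deprecated:"):
        name = name[len("deprecated:"):]
    return ETYPE_ALIASES.get(name, name)


def parse_log(line):
    """Extract what smbd looked for from a 'Failed to find ...' message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"principal": m["princ"], "realm": m["realm"],
            "kvno": int(m["kvno"]), "etype": norm_etype(m["etype"])}


def parse_keytab(listing):
    """Return (principal, realm, kvno, enctype) tuples from klist -ke output."""
    return [(m[2].lower(), m[3].upper(), int(m[1]), norm_etype(m[4]))
            for m in map(KLIST_RE.match, listing.splitlines()) if m]


def diagnose(log_line, keytab_listing, kerberos_method="secrets only"):
    """Classify why the lookup in log_line fails against keytab_listing."""
    want = parse_log(log_line)
    if want is None:
        raise ValueError("not a keytab lookup failure")
    sources = KEY_SOURCES[" ".join(kerberos_method.lower().split())]
    # Simplification: principal names are compared case-insensitively, as AD does.
    same = [e for e in parse_keytab(keytab_listing)
            if e[:2] == (want["principal"].lower(), want["realm"])]
    if not same:
        verdict = "principal-missing"
    elif all(e[2] != want["kvno"] for e in same):
        verdict = "kvno-stale"
    elif (want["kvno"], want["etype"]) not in [e[2:] for e in same]:
        verdict = "enctype-missing"
    else:
        verdict = "present"
    return {"wanted": want, "verdict": verdict, "hint": HINTS[verdict],
            "consults_secrets": "secrets.tdb" in sources}
```

When `consults_secrets` is false, a keytab gap is fatal for SMB logins because the machine password in secrets.tdb is never tried, which matches the fix reported in the thread.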