Hello, I've to migrate one file server (old samba 3) to a new file samba 4. I thought I could use the parameter netbios aliases = oldsamba but it doesn't work: trying to access the share with the old names, the credentials popup appears and the log shows:

gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba3 at lan.corp(kvno 107) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Unfortunately I have to keep active also the old server, for which I thought I could solve with the dns.

Any help?

thnx.

For this to work

Below shows a A on the old hostname, correct ?
With the "netbios alias" used in samba.

Setup like this :
The new server..
hostname => DNS A
IP => DNS PTR
Netbios Alias => CNAME OLDSERVERNAME

And try again.
Remove the A/PTR of the old hostname also.
Only a CNAME is sufficient..

Note, the new server MUST have A and PTR setup.

optional, set dns proxy = yes in smb.conf

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> banda bassotti via samba
> Sent: Thursday 26 September 2019 11:13
> To: samba at lists.samba.org
> Subject: [Samba] access to share with dns alias hostname
>
> Hello, I've to migrate one file server (old samba 3) to a new
> file samba 4,
> I thought I could use the parameters netbios aliases = oldsamba but it
> doesn't work, trying to access the share, with the old names, the
> credentials popup appears and the log show:
>
> gss_accept_sec_context failed with [ Miscellaneous failure
> (see text):
> Failed to find cifs/oldsamba3 at lan.corp(kvno 107) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> unfortunately I have to keep active also the old server for
> which I thought
> I could solve with the dns.
>
> any help?
>
> thnx.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 26/09/2019 10:25, L.P.H. van Belle via samba wrote:
> For this to work
>
> Below shows a A on the old hostname, correct ?
> With the "netbios alias" used in samba.
>
> Setup like this :
> The new server..
> hostname => DNS A
> IP => DNS PTR
> Netbios Alias => CNAME OLDSERVERNAME
>
> And try again.
> Remove the A/PTR of the old hostname also.
> Only a CNAME is sufficient..
>
> Note, the new server MUST have A and PTR setup.

Will this work ? what about the kerberos ticket ?

>
> optional, set dns proxy = yes in smb.conf

If unset, that is the default, but it is an 'nmbd' thing and I am not sure if 'nbt' on a DC has the required code.

It sounds to me that the OP has classicupgraded an NT4-style domain to an AD domain. If so, then unless he has modified the smb.conf, the old machine will still be running as a PDC.

I think he needs to give us more info.

Starting with the smb.conf from the new AD DC and the old PDC.

Rowland

On 26/09/2019 11:44, banda bassotti wrote:
> Hi, no it doesn't work:
>
> [2019/09/26 12:06:18.715651,  1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see
> text): Failed to find cifs/oldsamba at lan.corp(kvno 107) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> rowland, you are right we have before migrated the old samba3 domain
> to a new UCS (univention).

Then a question:

Are you paying UCS anything ?

If so, get them to sort it out for you, that is what you are paying for.

If not, then post the smb.conf from the UCS machine and the smb.conf from the old machine.

Rowland

Hai,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Thursday 26 September 2019 11:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] access to share with dns alias hostname
>
> On 26/09/2019 10:25, L.P.H. van Belle via samba wrote:
> > For this to work
> >
> > Below shows a A on the old hostname, correct ?
> > With the "netbios alias" used in samba.
> >
> > Setup like this :
> > The new server..
> > hostname => DNS A
> > IP => DNS PTR
> > Netbios Alias => CNAME OLDSERVERNAME
> >
> > And try again.
> > Remove the A/PTR of the old hostname also.
> > Only a CNAME is sufficient..
> >
> > Note, the new server MUST have A and PTR setup.
> Will this work ? what about the kerberos ticket ?

Yes, if you access a server through its CNAME, the CNAME will resolve back to the original hostname and its A and PTR record, which makes kerberos work.

> >
> > optional, set dns proxy = yes in smb.conf
>
> If unset, that is the default, but it is an 'nmbd' thing and I am not
> sure if 'nbt' on a DC has the required code.

As far as I see here, this only works on members.

>
> It sounds to me that the OP has classicupgraded an NT4-style
> domain to
> an AD domain. If so, then unless he has modified the
> smb.conf, the old
> machine will still be running as a PDC.
>
> I think he needs to give us more info.

Yes, that also..

>
> Starting with the smb.conf from the new AD DC and the old PDC.
>
> Rowland

Hi, below the required files:

smb.conf of ucs master:

[global]
    logging = file
    max log size = 0
    netbios name = ucs
    server role = active directory domain controller
    name resolve order = wins host bcast
    server string = Univention Corporate Server
    server services = -dns -smb +s3fs -nbt
    server role check:inhibit = yes
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup = LAN
    realm = LAN.CORP
    tls enabled = yes
    tls keyfile = /etc/univention/ssl/ucsdc.comune.padova.it/private.key
    tls certfile = /etc/univention/ssl/ucsdc.comune.padova.it/cert.pem
    tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
    tls verify peer = ca_and_name
    ldap server require strong auth = no
    dsdb:schema update allowed = no
    max open files = 32808
    ntlm auth = yes
    machine password timeout = 0
    acl allow execute always = True
    # ignore interfaces in samba/register/exclude/interfaces
    bind interfaces only = yes
    interfaces = lo eth0
    kccsrv:samba_kcc = False
    debug hirestimestamp = yes
    debug pid = yes
    winbind separator = +
    template shell = /bin/bash
    template homedir = /home/%D-%U
    idmap config * : backend = tdb
    idmap config * : range = 300000-400000
    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
    obey pam restrictions = yes
    encrypt passwords = yes
    spoolss: architecture = Windows x64
    ; domain service lookup related settings
    preferred master = yes
    local master = yes
    domain master = yes
    wins support = yes
    ; miscellaneous settings, mostly for file services
    oplocks = yes
    large readwrite = yes
    read raw = yes
    write raw = yes
    max xmit = 65535
    acl:search = no
    host msdfs = yes
    kernel oplocks = yes
    deadtime = 15
    getwd cache = yes
    wide links = no
    store dos attributes = yes
    logon home = \\ucs\%U
    logon drive = I:
    logon path = \\ucs\%U\windows-profiles\%a
    preserve case = yes
    short preserve case = yes
    guest account = nobody
    map to guest = Bad User
    admin users = administrator join-backup
    usershare max shares = 0

smb.conf of new member server:

[global]
    workgroup = LAN
    realm = lan.corp
    netbios name = fs1
    netbios aliases = oldsamba3
    security = ADS
    logging = file
    log level = 1 auth_audit:3
    log file = /var/log/samba/%m.log
    idmap config *:backend = tdb
    idmap config *:range = 300000-400000
    idmap config LAN:backend = rid
    idmap config LAN:range = 500000-700000
    vfs objects = acl_xattr full_audit
    map acl inherit = Yes
    store dos attributes = Yes
    winbind separator = +
    winbind use default domain = yes
    winbind offline logon = yes
    winbind cache time = 3600
    winbind enum groups = yes
    winbind enum users = yes
    template homedir = /home/%U
    usershare allow guests = yes
    usershare path username map = /etc/samba/user.map

On Thu 26 Sep 2019 at 13:05, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 26/09/2019 11:44, banda bassotti wrote:
> > Hi, no it doesn't work:
> >
> > [2019/09/26 12:06:18.715651, 1]
> > ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> > gss_accept_sec_context failed with [ Miscellaneous failure (see
> > text): Failed to find cifs/oldsamba at lan.corp(kvno 107) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > rowland, you are right we have before migrated the old samba3 domain
> > to a new UCS (univention).
>
> Then a question:
>
> Are you paying UCS anything ?
>
> If so, get them to sort it out for you, that is what you are paying for.
>
> If not, then post the smb.conf from the UCS machine and the smb.conf
> from the old machine.
>
> Rowland
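
A small triage helper for the error quoted throughout this thread, added here as an example and not code from any poster or from Samba: it parses the "Failed to find ... in keytab" message and reports whether the requested host name is the `netbios name` or a `netbios aliases` entry in the member's smb.conf. The function names and the sample strings are assumptions, constructed from the values quoted above.

```python
import re

# Constructed samples built from the values quoted in the thread. The list
# archive rewrites "@" as " at ", so the pattern accepts both spellings.
MEMBER_CONF = "[global]\nnetbios name = fs1\nnetbios aliases = oldsamba3\n"
_ERR = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
        "Failed to find cifs/{} at lan.corp(kvno 107) in keytab "
        "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")
LOG_LINES = [_ERR.format("oldsamba3"), _ERR.format("oldsamba")]

MISSING_KEY = re.compile(
    r"Failed to find (?P<service>[^/\s]+)/(?P<host>[^@\s]+)(?:@|\s+at\s+)"
    r"(?P<realm>[^\s(]+)\s*\(kvno (?P<kvno>\d+)\) in keytab (?P<keytab>\S+)"
    r"\s+\((?P<enctype>[^)]+)\)"
)

def global_params(conf_text):
    """Parse 'key = value' lines; keys are lower-cased, whitespace-normalised."""
    params = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def explain(log_line, conf_text):
    """Return the requested SPN and how its host part relates to smb.conf."""
    m = MISSING_KEY.search(log_line)
    if m is None:
        return None
    params = global_params(conf_text)
    host = m["host"].lower()
    aliases = re.split(r"[\s,]+", params.get("netbios aliases", "").lower())
    if host == params.get("netbios name", "").lower():
        status = "primary name"
    elif host in aliases:
        status = "configured alias"
    else:
        status = "not configured"
    # Realm is shown upper-case, the usual Kerberos convention.
    return {"spn": f"{m['service']}/{host}@{m['realm'].upper()}",
            "kvno": int(m["kvno"]), "enctype": m["enctype"], "name": status}

if __name__ == "__main__":
    for entry in LOG_LINES:
        print(explain(entry, MEMBER_CONF))
```

With the thread's values, the first failure names a configured alias whose key is nonetheless absent from the keytab, and the second names oldsamba, which the posted member smb.conf does not list.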