banda bassotti
2019-Oct-08 19:35 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
hello, today the following problem occurred:

[2019/10/08 09: 57: 23.568282, 1]
../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
gss_accept_sec_context failed with [Miscellaneous failure (see text):
Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
MEMORY: cifs_srv_keytab (arcfour-hmac-md5)]

in my smb.conf I have the lines:

kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/fs.keytab

# net ads keytab list
Vno Type Principal
108 arcfour-hmac-md5 cifs/fs-sahre@dom.corp
108 des-cbc-md5 cifs/fs-sahre@dom.corp
108 des-cbc-crc cifs/fs-sahre@dom.corp

it worked for several days, to make it work I used ktutils and adding the
spn again to have 109.

my /etc/krb5.conf:

[Libdefaults]
default_realm = DOM.CORP
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
allow_weak_crypto = true
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
kdc_timesync = 1
debug = false

any help ? :)
Rowland penny
2019-Oct-08 19:58 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 08/10/2019 20:35, banda bassotti via samba wrote:
> hello, today the following problem occurred:
>
> [2019/10/08 09: 57: 23.568282, 1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> gss_accept_sec_context failed with [Miscellaneous failure (see text):
> Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
> MEMORY: cifs_srv_keytab (arcfour-hmac-md5)]
>
> in my smb.conf I have the lines:
>
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/samba/fs.keytab
>
> # net ads keytab list
> Vno Type Principal
> 108 arcfour-hmac-md5 cifs/fs-sahre@dom.corp
> 108 des-cbc-md5 cifs/fs-sahre@dom.corp
> 108 des-cbc-crc cifs/fs-sahre@dom.corp
>
> it worked for several days, to make it work I used ktutils and adding the
> spn again to have 109.
>
> my /etc/krb5.conf:
>
> [Libdefaults]
> default_realm = DOM.CORP
> default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1
> des3-cbc-sha1
> allow_weak_crypto = true
> dns_lookup_kdc = true
> dns_lookup_realm = false
> forwardable = true
> proxiable = true
> kdc_timesync = 1
> debug = false
>
> any help ? :)

Did you know that there is a keytab in memory ?

This should have given you a hint:

Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab MEMORY: cifs_srv_keytab

What are you trying to do ? Presumably mount something using kerberos.

Rowland
Rowland penny
2019-Oct-08 20:26 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 08/10/2019 21:11, banda bassotti wrote:
> none of this :) access to the share by windows clients and yes, I can
> read, I only reported the log output nothing more,

If you are not mounting anything, then you do not need the keytab.

Also, I never said you couldn't read, I just pointed out that you can
look at the keytab '/etc/samba/fs.keytab' until you are blue in the
face, but it will do you no good, because it is the wrong keytab.

From your error message, something seems to be trying to mount a share
somewhere. If your clients are just connecting to a share and do not
need to mount anything, then I suggest you find what is trying to mount
the share and stop it.

Rowland
banda bassotti
2019-Oct-09 03:34 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Rowland, it is not a problem of mount but of kerberos ticket:

[2019/10/08 10:58:09.626059, 1]
../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT
content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2019/10/08 10:58:09.634532, 1]
../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/dom.corp@DOM.CORP(kvno 109) in keytab
MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno
109.
L.P.H. van Belle
2019-Oct-09 06:32 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
I suggest, you try this.

Check your time and update it.

Then change your krb5.conf file to.

[Libdefaults]
default_realm = DOM.CORP
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
kdc_timesync = 1
debug = false

And reboot your server, that makes sure memory is also clean.
Check again.

> Failed to find cifs/dom.corp@DOM.CORP

show the output of
hostname -s
hostname -d
hostname -f

And show your smb.conf if still not correct.

Greetz,

Louis
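Added example (not part of the thread, and not Samba code): a small Python check of the lookup that the gse.c error describes, matching the principal, kvno and enctype named in the log line against a "Vno Type Principal" listing such as the net ads keytab list output in the first message. The function names are made up for this example, the sample input is copied from the first message, and comparing principals case-insensitively is an assumption.

```python
import re

# Sample input copied from the first message of the thread.
LOG_LINE = ("gss_accept_sec_context failed with [Miscellaneous failure (see text): "
            "Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab "
            "MEMORY: cifs_srv_keytab (arcfour-hmac-md5)]")
KEYTAB_LIST = """\
Vno  Type              Principal
108  arcfour-hmac-md5  cifs/fs-sahre@dom.corp
108  des-cbc-md5       cifs/fs-sahre@dom.corp
108  des-cbc-crc       cifs/fs-sahre@dom.corp
"""

FAIL_RE = re.compile(
    r"Failed to find (\S+?)\s*\(kvno (\d+)\) in keytab .*?\(([^)]+)\)")

def parse_failure(line):
    """Return (principal, kvno, etype) the failing ticket asked for, or None."""
    m = FAIL_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def parse_keytab(listing):
    """Parse 'Vno Type Principal' rows into (kvno, etype, principal) tuples."""
    rows = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():  # skips the header row
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows

def diagnose(line, listing):
    """Say which part of the (principal, kvno, etype) lookup has no match."""
    want = parse_failure(line)
    if want is None:
        return "no keytab lookup failure in log line"
    principal, kvno, etype = want
    # Assumption: compare names case-insensitively, since the realm appears
    # in both lower and upper case in the thread's log lines.
    same_name = [r for r in parse_keytab(listing)
                 if r[2].lower() == principal.lower()]
    if not same_name:
        return f"principal {principal} not in keytab"
    kvnos = sorted({r[0] for r in same_name})
    if kvno not in kvnos:
        return f"kvno {kvno} requested, keytab has {kvnos}"
    if etype not in {r[1] for r in same_name if r[0] == kvno}:
        return f"no {etype} key for kvno {kvno}"
    return "matching key present"
```

Run on the listing exactly as posted, diagnose() reports the principal as absent, because the listing spells it fs-sahre while the log line says fs-share; with the spelling matched it reports kvno 109 requested against a keytab holding only 108.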