samba - Oct 2019 - Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

Rowland, it is not a problem of mount but of kerberso ticket:

[2019/10/08 10:58:09.626059,  1]
../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT
content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2019/10/08 10:58:09.634532,  1]
../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/dom.corp at DOM.CORP(kvno 109) in keytab
MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno
109.

Il giorno mar 8 ott 2019 alle ore 22:26 Rowland penny via samba <
samba at lists.samba.org> ha scritto:
> On 08/10/2019 21:11, banda bassotti wrote:
> > none of this :) access to the share by windows clients and yes, I can
> > read, I only reported the log output nothing more,
>
> If you are not mounting anything, then you do not need the keytab.
>
> Also, I never said you couldn't read, I just pointed out that you can
> look at the keytab '/etc/samba/fs.keytab' until you are blue in the
> face, but it will do you no good, because it is the wrong keytab.
>
>  From your error message, something seems to be trying to mount a share
> somewhere. If your clients are just connecting to a share and do not
> need to mount anything, then I suggest you find what is trying to mount
> the share and stop it.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 09/10/2019 04:34, banda bassotti via samba wrote:
> Rowland, it is not a problem of mount but of kerberso ticket:
>
> [2019/10/08 10:58:09.626059,  1]
> ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT
> content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2019/10/08 10:58:09.634532,  1]
> ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>    gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/dom.corp at DOM.CORP(kvno 109) in keytab
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno
> 109.
>
It looks like your kerberos ticket has expired and not been renewed, a 
new one has been created instead.

However, the ticket is for 'cifs/dom.corp at DOM.CORP'

You would normally only use such a ticket to mount something.

I think you need to post your smb.conf

Rowland

Hi Rowland, I refer again after a week, perhaps missing an important piece
to the big picture: the error message appears ONLY when you access the
share using the netbios alias:

[Global]
   workgroup = WG1
   realm = DOM.CORP
   netbios name = fs-a
   netbios aliases = oldsamba
   security = ADS

if you access the \\fs-a\sharename is ok if you access
\\oldsamba\sharename  the logs report the absence of the kerberos ticket,
to overcome this I have to re-import the oldsamba keytab with ktutil.

ciao.

Il giorno mer 9 ott 2019 alle ore 09:16 Rowland penny via samba <
samba at lists.samba.org> ha scritto:
> On 09/10/2019 04:34, banda bassotti via samba wrote:
> > Rowland, it is not a problem of mount but of kerberso ticket:
> >
> > [2019/10/08 10:58:09.626059,  1]
> >
../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
> >    gensec_spnego_server_negTokenInit_step: gse_krb5: parsing
> NEG_TOKEN_INIT
> > content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> > [2019/10/08 10:58:09.634532,  1]
> > ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> >    gss_accept_sec_context failed with [ Miscellaneous failure (see
text):
> > Failed to find cifs/dom.corp at DOM.CORP(kvno 109) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > before 10:00 it used kvno (kerberos version number) 108 after 10:00
kvno
> > 109.
> >
> It looks like your kerberos ticket has expired and not been renewed, a
> new one has been created instead.
>
> However, the ticket is for 'cifs/dom.corp at DOM.CORP'
>
> You would normally only use such a ticket to mount something.
>
> I think you need to post your smb.conf
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>