banda bassotti
2019-Oct-09 03:34 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Rowland, it is not a problem of mount but of kerberso ticket: [2019/10/08 10:58:09.626059, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step) gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE [2019/10/08 10:58:09.634532, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/dom.corp at DOM.CORP(kvno 109) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno 109. Il giorno mar 8 ott 2019 alle ore 22:26 Rowland penny via samba < samba at lists.samba.org> ha scritto:> On 08/10/2019 21:11, banda bassotti wrote: > > none of this :) access to the share by windows clients and yes, I can > > read, I only reported the log output nothing more, > > If you are not mounting anything, then you do not need the keytab. > > Also, I never said you couldn't read, I just pointed out that you can > look at the keytab '/etc/samba/fs.keytab' until you are blue in the > face, but it will do you no good, because it is the wrong keytab. > > From your error message, something seems to be trying to mount a share > somewhere. If your clients are just connecting to a share and do not > need to mount anything, then I suggest you find what is trying to mount > the share and stop it. > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland penny
2019-Oct-09 07:16 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 09/10/2019 04:34, banda bassotti via samba wrote:> Rowland, it is not a problem of mount but of kerberso ticket: > > [2019/10/08 10:58:09.626059, 1] > ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step) > gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT > content failed (next[(null)]): NT_STATUS_LOGON_FAILURE > [2019/10/08 10:58:09.634532, 1] > ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) > gss_accept_sec_context failed with [ Miscellaneous failure (see text): > Failed to find cifs/dom.corp at DOM.CORP(kvno 109) in keytab > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] > > before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno > 109. >It looks like your kerberos ticket has expired and not been renewed, a new one has been created instead. However, the ticket is for 'cifs/dom.corp at DOM.CORP' You would normally only use such a ticket to mount something. I think you need to post your smb.conf Rowland
banda bassotti
2019-Oct-16 09:06 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hi Rowland, I refer again after a week, perhaps missing an important piece to the big picture: the error message appears ONLY when you access the share using the netbios alias: [Global] workgroup = WG1 realm = DOM.CORP netbios name = fs-a netbios aliases = oldsamba security = ADS if you access the \\fs-a\sharename is ok if you access \\oldsamba\sharename the logs report the absence of the kerberos ticket, to overcome this I have to re-import the oldsamba keytab with ktutil. ciao. Il giorno mer 9 ott 2019 alle ore 09:16 Rowland penny via samba < samba at lists.samba.org> ha scritto:> On 09/10/2019 04:34, banda bassotti via samba wrote: > > Rowland, it is not a problem of mount but of kerberso ticket: > > > > [2019/10/08 10:58:09.626059, 1] > > ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step) > > gensec_spnego_server_negTokenInit_step: gse_krb5: parsing > NEG_TOKEN_INIT > > content failed (next[(null)]): NT_STATUS_LOGON_FAILURE > > [2019/10/08 10:58:09.634532, 1] > > ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) > > gss_accept_sec_context failed with [ Miscellaneous failure (see text): > > Failed to find cifs/dom.corp at DOM.CORP(kvno 109) in keytab > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] > > > > before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno > > 109. > > > It looks like your kerberos ticket has expired and not been renewed, a > new one has been created instead. > > However, the ticket is for 'cifs/dom.corp at DOM.CORP' > > You would normally only use such a ticket to mount something. > > I think you need to post your smb.conf > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >