banda bassotti
2019-Oct-16 09:06 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hi Rowland,

I refer again after a week, perhaps missing an important piece to the big picture: the error message appears ONLY when you access the share using the netbios alias:

[Global]
   workgroup = WG1
   realm = DOM.CORP
   netbios name = fs-a
   netbios aliases = oldsamba
   security = ADS

If you access \\fs-a\sharename it is OK; if you access \\oldsamba\sharename the logs report the absence of the kerberos ticket. To overcome this I have to re-import the oldsamba keytab with ktutil.

ciao.

On Wed, 9 Oct 2019 at 09:16, Rowland penny via samba <samba@lists.samba.org> wrote:

> On 09/10/2019 04:34, banda bassotti via samba wrote:
> > Rowland, it is not a problem of mount but of kerberos ticket:
> >
> > [2019/10/08 10:58:09.626059, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
> >   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> > [2019/10/08 10:58:09.634532, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> >   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/dom.corp@DOM.CORP(kvno 109) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > before 10:00 it used kvno (kerberos version number) 108 after 10:00 kvno 109.
>
> It looks like your kerberos ticket has expired and not been renewed, a new one has been created instead.
>
> However, the ticket is for 'cifs/dom.corp@DOM.CORP'
>
> You would normally only use such a ticket to mount something.
>
> I think you need to post your smb.conf
>
> Rowland
Rowland penny
2019-Oct-16 09:26 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 16/10/2019 10:06, banda bassotti wrote:
> Hi Rowland, I refer again after a week, perhaps missing an important piece to the big picture: the error message appears ONLY when you access the share using the netbios alias:
>
> [Global]
>    workgroup = WG1
>    realm = DOM.CORP
>    netbios name = fs-a
>    netbios aliases = oldsamba
>    security = ADS
>
> if you access the \\fs-a\sharename is ok if you access \\oldsamba\sharename the logs report the absence of the kerberos ticket, to overcome this I have to re-import the oldsamba keytab with ktutil.

Do not use netbios aliases, use a CNAME record instead, AD uses DNS instead of NetBIOS.

Rowland
Rowland penny
2019-Oct-29 09:48 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 29/10/2019 08:22, banda bassotti wrote:
> Hi Rowland, I'm here again, as you suggested I created a CNAME for the old samba by pointing it to the new server but the problem persists:
>
> # host oldsamba
> oldsamba.domain.corp is an alias for newsamba.domain.corp.
> newsamba.domain.corp has address 10.0.0.5
>
> trying to access the share \\oldsamba\sharename
>
> [2019/10/29 09:13:08.710484, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/OLDSAMBA@DOMAIN.CORP(kvno 112) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2019/10/29 09:13:08.710549, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2019/10/29 09:13:08.723547, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>
> note the KVNO 112, up until yesterday it was looking for 111

OK, try adding the required SPN to 'newsamba':

samba-tool spn add cifs/OLDSAMBA@DOMAIN.CORP newsamba$

Rowland
Rowland penny
2019-Oct-29 10:11 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 29/10/2019 10:04, banda bassotti wrote:
> I had already done it:
>
> # samba-tool spn list newsamba\$
> newsamba$
> User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following servicePrincipalName:
>          HOST/NEWSAMBA
>          HOST/newsamba.domain.corp
>          cifs/oldsamba@DOMAIN.CORP
>          cifs/oldsamba.domain.corp@DOMAIN.CORP

From your log fragment, it appears to be looking for 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to remove the lowercase version SPN and replace it with the uppercase version.

Rowland
banda bassotti
2019-Oct-29 10:37 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hi,

the problem seems to be related to this bug: https://bugzilla.samba.org/show_bug.cgi?id=6750

I try therefore to set machine password timeout = 0

On Tue, 29 Oct 2019 at 11:11, Rowland penny via samba <samba@lists.samba.org> wrote:

> On 29/10/2019 10:04, banda bassotti wrote:
> > I had already done it:
> >
> > # samba-tool spn list newsamba\$
> > newsamba$
> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following servicePrincipalName:
> >          HOST/NEWSAMBA
> >          HOST/newsamba.domain.corp
> >          cifs/oldsamba@DOMAIN.CORP
> >          cifs/oldsamba.domain.corp@DOMAIN.CORP
>
> From your log fragment, it appears to be looking for 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to remove the lowercase version SPN and replace it with the uppercase version.
>
> Rowland
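
The two causes raised in this thread (a changed kvno and a case difference in the SPN) can be told apart by comparing the log line with the keytab listing. The following is an added example, not posted by any participant and not part of Samba; the function names are hypothetical, both sample inputs are constructed, and the keytab listing is assumed to be in MIT `klist -k` layout.

```python
import re

# Constructed sample: smbd log text in the shape quoted in this thread.
SAMPLE_LOG = (
    "gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
    "Failed to find cifs/OLDSAMBA@DOMAIN.CORP(kvno 112) in keytab "
    "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]"
)

# Constructed sample: keytab listing in MIT `klist -k` layout (assumed format).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
 111 cifs/oldsamba@DOMAIN.CORP
 112 cifs/newsamba.domain.corp@DOMAIN.CORP
"""

LOG_RE = re.compile(
    r"Failed to find\s+(\S+?)\s*\(kvno\s+(\d+)\)\s+in\s+keytab\s+\S+\s+\(([^)]+)\)")
KLIST_RE = re.compile(r"^[ \t]*(\d+)[ \t]+(\S+@\S+)", re.MULTILINE)


def parse_failures(log_text):
    """Return (principal, kvno, enctype) for each keytab lookup failure."""
    return [(p, int(k), e) for p, k, e in LOG_RE.findall(log_text)]


def parse_keytab(klist_text):
    """Return (principal, kvno) pairs from a `klist -k` listing."""
    return [(p, int(k)) for k, p in KLIST_RE.findall(klist_text)]


def diagnose(principal, kvno, keytab):
    """Classify why a requested key is absent; principal match is exact-case."""
    exact = sorted(k for p, k in keytab if p == principal)
    if kvno in exact:
        return ("ok", exact)
    if exact:
        return ("kvno_mismatch", exact)       # key version changed, keytab not refreshed
    folded = sorted({p for p, _ in keytab if p.lower() == principal.lower()})
    if folded:
        return ("case_mismatch", folded)      # same name, different case
    return ("missing", [])                    # no key for this SPN at all


if __name__ == "__main__":
    keytab = parse_keytab(SAMPLE_KLIST)
    for princ, kvno, enctype in parse_failures(SAMPLE_LOG):
        print(princ, kvno, enctype, diagnose(princ, kvno, keytab))
```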