banda bassotti
2019-Oct-29 10:37 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hi, the problem seems to be related to this bug:

https://bugzilla.samba.org/show_bug.cgi?id=6750

I try therefore to set

    machine password timeout = 0

On Tue, 29 Oct 2019 at 11:11, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 29/10/2019 10:04, banda bassotti wrote:
> > I had already done it:
> >
> > # samba-tool spn list newsamba\$
> > newsamba$
> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> > servicePrincipalName:
> >          HOST/NEWSAMBA
> >          HOST/newsamba.domain.corp
> >          cifs/oldsamba@DOMAIN.CORP
> >          cifs/oldsamba.domain.corp@DOMAIN.CORP
>
> From your log fragment, it appears to be looking for
> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to
> remove the lowercase version SPN and replace it with the uppercase version.
>
> Rowland
banda bassotti
2019-Nov-05 08:48 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
hi, nothing to do, despite having set winbind not to change the machine password the behavior is the same. I do not know what to do. other ideas?

thnx.
L.P.H. van Belle
2019-Nov-05 10:30 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hai,

I've re-read your thread, and there are a few things going on.
I suggest you do the following.

Change these.

/etc/krb5.conf

    [libdefaults]
        default_realm = DOM.CORP
        dns_lookup_kdc = true
        dns_lookup_realm = false
        forwardable = true
        proxiable = true
        kdc_timesync = 1
        debug = false

/etc/samba/smb.conf

    [Global]
        workgroup = WG1
        realm = DOM.CORP
        # Netbios names in CAPS, see..
        # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
        # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
        # Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names,
        # point CNAME to the A record if which the PTR also exists..
        netbios name = FS-A
        netbios aliases = OLDSAMBA
        security = ADS
        #
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        # renew the kerberos ticket
        winbind refresh tickets = yes

ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
You run : net ads keytab

    cp /etc/krb5.keytab{,.backup}
    kinit Administrator
    KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P

Verify this keytab.

    klist -ke /etc/krb5.keytab2

You want to see :

    host/NETBIOSNAME@DOM.CORP  ( x5 )
    host/fqdn.hostname.dom.tld@DOM.CORP  ( x5 )
    NETBIOSNAME$@DOM.CORP  ( x5 )

If you see these, then run this to add the cifs keytab.

    KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
    KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$

Verify the keytab file again.

    klist -ke /etc/krb5.keytab2

If it all looks good.

Stop all samba service

    rm /etc/krb5.keytab   ( a backupfile is made if you followed above )
    mv /etc/krb5.keytab2 /etc/krb5.keytab

That "should" do the trick..

Greetz,

Louis
banda bassotti
2019-Nov-05 11:06 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Luis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:

    [2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
      gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

please pay attention to (kvno 113) the problem is here and not the keytab file.

    klist -ke /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
       7 host/FS-A@DOM.CORP (des-cbc-crc)
       7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
       7 host/FS-A@DOM.CORP (des-cbc-md5)
       7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
       7 host/FS-A@DOM.CORP (arcfour-hmac)
       7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
       7 cifs/FS-A@DOM.CORP (des-cbc-crc)
       7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
       7 cifs/FS-A@DOM.CORP (des-cbc-md5)
       7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
       7 cifs/FS-A@DOM.CORP (arcfour-hmac)
       7 FS-A$@DOM.CORP (des-cbc-crc)
       7 FS-A$@DOM.CORP (des-cbc-md5)
       7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 FS-A$@DOM.CORP (arcfour-hmac)
       7 host/FS-A@DOM.CORP (des-cbc-crc)
       7 host/FS-A@DOM.CORP (des-cbc-md5)
       7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 host/FS-A@DOM.CORP (arcfour-hmac)
       7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
       7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
       7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
       7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
       7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
       7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 cifs/oldsamba@DOM.CORP (arcfour-hmac)

to temporarily solve this problem I must extract the keytab of the oldsamba from the domain controller and import with ktutil:

    # ktutil
    ktutil:  rkt oldsamba.keytab
    ktutil:  l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1  112 cifs/oldsamba@DOM.CORP
       2  112 cifs/oldsamba@DOM.CORP
       3  112 cifs/oldsamba@DOM.CORP
       4  113 cifs/oldsamba@DOM.CORP
       5  113 cifs/oldsamba@DOM.CORP
       6  113 cifs/oldsamba@DOM.CORP

please note the kvno column.
L.P.H. van Belle
2019-Nov-05 11:40 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Ok, you did too much as far as I can tell.

You want to see this: I'll show my output, then it is better to see what I mean.
This is where you start with.

    klist -ke |sort   ( default member )
    ---- --------------------------------------------------------------------------
       3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
       3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
       3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
       3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
       3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
       3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
       3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
       3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
       3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
       3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
       3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
       3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
       3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
       3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
       3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)

In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver.

/etc/hosts

    127.0.0.1       localhost
    192.168.0.1     hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld

Host format: IP REAL_HOSTNAME_FQDN ALIAS ALIAS

Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through dns.
ping mycrazyserver.internal.domain.tld will respond its reply with hostname1.internal.domain.tld hostname1

If you add CIFS to your keytab you want to see :

       3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
       3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
       3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
       3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
       3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)

( + what's above )
That's it..

So your output should look like this.

       7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 cifs/FS-A@DOM.CORP (arcfour-hmac)
       7 cifs/FS-A@DOM.CORP (des-cbc-crc)
       7 cifs/FS-A@DOM.CORP (des-cbc-md5)
       7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
       7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
       7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
       7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 FS-A$@DOM.CORP (arcfour-hmac)
       7 FS-A$@DOM.CORP (des-cbc-crc)
       7 FS-A$@DOM.CORP (des-cbc-md5)
       7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)   < double = wrong
       7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
       7 host/FS-A@DOM.CORP (arcfour-hmac)
       7 host/FS-A@DOM.CORP (arcfour-hmac)              < double = wrong
       7 host/FS-A@DOM.CORP (des-cbc-crc)
       7 host/FS-A@DOM.CORP (des-cbc-crc)               < double = wrong
       7 host/FS-A@DOM.CORP (des-cbc-md5)
       7 host/FS-A@DOM.CORP (des-cbc-md5)               < double = wrong
       7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
       7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
       7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
       7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
       7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

So try again. ;-)

Greetz,

Louis
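An added example, not part of any poster's message and not Samba code: a small Python check that compares the principal, kvno and enctype named in the gse.c error with what `klist -ke` lists, and also reports entries listed twice. The sample listing and log line are constructed from the output shown in the thread; the function names and verdict strings are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a shortened keytab listing and the log line from the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
"""
SAMPLE_ERROR = (
    "gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
    "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab "
    "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]"
)

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
ERROR_RE = re.compile(
    r"Failed to find (\S+?)\s*\(kvno (\d+)\) in keytab \S+ \(([^)]+)\)"
)
# The log and klist spell the RC4 enctype differently; map both to one name.
ENCTYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}


def norm_enctype(name):
    # Newer MIT klist may print "DEPRECATED:arcfour-hmac"; keep the bare name.
    name = name.split(":")[-1].strip().lower()
    return ENCTYPE_ALIASES.get(name, name)


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, separator and blank lines do not match
            entries.append((int(m.group(1)), m.group(2), norm_enctype(m.group(3))))
    return entries


def diagnose(error_line, klist_text):
    """Explain why the key named in the error was not found in the keytab."""
    m = ERROR_RE.search(error_line)
    if not m:
        raise ValueError("not a 'Failed to find ... in keytab' message")
    principal, kvno, enctype = m.group(1), int(m.group(2)), norm_enctype(m.group(3))
    entries = parse_klist(klist_text)
    same_name = [e for e in entries if e[1] == principal]
    kvnos = sorted({e[0] for e in same_name})
    if not same_name:
        # Principal names are case sensitive, as Rowland points out in the thread.
        near = any(e[1].lower() == principal.lower() for e in entries)
        verdict = "case-mismatch" if near else "principal-missing"
    elif kvno not in kvnos:
        verdict = "kvno-mismatch"
    elif (kvno, principal, enctype) not in entries:
        verdict = "enctype-missing"
    else:
        verdict = "ok"
    return {"principal": principal, "wanted_kvno": kvno,
            "keytab_kvnos": kvnos, "verdict": verdict}


def duplicates(klist_text):
    """Entries listed more than once (the 'double = wrong' case)."""
    counts = Counter(parse_klist(klist_text))
    return sorted(e for e, n in counts.items() if n > 1)


if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_KLIST))
    print(duplicates(SAMPLE_KLIST))
```

On the sample, the verdict is a kvno mismatch: the ticket asks for key version 113 of cifs/oldsamba@DOM.CORP while the keytab only holds version 7, which is the discrepancy banda bassotti points at.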