L.P.H. van Belle
2019-Nov-05 14:42 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Ok,

Your keytab looks ok now.

oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2

i would have expected here.
oldsamba.dom.corp is an alias for fs-a.dom.corp.
fs-a.dom.corp has address 10.0.0.2

Or was that a typo? I'm assuming a typo..

About your setup from the script output.

Change this one.
/etc/hosts
10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # new/correct
Or
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct

Here i personally prefer :
10.0.0.2 fs-a.dom.corp fs-a
And add the cname to the DNS.

Why.. IP ALIAS1 ALIAS2.. Etc.. , but what i didn't tell before.. (sorry)
ALIAS, if you use a "single label" alias-name, as in, only the hostname-alias without the domain part.
Then that hostname can/should only be used on the server, because it's missing the domain part.

I do the same here, this is how i use it.
( from a 4.11.2 member to a .. yes 3.6.x server, i still have one running.. :-/
smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
-k won't work here, don't ask why, that i don't know.

To a 4.8+ member i use :
smbclient //somealias/sharename -c 'ls'

/etc/samba/smb.conf
You can remove these after testing, or set to no and use getent passwd/group username/groupname if you want to see the groups.
winbind enum groups = yes
winbind enum users = yes

Why is this used : getwd cache = yes ?
For my understanding, i think you can remove it, because this should be handled differently in samba4.

You're allowing :
usershare allow guests = yes
but you disable the share location :
usershare path =
Either use it or disable it, now it's?? you tell me.. ;-) .

But beside above points your setup looks pretty good.

@Rowland,
This might help you understanding my response on this one.

> You are creating a keytab, which may or may not be called /etc/krb5.keytab2
                                                                        ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
But since it's replaced anyway now.

Ps, keytab name is not significant.
What is significant is, what is set for : default_keytab_name in krb5.conf
Which of course defaults to FILE:/etc/krb5.keytab

> > Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> Then something reads the keytab in memory and cannot find the
> required SPN, or to put it another way, whatever is trying to find the
> SPN isn't reading the keytab you created above, it is reading the one in memory.

Ok, this part above, yes, you're right, it's reading in memory, but to my belief,
From: kerberos method = secrets and keytab, and as far as i know "secrets" = MEMORY
but ask yourself, why is it using the "oldsamba" name if he is using oldsamba as aliasname.
That's the key here, so conclusion: resolving problems/incorrect setup.

So therefore I'm saying. ( typed this before i got the script output ).
OLDSAMBA is still in /etc/hosts but before the newHostname
Or it still has a dns A record.
Or samba is also using the Netbios Alias names while creating keytab entries.
... And this, should in my opinion not happen, so let's wait what comes back.
AND his keytab file is still incorrectly setup.

And as i saw in the debug script output, i'm betting now on /etc/hosts that needs fixing.

Resume.

Change : /etc/hosts
# this line to :
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
#Or
10.0.0.2 fs-a.dom.corp fs-a # preferred, and setup CNAME in DNS.

Reboot the server or "stop/start" samba ( don't restart ) !

Verify the hostname-alias
host oldhostname.dom.corp
host oldhostname

And try again.

Greetz,

Louis

________________________________

From: banda bassotti [mailto:bandabasotti at gmail.com]
Sent: Tuesday 5 November 2019 14:49
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

systemctl stop nmbd smbd winbind
rm -f /etc/krb5.keytab*
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
net ads keytab create cifs/$(hostname -f)
klist -ke /etc/krb5.keytab | sort

---- --------------------------------------------------------------------------
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

systemctl start nmbd smbd winbind

# host oldsamba
oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2

$ kinit testuser
$ smbclient //oldsamba/testuser -k -c 'ls'
Unable to initialize messaging context
session setup failed: NT_STATUS_LOGON_FAILURE

[2019/11/05 14:32:18.863122, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2019/11/05 14:32:18.863192, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE

attached the samba-debug-info.txt

On Tue 5 Nov 2019 at 13:43 L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai,

Nope.. Too much again ;-)

This is one step too much:
step2:
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP

And why are you adding @REALM .. Do it exactly as shown below.

Because a CNAME resolves to the REAL hostname's A record, then Kerberos uses the A of the real hostname and (might) verify the PTR also.

So again and exactly as shown, because your "Default realm" is used automatically.

kinit Administrator
*(you see here: Password for Administrator@REALM: )

stop samba and related services.

rm /etc/krb5.keytab2
rm /etc/krb5.keytab

# i change the keytab to the needed name (/etc/krb5.keytab)
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P

net ads keytab create cifs/$(hostname -f)

Verify the output.
klist -ke /etc/krb5.keytab | sort

If you see the ALIAS hostname "oldsamba" again in the keytab file.
Then remove from smb.conf :

netbios aliases = OLDSAMBA

Verify the DNS and make sure your realhostname does have the A and PTR records set.
And remove all A/PTR related records to OLDSAMBA.
Add the CNAME for OLDSAMBA and point to the realhostname.

Restart samba, repeat above.

Still failing..
Then get this script: https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Run it, anonymize it and post the output.

Greetz,

Louis

________________________________

From: banda bassotti [mailto:bandabasotti at gmail.com]
Sent: Tuesday 5 November 2019 13:18
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

Luis, ok I've removed everything, step 1:

KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P

klist -ke /etc/krb5.keytab2|grep 7|sort

   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

step2:
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
# KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP

klist

   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

systemctl start nmbd smbd winbind

test from windows machine:

[2019/11/05 13:14:49.108879, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

On Tue 5 Nov 2019 at 12:40 L.P.H. van Belle <belle at bazuin.nl> wrote:

Ok, you did too much as far as i can tell.

You want to see this: i'll show my output, then it is easier to see what i mean.

This is where you start with.
klist -ke |sort ( default member )
---- --------------------------------------------------------------------------
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
   3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
   3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
   3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)

In my case, my server's "real" name is hostname1 and i have an alias, let's say mycrazyserver

/etc/hosts
127.0.0.1 localhost
192.168.0.1 hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld
Host format:
IP REAL_HOSTNAME_FQDN ALIAS ALIAS

Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through dns.

ping mycrazyserver.internal.domain.tld will respond its reply with hostname1.internal.domain.tld hostname1

If you add CIFS to your keytab you want to see :
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
   3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
( + what's above )

That's it..

So your output should look like this.

   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96) < double = wrong
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96) < double = wrong
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac) < double = wrong
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-crc) < double = wrong
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (des-cbc-md5) < double = wrong
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)

So try again. ;-)

Greetz,

Louis

________________________________

From: banda bassotti [mailto:bandabasotti at gmail.com]
Sent: Tuesday 5 November 2019 12:06
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

Luis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:

[2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

please pay attention to (kvno 113): the problem is here and not the keytab file.

klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
   7 cifs/FS-A@DOM.CORP (des-cbc-crc)
   7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
   7 cifs/FS-A@DOM.CORP (des-cbc-md5)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (des-cbc-crc)
   7 FS-A$@DOM.CORP (des-cbc-md5)
   7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 host/FS-A@DOM.CORP (des-cbc-crc)
   7 host/FS-A@DOM.CORP (des-cbc-md5)
   7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
   7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
   7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
   7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (arcfour-hmac)

to temporarily solve this problem I must extract the keytab of the oldsamba from the domain controller and import it with ktutil:

# ktutil
ktutil: rkt oldsamba.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1  112 cifs/oldsamba@DOM.CORP
   2  112 cifs/oldsamba@DOM.CORP
   3  112 cifs/oldsamba@DOM.CORP
   4  113 cifs/oldsamba@DOM.CORP
   5  113 cifs/oldsamba@DOM.CORP
   6  113 cifs/oldsamba@DOM.CORP

please note the kvno column.

On Tue 5 Nov 2019 at 11:30 L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai,

I've re-read your thread, and there are a few things going on..

I suggest you do the following..
Change these.

/etc/krb5.conf
[libdefaults]
default_realm = DOM.CORP
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
kdc_timesync = 1
debug = false

/etc/samba/smb.conf
[Global]
workgroup = WG1
realm = DOM.CORP
# Netbios names in CAPS, see..
# https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
# https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
# Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names,
# point CNAME to the A record of which the PTR also exists..
netbios name = FS-A
netbios aliases = OLDSAMBA
security = ADS
# kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes

ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
You run : net ads keytab

cp /etc/krb5.keytab{,.backup}
kinit Administrator
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P

Verify this keytab.
klist -ke /etc/krb5.keytab2

You want to see :
host/NETBIOSNAME@DOM.CORP ( x5 )
host/fqdn.hostname.dom.tld@DOM.CORP ( x5 )
NETBIOSNAME$@DOM.CORP ( x5 )

If you see these.. Then run this to add the cifs keytab.
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$

Verify the keytab file again.
klist -ke /etc/krb5.keytab2

If it all looks good.
Stop all samba services
rm /etc/krb5.keytab .. ( a backup file is made if you followed above )
mv /etc/krb5.keytab2 /etc/krb5.keytab

That "should" do the trick..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> banda bassotti via samba
> Sent: Tuesday 5 November 2019 9:49
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp
> (kvno 109) in keytab
>
> hi, nothing to do, despite having set winbind not to change
> the machine
> password the behavior is the same. I do not know what to do.
> other ideas?
>
> thnx.
>
> On Tue 29 Oct 2019 at 11:37 banda bassotti <
> bandabasotti at gmail.com> wrote:
>
> > Hi, the problem seems to be related to this bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=6750
> >
> > I try therefore to set
> >
> > machine password timeout = 0
> >
> > On Tue 29 Oct 2019 at 11:11 Rowland penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On 29/10/2019 10:04, banda bassotti wrote:
> >> > I had already done it:
> >> >
> >> > # samba-tool spn list newsamba\$
> >> > newsamba$
> >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> >> > servicePrincipalName:
> >> > HOST/NEWSAMBA
> >> > HOST/newsamba.domain.corp
> >> > cifs/oldsamba@DOMAIN.CORP
> >> > cifs/oldsamba.domain.corp@DOMAIN.CORP
> >>
> >> From your log fragment, it appears to be looking for
> >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will
> probably have to
> >> remove the lowercase version SPN and replace it with the uppercase
> >> version.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
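As an added check (example code written for this page, not from the thread, from Samba or from its debug script), the Python below parses a `klist -ke` listing and applies the tests Louis makes above: no doubled entries, only the real host's names as SPN hosts, and the host/, cifs/ and machine-account principals all present. It also matches an smbd "Failed to find ...(kvno N) in keytab" line against the listing to tell whether the SPN is absent, present at a different kvno (the 113 vs 7 situation in this thread), or present at that kvno, which means the server is reading another keytab. The sample listing and log line are constructed; the function names are mine.

```python
import re
from collections import Counter

# Constructed sample modelled on the listings in this thread (not real output):
# host/FS-A appears twice for one enctype, an alias SPN (cifs/oldsamba) crept in,
# and cifs/<fqdn> is missing.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (arcfour-hmac)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (arcfour-hmac)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
"""

# Constructed log line in the shape of the smbd error quoted in the thread.
SAMPLE_ERROR = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
                "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab "
                "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
ERROR_RE = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ke` output;
    header, separator and 'Keytab name:' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text, netbios_name, fqdn, realm):
    """Findings for a member-server keytab: duplicate entries, SPNs whose host
    part is an alias rather than the real NetBIOS name or FQDN, principals in
    the wrong realm, and the expected host/, cifs/ and machine principals."""
    entries = parse_klist(text)
    findings = []
    nb, fq = netbios_name.upper(), fqdn.lower()
    # Same kvno + principal + enctype listed twice: "< double = wrong".
    for (kvno, princ, etype), n in sorted(Counter(entries).items()):
        if n > 1:
            findings.append(f"duplicate: {kvno} {princ} ({etype}) x{n}")
    for princ in sorted({p for _, p, _ in entries}):
        name, _, prealm = princ.rpartition("@")
        if prealm != realm:
            findings.append(f"wrong realm: {princ}")
        if "/" in name:
            host = name.split("/", 1)[1]
            if host not in (nb, fq):
                findings.append(f"alias SPN: {princ} (host part is not {nb} or {fq})")
        elif name != nb + "$":
            findings.append(f"unexpected principal: {princ}")
    expected = {f"host/{nb}@{realm}", f"host/{fq}@{realm}",
                f"cifs/{fq}@{realm}", f"{nb}$@{realm}"}
    present = {p for _, p, _ in entries}
    findings.extend(f"missing: {p}" for p in sorted(expected - present))
    return findings


def diagnose_error(log_line, klist_text):
    """Match an smbd 'Failed to find X(kvno N) in keytab' line against a
    listing: X absent, X present only at other kvnos, or X present at N
    (then the server is not reading the keytab that was listed)."""
    m = ERROR_RE.search(log_line)
    if not m:
        return None
    wanted, kvno = m.group(1), int(m.group(2))
    kvnos = sorted({k for k, p, _ in parse_klist(klist_text) if p == wanted})
    if not kvnos:
        return f"{wanted}: not in this keytab at all"
    if kvno in kvnos:
        return f"{wanted} kvno {kvno}: present here; the server is using another keytab"
    return (f"{wanted}: present only at kvno {kvnos}, ticket was cut for kvno {kvno} "
            "(the SPN's key lives on another account / password version)")


if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE_KLIST, "FS-A", "fs-a.dom.corp", "DOM.CORP"):
        print(finding)
    print(diagnose_error(SAMPLE_ERROR, SAMPLE_KLIST))
```

To run it against a real member, feed it `klist -ke /etc/krb5.keytab` output and the gse.c line from log.smbd; an empty findings list is what a clean join as described in the thread should produce.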
Rowland penny
2019-Nov-05 15:02 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 05/11/2019 14:42, L.P.H. van Belle via samba wrote:
> Ok,
>
> Your keytab looks ok now.

It might do, but it isn't the one being used ;-)

> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> i would have expected here.
> oldsamba.dom.corp is an alias for fs-a.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> Or was that a typo? I'm assuming a typo..
>
> About your setup from the script output.
>
> Change this one.
> /etc/hosts
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # new/correct
> Or
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct

No, none of them are correct

> Here i personally prefer :
> 10.0.0.2 fs-a.dom.corp fs-a

But that is.

> Why is this used : getwd cache = yes ?
> For my understanding, i think you can remove it, because this should be handled differently in samba4.

Yes, it should be removed, but only because it is a default setting.

> @Rowland,
> This might help you understanding my response on this one.
>
>> You are creating a keytab, which may or may not be called /etc/krb5.keytab2
>                                                                         ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
> But since it's replaced anyway now.
>
> Ps, keytab name is not significant.
> What is significant is, what is set for : default_keytab_name in krb5.conf
> Which of course defaults to FILE:/etc/krb5.keytab

I was trying to show that a keytab was being created but not used.

>>> Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
>>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> Then something reads the keytab in memory and cannot find the
>> required SPN, or to put it another way, whatever is trying to find the
>> SPN isn't reading the keytab you created above, it is reading the one in memory.
> Ok, this part above, yes, you're right, it's reading in memory, but to my belief,
> From: kerberos method = secrets and keytab, and as far as i know "secrets" = MEMORY

Sorry but no, 'secrets' = secrets.tdb (unless this is something else wrong in the smb.conf manpage)

> but ask yourself, why is it using the "oldsamba" name if he is using oldsamba as aliasname.
> That's the key here, so conclusion: resolving problems/incorrect setup.
>
> So therefore I'm saying. ( typed this before i got the script output ).
> OLDSAMBA is still in /etc/hosts but before the newHostname
> Or it still has a dns A record.
> Or samba is also using the Netbios Alias names while creating keytab entries.
> ... And this, should in my opinion not happen, so let's wait what comes back.
> AND his keytab file is still incorrectly setup.
>
> And as i saw in the debug script output, i'm betting now on /etc/hosts that needs fixing.

This is quite possibly a DNS problem, my gut feeling is to leave the domain, clean everything up and then rejoin, hopefully this will fix things.

Rowland
(arcfour-hmac) < double = wrong > 7 host/FS-A at DOM.CORP (des-cbc-crc) > 7 host/FS-A at DOM.CORP (des-cbc-crc) < double = wrong > 7 host/FS-A at DOM.CORP (des-cbc-md5) > 7 host/FS-A at DOM.CORP (des-cbc-md5) < double = wrong > 7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) > 7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) > 7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac) > 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc) > 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5) > > > So try again. ;-) > > Greetz, > > Louis > > > > > > ________________________________ > > Van: banda bassotti [mailto:bandabasotti at gmail.com] > Verzonden: dinsdag 5 november 2019 12:06 > Aan: L.P.H. van Belle > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab > > > Luis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error: > > > [2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) > > gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] > > > please pay attention to (kvno 113) the problem is here and not the keytab file. 
> > > klist -ke /etc/krb5.keyatb > Keytab name: FILE:/etc/krb5.keytab > KVNO Principal > ---- -------------------------------------------------------------------------- > 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-crc) > 7 host/FS-A at DOM.CORP (des-cbc-crc) > 7 host/fs-a.dom.corp at DOM.CORP (des-cbc-md5) > 7 host/FS-A at DOM.CORP (des-cbc-md5) > 7 host/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) > 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) > 7 host/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) > 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) > 7 host/fs-a.dom.corp at DOM.CORP (arcfour-hmac) > 7 host/FS-A at DOM.CORP (arcfour-hmac) > 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-crc) > 7 cifs/FS-A at DOM.CORP (des-cbc-crc) > 7 cifs/fs-a.dom.corp at DOM.CORP (des-cbc-md5) > 7 cifs/FS-A at DOM.CORP (des-cbc-md5) > 7 cifs/fs-a.dom.corp at DOM.CORP (aes128-cts-hmac-sha1-96) > 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) > 7 cifs/fs-a.dom.corp at DOM.CORP (aes256-cts-hmac-sha1-96) > 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) > 7 cifs/fs-a.dom.corp at DOM.CORP (arcfour-hmac) > 7 cifs/FS-A at DOM.CORP (arcfour-hmac) > 7 FS-A$@DOM.CORP (des-cbc-crc) > 7 FS-A$@DOM.CORP (des-cbc-md5) > 7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96) > 7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96) > 7 FS-A$@DOM.CORP (arcfour-hmac) > 7 host/FS-A at DOM.CORP (des-cbc-crc) > 7 host/FS-A at DOM.CORP (des-cbc-md5) > 7 host/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) > 7 host/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) > 7 host/FS-A at DOM.CORP (arcfour-hmac) > 7 cifs/oldsamba at DOM.CORP (des-cbc-crc) > 7 cifs/oldsamba at DOM.CORP (des-cbc-md5) > 7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96) > 7 cifs/oldsamba at DOM.CORP (aes256-cts-hmac-sha1-96) > 7 cifs/oldsamba at DOM.CORP (arcfour-hmac) > 7 cifs/oldsamba at DOM.CORP (des-cbc-crc) > 7 cifs/oldsamba at DOM.CORP (des-cbc-md5) > 7 cifs/oldsamba at DOM.CORP (aes128-cts-hmac-sha1-96) > 7 cifs/oldsamba at DOM.CORP 
(aes256-cts-hmac-sha1-96) > 7 cifs/oldsamba at DOM.CORP (arcfour-hmac) > > > to temporary solve this problem I must extract the keytab of the oldsamba from the domain controller and import with ktutil: > > # ktutil > ktutil: rkt oldsamba.keytab > ktutil: l > slot KVNO Principal > ---- ---- --------------------------------------------------------------------- > 1 112 cifs/oldsamba at DOM.CORP > 2 112 cifs/oldsamba at DOM.CORP > 3 112 cifs/oldsamba at DOM.CORP > 4 113 cifs/oldsamba at DOM.CORP > 5 113 cifs/oldsamba at DOM.CORP > 6 113 cifs/oldsamba at DOM.CORP > > > please note the kvno column. > > > Il giorno mar 5 nov 2019 alle ore 11:30 L.P.H. van Belle <belle at bazuin.nl> ha scritto: > > > Hai, > > I've re-read you thread, and there are a few things going-on.. > I suggest you do the following.. > > Change these. > > /etc/krb5.conf > [libdefaults] > default_realm = DOM.CORP > dns_lookup_kdc = true > dns_lookup_realm = false > forwardable = true > proxiable = true > kdc_timesync = 1 > debug = false > > > /etc/samba/smb.conf > [Global] > workgroup = WG1 > realm = DOM.CORP > # Netbios names in CAPS, see.. > # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx > # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and > # Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names, > # point CNAME to the A record if which the PTR also exists.. > netbios name = FS-A > netbios aliases = OLDSAMBA > security = ADS > # > kerberos method = secrets and keytab > dedicated keytab file = /etc/krb5.keytab > # renew the kerberos ticket > winbind refresh tickets = yes > > > ON THIS MEMBER... ( you dont run : samba-tool spn list ..... 
) > You run : net ads keytab > > cp /etc/krb5.keytab{,.backup} > kinit Administrator > KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P > > Verify this keytab. > klist -ke /etc/krb5.keytab2 > > You want to see : > host/NETBIOSNAME at DOM.CORP ( x5 ) > host/fqdn.hostname.dom.tld at DOM.CORP ( x5 ) > NETBIOSNAME$@DOM.CORP ( x5 ) > > This you see these.. Then run this to add the cifs keytab. > > KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld > KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$ > > Verify the keytab file again. > klist -ke /etc/krb5.keytab2 > > If it all looks good. > > Stop all samba service > rm /etc/krb5.keytab .. ( a backupfile is made if you followed above ) > mv /etc/krb5.keytab2 /etc/krb5.keytab > > > That "should" do the trick.. > > > > Greetz, > > Louis > > > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > > banda bassotti via samba > > Verzonden: dinsdag 5 november 2019 9:49 > > Aan: Rowland penny > > CC: sambalist > > Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp > > (kvno 109) in keytab > > > > hi, nothing to do, despite having set winbind not to change > > the machine > > password the behavior is the same. I do not know what to do. > > other ideas? > > > > thnx. 
> > > > Il giorno mar 29 ott 2019 alle ore 11:37 banda bassotti < > > bandabasotti at gmail.com> ha scritto: > > > > > Hi, the problem seems to be related to this bug: > > > > > > https://bugzilla.samba.org/show_bug.cgi?id=6750 > > > > > > I try therefore to set > > > > > > machine password timeout = 0 > > > > > > > > > > > > Il giorno mar 29 ott 2019 alle ore 11:11 Rowland penny via samba < > > > samba at lists.samba.org> ha scritto: > > > > > >> On 29/10/2019 10:04, banda bassotti wrote: > > >> > I had already done it: > > >> > > > >> > # samba-tool spn list newsamba\$ > > >> > newsamba$ > > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following > > >> > servicePrincipalName: > > >> > HOST/NEWSAMBA > > >> > HOST/newsamba.domain.corp > > >> > cifs/oldsamba at DOMAIN.CORP > > >> > cifs/oldsamba.domain.corp at DOMAIN.CORP > > >> > > >> From your log fragment, it appears to be looking for > > >> 'cifs/OLDSAMBA at DOMAIN.CORP', the case matters. You will > > probably have to > > >> remove the lowercase version SPN and replace it with the uppercase > > >> version. > > >> > > >> Rowland > > >> > > >> > > >> > > >> -- > > >> To unsubscribe from this list go to the following URL and read the > > >> instructions: https://lists.samba.org/mailman/options/samba > > >> > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > > >
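The keytab checks that Louis does by eye in the messages above (the host/NETBIOS, host/fqdn, NETBIOS$ and cifs/fqdn principals, five enctypes each, "double = wrong", one kvno column) and the kvno that banda keeps pointing at in the gse.c error can be scripted. The block below is an added example; it is not code from the Samba project or from anyone in this thread. It parses the text `klist -ke` prints and the "Failed to find ...(kvno N)" log line, and the listing, the names FS-A / fs-a.dom.corp / DOM.CORP / oldsamba and the log line it is run on are constructed sample input modelled on the thread, not captured from a real server.

```python
"""Audit a `klist -ke` listing the way the thread does by eye.

Added example; not code from the Samba project or from the thread.  It parses
the text that `klist -ke /etc/krb5.keytab` prints and checks what Louis looks
for: host/NETBIOS, host/fqdn, NETBIOS$ and cifs/fqdn are all present, no
principal/enctype pair appears twice ("double = wrong"), every entry carries
the same kvno, and no entry belongs to an alias such as oldsamba.  It also
pulls the principal and kvno out of the gse.c error line so the kvno the
client asked for can be compared with what the keytab holds.
"""
import re
from collections import Counter

# One klist line looks like "   7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)".
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\(([^)]+)\)\s*$")
# The smbd log line names the principal and kvno the client's ticket was for.
ERR_RE = re.compile(r"Failed to find (\S+?)@(\S+?)\(kvno (\d+)\)")


def parse_klist(text):
    """Return (kvno, principal, realm, enctype) tuples, one per keytab entry."""
    entries = []
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def audit_keytab(text, netbios_name, fqdn, realm, aliases=()):
    """Return a list of problem strings; empty means the keytab looks the way
    the thread says a member server's keytab should look."""
    entries = parse_klist(text)
    if not entries:
        return ["no keytab entries parsed"]
    problems = []

    # 1. The four principals a member needs (the thread: "x5" each, one per enctype).
    expected = {f"host/{netbios_name}", f"host/{fqdn}", f"{netbios_name}$", f"cifs/{fqdn}"}
    present = {p for _, p, r, _ in entries if r == realm}
    for p in sorted(expected - present):
        problems.append(f"missing principal {p}@{realm}")

    # 2. The same principal with the same enctype twice ("< double = wrong").
    for (p, e), n in sorted(Counter((p, e) for _, p, _, e in entries).items()):
        if n > 1:
            problems.append(f"duplicate entry {p}@{realm} ({e}) x{n}")

    # 3. All entries come from one machine account, so they share one kvno.
    kvnos = sorted({k for k, _, _, _ in entries})
    if len(kvnos) > 1:
        problems.append(f"mixed kvnos in keytab: {kvnos}")

    # 4. An alias is a CNAME; clients ask for the real host's principal, so
    #    alias principals in the keytab only show the setup is confused.
    alias_labels = {a.lower() for a in aliases}
    for p in sorted(present):
        name = p.split("/", 1)[-1].rstrip("$")
        if name.lower().split(".")[0] in alias_labels:
            problems.append(f"alias principal in keytab: {p}@{realm}")
    return problems


def kvno_mismatch(log_line, text):
    """From a gse.c 'Failed to find ...(kvno N)' line return
    (requested principal, requested kvno, kvnos present in the keytab),
    or None if the line is not that error."""
    m = ERR_RE.search(log_line)
    if not m:
        return None
    return (f"{m.group(1)}@{m.group(2)}", int(m.group(3)),
            sorted({k for k, _, _, _ in parse_klist(text)}))


# Constructed sample input, modelled on the listings in the thread.
ENCTYPES = ("aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
            "arcfour-hmac", "des-cbc-crc", "des-cbc-md5")


def _listing(kvno, principals):
    return "\n".join(f"   {kvno} {p} ({e})" for p in principals for e in ENCTYPES)


GOOD = ("Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----\n"
        + _listing(7, ["host/FS-A@DOM.CORP", "host/fs-a.dom.corp@DOM.CORP",
                       "FS-A$@DOM.CORP", "cifs/fs-a.dom.corp@DOM.CORP",
                       "cifs/FS-A@DOM.CORP"]))
# The same keytab after the alias was ADDed and host/FS-A was added a second time.
BAD = GOOD + "\n" + _listing(7, ["cifs/oldsamba@DOM.CORP", "host/FS-A@DOM.CORP"])
LOG = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
       "Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab "
       "MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]")

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit_keytab(text, "FS-A", "fs-a.dom.corp", "DOM.CORP", ["oldsamba"]) or "ok")
    print(kvno_mismatch(LOG, BAD))
```

Feed it the real output with `audit_keytab(open("/path/to/klist.txt").read(), netbios, fqdn, realm, aliases)`. When `kvno_mismatch` reports a requested kvno that matches nothing in the keytab, the KDC issued the ticket with a key this keytab never held, so the next things to look at are which account in AD owns the requested SPN and what the alias name resolves to, which is exactly where the thread goes next.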
banda bassotti
2019-Nov-05 15:36 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Louis, my typos, I have to mask the output, sorry (compliance)

# su - testuser
$ smbclient --option='client min protocol=NT1' -U testuser //oldsamba/testuser -c 'ls'
Unable to initialize messaging context
Enter DOM\testuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

[2019/11/05 15:50:50.009481, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/stcomune@COMUNE.PADOVA.IT(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2019/11/05 15:50:50.009564, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE

The same test from a Windows machine fails with a user credential request.

$ host oldsamba
oldsamba.dom.corp is an alias for fs-a.dom.corp.
fs-a.dom.corp has address 10.0.0.2

$ head /etc/hosts
127.0.0.1 localhost
10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba

I accepted your suggestions and modified smb.conf accordingly, thanks.

On Tue 5 Nov 2019 at 15:43 L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Ok,
>
> Your keytab looks ok now.
>
> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> I would have expected here:
> oldsamba.dom.corp is an alias for fs-a.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> Or was that a typo? I'm assuming a typo..
>
> About your setup from the script output.
>
> Change this one.
> /etc/hosts
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba                     # Old/wrong
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba   # new/correct
> Or
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp            # new/correct
>
> Here I personally prefer :
> 10.0.0.2 fs-a.dom.corp fs-a
>
> And add the CNAME to the DNS.
>
> Why.. IP ALIAS1 ALIAS2.. Etc.. , but what I didn't tell before.. (sorry)
>
> ALIAS, if you use a "single label" alias-name, as in, only the hostname-alias without the domain part.
> Then that hostname can/should only be used on the server, because it's missing the domain part.
>
> I do the same here, this is how I use it. ( from a 4.11.2 member to a .. yes 3.6.x server, I still have one running.. :-/
> smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
> -k won't work here, don't ask why, that I don't know.
>
> To a 4.8+ member I use : smbclient //somealias/sharename -c 'ls'
>
> /etc/samba/smb.conf
> You can remove these after testing, or set them to no and use getent passwd/group username/groupname if you want to see the groups.
> winbind enum groups = yes
> winbind enum users = yes
>
> Why is this used : getwd cache = yes ?
> To my understanding, I think you can remove it, because this should be handled differently in samba4.
>
> You're allowing : usershare allow guests = yes
> but you disable the share location : usershare path =
> Either use it or disable it, now it's?? you tell me.. ;-) .
>
> But besides the above points your setup looks pretty good.
>
> @Rowland,
> This might help you understand my response on this one.
>
> > You are creating a keytab, which may or may not be called /etc/krb5.keytab2
>
> ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
> But since it's replaced anyway now.
>
> Ps, the keytab name is not significant.
> What is significant is what is set for : default_keytab_name in krb5.conf
> Which of course defaults to FILE:/etc/krb5.keytab
>
> > > Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
> > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > Then something reads the keytab in memory and cannot find the
> > required SPN, or to put it another way, whatever is trying to find the
> > SPN isn't reading the keytab you created above, it is reading the one in memory.
>
> Ok, this part above, yes, you're right, it's reading in memory, but to my belief,
> From: kerberos method = secrets and keytab, and as far as I know "secrets" = MEMORY
> but ask yourself, why is it using the "oldsamba" name if he is using oldsamba as alias name.
> That's the key here, so conclusion: resolving problems/incorrect setup.
>
> So therefore I'm saying. ( typed this before I got the script output ).
> OLDSAMBA is still in /etc/hosts but before the new hostname
> Or it still has a DNS A record.
> Or samba is also using the Netbios Alias names while creating keytab entries.
> ... And this, should in my opinion not happen, so let's wait what comes back.
> AND his keytab file is still incorrectly set up.
>
> And as I saw in the debug script output, I'm betting now on /etc/hosts that needs fixing.
>
> Resume.
>
> Change : /etc/hosts
> # this line to :
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
> #Or
> 10.0.0.2 fs-a.dom.corp fs-a    # preferred, and set up a CNAME in DNS.
>
> Reboot the server or "stop/start" samba ( don't restart ) !
>
> Verify the hostname-alias
> hosts oldhostname.dom.corp
> hosts oldhostname
>
> And try again.
>
> Greetz,
>
> Louis
>
> ________________________________
>
> From: banda bassotti [mailto:bandabasotti at gmail.com]
> Sent: Tuesday 5 November 2019 14:49
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
> systemctl stop nmbd smbd winbind
> rm -f /etc/krb5.keyatb*
> KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
> net ads keytab create cifs/$(hostname -f)
> klist -ke /etc/krb5.keytab | sort
>
> ---- --------------------------------------------------------------------------
>    7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>    7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>    7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>    7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (arcfour-hmac)
>    7 FS-A$@DOM.CORP (des-cbc-crc)
>    7 FS-A$@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (arcfour-hmac)
>    7 host/FS-A@DOM.CORP (des-cbc-crc)
>    7 host/FS-A@DOM.CORP (des-cbc-md5)
>    7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>
> systemctl start nmbd smbd winbind
>
> # host oldsamba
> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> $ kinit testuser
> $ smbclient //oldsamba/testuser -k -c 'ls'
> Unable to initialize messaging context
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> [2019/11/05 14:32:18.863122, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2019/11/05 14:32:18.863192, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>
> attached the samba-debug-info.txt
>
> On Tue 5 Nov 2019 at 13:43 L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> Hai,
>
> Nope.. Too much again ;-)
>
> This is one step too much:
> step2:
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
>
> And why are you adding @REALM .. Do it exactly as shown below.
>
> Because a CNAME resolves to the REAL hostname's A record, Kerberos then uses the A of the real hostname and (might) verify the PTR also.
>
> So again and exactly as shown, because your "Default realm" is used automatically.
>
> kinit Administrator
> *(you see here: Password for Administrator@REALM: )
>
> stop samba and related services.
>
> rm /etc/krb5.keytab2
> rm /etc/krb5.keytab
>
> # I change the keytab to the needed name (/etc/krb5.keytab)
> KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
>
> net ads keytab create cifs/$(hostname -f)
>
> Verify the output.
> klist -ke /etc/krb5.keytab | sort
>
> If you see the ALIAS hostname "oldsamba" again in the keytab file.
> Then remove it from smb.conf:
> netbios aliases = OLDSAMBA
>
> Verify the DNS and make sure your real hostname does have the A and PTR records set.
> And remove all A/PTR records related to OLDSAMBA.
> Add the CNAME for OLDSAMBA and point it to the real hostname.
>
> Restart samba, repeat the above.
>
> Still failing..
> Then get this script: https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> Run it, anonymize it and post the output.
>
> Greetz,
>
> Louis
>
> ________________________________
>
> From: banda bassotti [mailto:bandabasotti at gmail.com]
> Sent: Tuesday 5 November 2019 13:18
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
> Louis, ok I've removed everything, step 1:
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
> klist -ke /etc/krb5.keytab2|grep 7|sort
>
>    7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>    7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>    7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>    7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (arcfour-hmac)
>    7 FS-A$@DOM.CORP (des-cbc-crc)
>    7 FS-A$@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (arcfour-hmac)
>    7 host/FS-A@DOM.CORP (des-cbc-crc)
>    7 host/FS-A@DOM.CORP (des-cbc-md5)
>    7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>
> step2:
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba@DOM.CORP
> # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP
>
> klist
>
>    7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>    7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>    7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>    7 cifs/oldsamba$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/oldsamba$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/oldsamba$@DOM.CORP (arcfour-hmac)
>    7 cifs/oldsamba$@DOM.CORP (des-cbc-crc)
>    7 cifs/oldsamba$@DOM.CORP (des-cbc-md5)
>    7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>    7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>    7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (arcfour-hmac)
>    7 FS-A$@DOM.CORP (des-cbc-crc)
>    7 FS-A$@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (arcfour-hmac)
>    7 host/FS-A@DOM.CORP (des-cbc-crc)
>    7 host/FS-A@DOM.CORP (des-cbc-md5)
>    7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>
> systemctl start nmbd smbd winbind
>
> test from windows machine:
>
> [2019/11/05 13:14:49.108879, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> On Tue 5 Nov 2019 at 12:40 L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> Ok, you did too much as far as I can tell.
>
> You want to see this: I'll show my output, then it is easier to see what I mean.
>
> This is where you start with.
> klist -ke |sort ( default member )
> ---- --------------------------------------------------------------------------
>    3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    3 host/HOSTNAME1@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    3 host/HOSTNAME1@REALM.DOMAIN.TLD (arcfour-hmac)
>    3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-crc)
>    3 host/HOSTNAME1@REALM.DOMAIN.TLD (des-cbc-md5)
>    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
>    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
>    3 host/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (arcfour-hmac)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-crc)
>    3 HOSTNAME1$@REALM.DOMAIN.TLD (des-cbc-md5)
>
> In my case, my server's "real" name is hostname1 and I have an alias, let's say mycrazyserver.
>
> /etc/hosts
> 127.0.0.1 localhost
> 192.168.0.1 hostname1.internal.domain.tld hostname1 mycrazyserver.internal.domain.tld
> Host format:
> IP REAL_HOSTNAME_FQDN ALIAS ALIAS
>
> Note, adding mycrazyserver.internal.domain.tld should not be needed, because that is resolved through DNS.
>
> ping mycrazyserver.internal.domain.tld will respond its reply with hostname1.internal.domain.tld hostname1
>
> If you add CIFS to your keytab you want to see:
>    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (arcfour-hmac)
>    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-crc)
>    3 cifs/hostname1.internal.domain.tld@REAL.DOMAIN.TLD (des-cbc-md5)
> ( + what's above )
>
> That's it..
>
> So your output should look like this.
>
>    7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>    7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>    7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>    7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (arcfour-hmac)
>    7 FS-A$@DOM.CORP (des-cbc-crc)
>    7 FS-A$@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)   < double = wrong
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)   < double = wrong
>    7 host/FS-A@DOM.CORP (arcfour-hmac)
>    7 host/FS-A@DOM.CORP (arcfour-hmac)   < double = wrong
>    7 host/FS-A@DOM.CORP (des-cbc-crc)
>    7 host/FS-A@DOM.CORP (des-cbc-crc)   < double = wrong
>    7 host/FS-A@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (des-cbc-md5)   < double = wrong
>    7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>
> So try again. ;-)
>
> Greetz,
>
> Louis
>
> ________________________________
>
> From: banda bassotti [mailto:bandabasotti at gmail.com]
> Sent: Tuesday 5 November 2019 12:06
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
> Louis, thank you very much, I followed the procedure step by step (which I had already done) but unfortunately I always have the same error:
>
> [2019/11/05 11:49:47.748159, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> please pay attention to (kvno 113): the problem is here and not the keytab file.
>
> klist -ke /etc/krb5.keyatb
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 host/FS-A@DOM.CORP (des-cbc-crc)
>    7 host/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (des-cbc-md5)
>    7 host/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 host/FS-A@DOM.CORP (arcfour-hmac)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-crc)
>    7 cifs/FS-A@DOM.CORP (des-cbc-crc)
>    7 cifs/fs-a.dom.corp@DOM.CORP (des-cbc-md5)
>    7 cifs/FS-A@DOM.CORP (des-cbc-md5)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/fs-a.dom.corp@DOM.CORP (arcfour-hmac)
>    7 cifs/FS-A@DOM.CORP (arcfour-hmac)
>    7 FS-A$@DOM.CORP (des-cbc-crc)
>    7 FS-A$@DOM.CORP (des-cbc-md5)
>    7 FS-A$@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 FS-A$@DOM.CORP (arcfour-hmac)
>    7 host/FS-A@DOM.CORP (des-cbc-crc)
>    7 host/FS-A@DOM.CORP (des-cbc-md5)
>    7 host/FS-A@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 host/FS-A@DOM.CORP (arcfour-hmac)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>    7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-crc)
>    7 cifs/oldsamba@DOM.CORP (des-cbc-md5)
>    7 cifs/oldsamba@DOM.CORP (aes128-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
>    7 cifs/oldsamba@DOM.CORP (arcfour-hmac)
>
> to temporarily solve this problem I must extract the keytab of the oldsamba from the domain controller and import it with ktutil:
>
> # ktutil
> ktutil:  rkt oldsamba.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1  112 cifs/oldsamba@DOM.CORP
>    2  112 cifs/oldsamba@DOM.CORP
>    3  112 cifs/oldsamba@DOM.CORP
>    4  113 cifs/oldsamba@DOM.CORP
>    5  113 cifs/oldsamba@DOM.CORP
>    6  113 cifs/oldsamba@DOM.CORP
>
> please note the kvno column.
>
> On Tue 5 Nov 2019 at 11:30 L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> Hai,
>
> I've re-read your thread, and there are a few things going on..
> I suggest you do the following..
>
> Change these.
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = DOM.CORP
> dns_lookup_kdc = true
> dns_lookup_realm = false
> forwardable = true
> proxiable = true
> kdc_timesync = 1
> debug = false
>
> /etc/samba/smb.conf
> [Global]
> workgroup = WG1
> realm = DOM.CORP
> # Netbios names in CAPS, see..
> # https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx
> # https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> # Verify in DNS the following, A - PTR records for netbios name, setup CNAME for all alias-names,
> # point CNAME to the A record of which the PTR also exists..
> netbios name = FS-A
> netbios aliases = OLDSAMBA
> security = ADS
> #
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> ON THIS MEMBER... ( you don't run : samba-tool spn list ..... )
> You run : net ads keytab
>
> cp /etc/krb5.keytab{,.backup}
> kinit Administrator
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P
>
> Verify this keytab.
> klist -ke /etc/krb5.keytab2
>
> You want to see :
> host/NETBIOSNAME@DOM.CORP ( x5 )
> host/fqdn.hostname.dom.tld@DOM.CORP ( x5 )
> NETBIOSNAME$@DOM.CORP ( x5 )
>
> If you see these.. Then run this to add the cifs keytab.
>
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/fs-a.yourdns.domain.tld
> KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/FS-A$
>
> Verify the keytab file again.
> klist -ke /etc/krb5.keytab2
>
> If it all looks good.
>
> Stop all samba services
> rm /etc/krb5.keytab .. ( a backup file is made if you followed the above )
> mv /etc/krb5.keytab2 /etc/krb5.keytab
>
> That "should" do the trick..
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of banda bassotti via samba
> > Sent: Tuesday 5 November 2019 9:49
> > To: Rowland penny
> > CC: sambalist
> > Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
> >
> > hi, nothing to do, despite having set winbind not to change the machine
> > password the behavior is the same. I do not know what to do.
> > other ideas?
> >
> > thnx.
> >
> > On Tue 29 Oct 2019 at 11:37 banda bassotti <bandabasotti at gmail.com> wrote:
> >
> > > Hi, the problem seems to be related to this bug:
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=6750
> > >
> > > I try therefore to set
> > >
> > > machine password timeout = 0
> > >
> > > On Tue 29 Oct 2019 at 11:11 Rowland penny via samba <samba at lists.samba.org> wrote:
> > >
> > >> On 29/10/2019 10:04, banda bassotti wrote:
> > >> > I had already done it:
> > >> >
> > >> > # samba-tool spn list newsamba\$
> > >> > newsamba$
> > >> > User CN=newsamba,CN=Computers,DC=domain,DC=corp has the following
> > >> > servicePrincipalName:
> > >> >     HOST/NEWSAMBA
> > >> >     HOST/newsamba.domain.corp
> > >> >     cifs/oldsamba@DOMAIN.CORP
> > >> >     cifs/oldsamba.domain.corp@DOMAIN.CORP
> > >>
> > >> From your log fragment, it appears to be looking for
> > >> 'cifs/OLDSAMBA@DOMAIN.CORP', the case matters. You will probably have to
> > >> remove the lowercase version SPN and replace it with the uppercase
> > >> version.
> > >> > > >> Rowland > > >> > > >> > > >> > > >> -- > > >> To unsubscribe from > this list go to the following URL and read the > > >> instructions: > https://lists.samba.org/mailman/options/samba > > >> > > > > > -- > > To unsubscribe from this > list go to the following URL and read the > > instructions: > https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
L.P.H. van Belle
2019-Nov-05 15:55 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hai,

> > Change this one.
> > /etc/hosts
> > 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong
> > 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # new/correct
> > Or
> > 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct
> No, none of them are correct

No, Rowland, you're really wrong here. ( I don't say that often.. ) :-p
But I give you the doubt, once.. ;-), so show me why that is incorrect..

> > Here I personally prefer :
> > 10.0.0.2 fs-a.dom.corp fs-a
> But that is.

All examples I showed are correct, how people use it is up to them.
I show why I say it is correct. What I showed complies with the RFCs.
https://tools.ietf.org/html/rfc952
https://tools.ietf.org/html/rfc1123

And handy to know.
https://support.microsoft.com/en-us/help/2269810/microsoft-support-for-single-label-domains

Format is :
IP FQDN ALIAS (Optional other Aliases.)

I have things like this.
IP hostn1.domain1.tld hostn1 somenamehere.completlydiffernt.tld somenamehere whatever.dom.tld

And all work fine with kerberos, any alias.. because I have 1 IP for 1 hostname and 1 PTR.
All other things are CNAMEs in DNS, and if only used locally on the server then I have it in /etc/hosts.

> > Why is this used : getwd cache = yes ?
> > For my understanding, I think you can remove it, because this should be handled differently in samba4.
> Yes, it should be removed, but only because it is a default setting.

Ok, that confirms what I saw in some old list mails. (somewhere 2012)

> > Which of course defaults to FILE:/etc/krb5.keytab
> I was trying to show that a keytab was being created but not used.

Ahh.. And I created a keytab for him that did not overwrite his original keytab..
And in the other mails you missed the mv /etc/krb5.keytab2 /etc/krb5.keytab ;-)

> > > >>> Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
> > > >>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> > >> Then something reads the keytab in memory and cannot find the
> > >> required SPN, or to put it another way, whatever is trying to find the
> > >> SPN isn't reading the keytab you created above, it is reading the one in memory.
> > Ok, this part above, yes, you're right, it's reading in memory, but to my belief,
> > From: kerberos method = secrets and keytab, and as far as I know "secrets" = MEMORY
> Sorry but no, 'secrets' = secrets.tdb (unless this is something else wrong in the smb.conf manpage)

Ok, so then we need a reboot of that server, that clears the memory then, correct?
But after a reboot.. It's still there because it's in secrets.tdb which might be used in memory,
We can ask that @ one of the other devs.

> > but ask yourself, why is it using the "oldsamba" name if he is using oldsamba as aliasname.
> > That's the key here, so conclusion: resolving problems/incorrect setup.
> >
> > So therefore I'm saying. ( typed this before I got the script output ).
> > OLDSAMBA is still in /etc/hosts but before the newHostname
> > Or it still has a dns A record.
> > Or samba is also using the Netbios Alias names while creating keytab entries.
> > ... And this should in my opinion not happen, so let's wait what comes back.
> > AND his keytab file is still incorrectly setup.
> >
> > And as I saw in the debug script output, I'm betting now on /etc/hosts that needs fixing.
> This is quite possibly a DNS problem, my gut feeling is to leave the domain, clean everything up and then rejoin, hopefully this will fix things.

Yes, that is the last option AFTER the DNS/resolving fixes.

So what is the output of : tdbdump secrets.tdb (apt-get install tdb-tools)
I'll bet the entry is there.

Or another simple test, this part.

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

Change that to

kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab

That removes the use of secrets.tdb !
Stop/start samba, don't restart..
And try again.

Greetz,

Louis
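An added check for the situation argued over above (example code, not from the thread or from Samba): it pulls the principal and kvno out of the gse.c error line and compares them with a `klist -ke` listing, so a missing principal, a key-version mismatch (the keytab holds kvno 7, the KDC encrypted the ticket with kvno 113) and duplicated rows are told apart. The listing and the log line are constructed to mirror the thread; `keytab_check` and `check_expected` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check a "Failed to find <principal> (kvno N)
# in keytab" error against the member's keytab listing. The keytab holds the key version
# the member joined with; if the KDC issued a ticket for another kvno, some other account
# (in the thread: a stale "oldsamba" machine account) carries that SPN, or its key rolled.

# parse_error LOGLINE -> prints "<principal> <kvno>" taken from the gse.c error text.
parse_error() {
  printf '%s\n' "$1" | sed -n 's/.*Failed to find \([^ (]*\) *(kvno \([0-9]*\)).*/\1 \2/p'
}

# keytab_check PRINCIPAL KVNO < klist-output
# Reads "klist -ke" output (KVNO, principal, enctype per line). Principals are compared
# exactly: Kerberos is case-sensitive, so cifs/OLDSAMBA@REALM is not cifs/oldsamba@REALM.
# Exit 0: principal present with the requested kvno.
# Exit 1: principal absent from the keytab (SPN never added here, or registered elsewhere).
# Exit 2: principal present but only with other kvno(s): this host does not hold the key
#         the KDC used, so look for another account carrying the SPN (tdbdump / samba-tool).
# Identical principal/kvno/enctype rows are reported as DUP (the "double = wrong" case).
keytab_check() {
  awk -v want="$1" -v kvno="$2" '
    $1 ~ /^[0-9]+$/ {
      row = $1 " " $2 " " $3
      if (seen[row]++) dup[row] = 1
      if ($2 == want) { have[$1] = 1; present = 1 }
    }
    END {
      for (r in dup) print "DUP " r
      if (!present) { print "MISSING " want; exit 1 }
      if (kvno in have) { print "OK " want " kvno " kvno; exit 0 }
      printf "KVNO-MISMATCH %s: keytab has kvno", want
      for (k in have) printf " %s", k
      printf ", server asked for kvno %s\n", kvno
      exit 2
    }'
}

# check_expected NETBIOSNAME FQDN REALM < klist-output
# Reports which of the principals a member keytab should carry (host/NETBIOS, host/fqdn,
# NETBIOS$ and cifs/fqdn, as described in the thread) are absent; exit 1 if any is missing.
check_expected() {
  awk -v list="host/$1@$3 host/$2@$3 $1\$@$3 cifs/$2@$3" '
    BEGIN { n = split(list, want, " "); rc = 0 }
    $1 ~ /^[0-9]+$/ { have[$2] = 1 }
    END {
      for (i = 1; i <= n; i++) if (!(want[i] in have)) { print "MISSING " want[i]; rc = 1 }
      exit rc
    }'
}

# Constructed sample in "klist -ke" format: one enctype per principal to keep it short,
# plus a deliberately duplicated cifs/oldsamba row.
sample_klist() {
  cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
EOF
}

# Constructed log line in the shape of the thread's error (same principal and kvno).
SAMPLE_ERR='gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]'

# Stand-alone run against the constructed sample; on a real member pipe in
# "klist -ke /etc/krb5.keytab" and the error line from log.smbd instead.
demo() {
  set -- $(parse_error "$SAMPLE_ERR")
  sample_klist | keytab_check "$1" "$2" || echo "keytab_check exit status: $?"
  sample_klist | check_expected FS-A fs-a.dom.corp DOM.CORP || echo "check_expected exit status: $?"
}
demo
```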
banda bassotti
2019-Nov-05 15:56 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Luis, Rowland, I've found the problem, I feel like an idiot:
1) for making you lose all this time
2) because I have not checked before: the oldsamba machine account was still present on the domain controllers :( sorry :(

On Tue 5 Nov 2019 at 16:36 banda bassotti <bandabasotti at gmail.com> wrote:

> Luis, my typos, I've to mask the output, sorry (compliance)
>
> # su - testuser
> $ smbclient --option='client min protocol=NT1' -U testuser //oldsamba/testuser -c 'ls'
> Unable to initialize messaging context
> Enter DOM\testuser's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> [2019/11/05 15:50:50.009481, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/stcomune@COMUNE.PADOVA.IT(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> [2019/11/05 15:50:50.009564, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
> gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>
> the same test from a windows machine fails with a user credential request.
>
> $ host oldsamba
> oldsamba.dom.corp is an alias for fs-a.dom.corp.
> fs-a.dom.corp has address 10.0.0.2
>
> $ head /etc/hosts
> 127.0.0.1 localhost
> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba
>
> I accepted your suggestions and modified smb.conf accordingly, thanks.
>
> On Tue 5 Nov 2019 at 15:43 L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
>> Ok,
>>
>> Your keytab looks ok now.
>>
>> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>> I would have expected here.
>> oldsamba.dom.corp is an alias for fs-a.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>> Or was that a typo? I'm assuming a typo..
>>
>> About your setup from the script output.
>>
>> Change this one.
>> /etc/hosts
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # new/correct
>> Or
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct
>>
>> Here I personally prefer :
>> 10.0.0.2 fs-a.dom.corp fs-a
>>
>> And add the cname to the DNS.
>>
>> Why.. IP ALIAS1 ALIAS2.. Etc.. , but what I didn't tell before.. (sorry)
>>
>> ALIAS, if you use a "single label" alias-name, as in, only the hostname-alias without the domain part.
>> Then that hostname can/should only be used on the server, because it's missing the domain part.
>>
>> I do the same here, this is how I use it. ( from a 4.11.2 member to a .. yes 3.6.x server, I still have one running.. :-/
>> smbclient --option='client min protocol=NT1' //oldsamba/sharename -c 'ls'
>> -k won't work here, don't ask why, that I don't know.
>>
>> To a 4.8+ member I use : smbclient //somealias/sharename -c 'ls'
>>
>> /etc/samba/smb.conf
>> You can remove these after testing, or set to no and use getent passwd/group username/groupname if you want to see the groups.
>> winbind enum groups = yes
>> winbind enum users = yes
>>
>> Why is this used : getwd cache = yes ?
>> For my understanding, I think you can remove it, because this should be handled differently in samba4.
>>
>> You're allowing : usershare allow guests = yes
>> but you disable the share location : usershare path
>> or use it or disable it, now it's?? you tell me.. ;-) .
>>
>> but beside above points your setup looks pretty good.
>>
>> @Rowland,
>> This might help you understanding my response on this one.
>>
>> > You are creating a keytab, which may or may not be called /etc/krb5.keytab2
>>
>> ^^^^^^^^ was only used to not accidentally destroy his old keytab file.
>> But since it's replaced anyway now.
>>
>> Ps, keytab name is not significant.
>> What is significant is what is set for : default_keytab_name in krb5.conf
>> Which of course defaults to FILE:/etc/krb5.keytab
>>
>> > > Failed to find cifs/oldsamba@DOM.CORP(kvno 113) in keytab
>> > > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> >
>> > Then something reads the keytab in memory and cannot find the required SPN, or to put it another way, whatever is trying to find the SPN isn't reading the keytab you created above, it is reading the one in memory.
>>
>> Ok, this part above, yes, you're right, it's reading in memory, but to my belief,
>> From: kerberos method = secrets and keytab, and as far as I know "secrets" = MEMORY
>> but ask yourself, why is it using the "oldsamba" name if he is using oldsamba as aliasname.
>> That's the key here, so conclusion: resolving problems/incorrect setup.
>>
>> So therefore I'm saying. ( typed this before I got the script output ).
>> OLDSAMBA is still in /etc/hosts but before the newHostname
>> Or it still has a dns A record.
>> Or samba is also using the Netbios Alias names while creating keytab entries.
>> ... And this should in my opinion not happen, so let's wait what comes back.
>> AND his keytab file is still incorrectly setup.
>>
>> And as I saw in the debug script output, I'm betting now on /etc/hosts that needs fixing.
>>
>> Resume.
>>
>> Change : /etc/hosts
>> # this line to :
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp
>> #Or
>> 10.0.0.2 fs-a.dom.corp fs-a # preferred, and setup CNAME in DNS.
>>
>> Reboot the server or "stop/start" samba ( don't restart ) !
>>
>> Verify the hostname-alias
>> hosts oldhostname.dom.corp
>> hosts oldhostname
>>
>> And try again.
>>
>> Greetz,
>>
>> Louis
Rowland penny
2019-Nov-05 16:05 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
On 05/11/2019 15:55, L.P.H. van Belle via samba wrote:
> Hai,
>
>>> Change this one.
>>> /etc/hosts
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # new/correct
>>> Or
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct
>> No, none of them are correct
> No, Rowland, you're really wrong here. ( i dont say that often.. ) :-p
> But i give you the doubt, once.. ;-), so show me why that is incorrect..
>
>>> Here i personally prefer :
>>> 10.0.0.2 fs-a.dom.corp fs-a
>> But that is.
> All examples i showed are correct, how people use it, is up to them.
> I show why i say it is correct. what i showed complies with RFC's.
> https://tools.ietf.org/html/rfc952
> https://tools.ietf.org/html/rfc1123
>
> And handy to know.
> https://support.microsoft.com/en-us/help/2269810/microsoft-support-for-single-label-domains
>
> Format is :
> IP FQDN ALIAS (Optional other Aliases.)
>
> I have things like this.
> IP hostn1.domain1.tld hostn1 somenamehere.completlydiffernt.tld somenamehere whatever.dom.tld
>
> And all work fine with kerberos, any alias.. because i have 1 IP for 1 hostname and 1 PTR.
> All other things are CNAMES in DNS and if only used locally on the server then i have it in /etc/hosts.

Yes, if you are just using /etc/hosts , but AD uses dns and the dns version of 'alias' is CNAME

Rowland
banda bassotti
2019-Nov-05 16:10 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
samba-tool computer remove oldsamba

On Tue 5 Nov 2019 at 17:04 L.P.H. van Belle <belle at bazuin.nl> wrote:
> Hai,
>
> Well that's great you found it.
>
> Ah.. so you removed the entry from the DNS or ADDB?
> Can you tell what you exactly did, that might help the next person with a
> problem like this.
>
> And not many list messages today.. ;-) so no worries..
>
> I suspect you removed the old account name from OU=Computers, because..
> (And my fault here was not to check that sooner.. )
>
> if you use a call that needs an SPN, it looks it up in AD and DNS.
> First DNS then ADDB and I only focused on DNS.. :-/ while the XXXX/spn
> entries are in COMPUTERNAME$ in ADDB..
>
> One to remember... and yes, this should be found quicker.
>
> Greetz,
>
> Louis
>
> ------------------------------
> *From:* banda bassotti [mailto:bandabasotti at gmail.com]
> *Sent:* Tuesday 5 November 2019 16:56
> *To:* L.P.H. van Belle
> *CC:* samba at lists.samba.org
> *Subject:* Re: [Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab
>
> Luis, Rowland I've found the problem, I feel like an idiot:
>
> 1) for making you lose all this time
> 2) because I have not checked before
>
> the oldsamba machine account was still present on the domain controllers :(
>
> sorry :(
>
> On Tue 5 Nov 2019 at 16:36 banda bassotti <bandabasotti at gmail.com> wrote:
>
>> Luis, my typos, I've to mask the output sorry (compliance)
>>
>> # su - testuser
>> $ smbclient --option='client min protocol=NT1' -U testuser //oldsamba/testuser -c 'ls'
>> Unable to initialize messaging context
>> Enter DOM\testuser's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> [2019/11/05 15:50:50.009481, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
>> gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/stcomune at COMUNE.PADOVA.IT(kvno 113) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>> [2019/11/05 15:50:50.009564, 1] ../../auth/gensec/spnego.c:1244(gensec_spnego_server_negTokenInit_step)
>> gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>>
>> the same test from a windows machine fails with a user credential request.
>>
>> $ host oldsamba
>> oldsamba.dom.corp is an alias for fs-a.dom.corp.
>> fs-a.dom.corp has address 10.0.0.2
>>
>> $ head /etc/hosts
>> 127.0.0.1 localhost
>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba
>>
>> I accepted your suggestions and modified smb.conf accordingly, thanks.
>>
>> On Tue 5 Nov 2019 at 15:43 L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>>
>>> Ok,
>>>
>>> Your keytab looks ok now.
>>>
>>> oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
>>> fs-a.dom.corp has address 10.0.0.2
>>>
>>> i would have expected here.
>>> oldsamba.dom.corp is an alias for fs-a.dom.corp.
>>> fs-a.dom.corp has address 10.0.0.2
>>>
>>> Or was that a typo? I'm assuming a typo..
>>>
>>> About your setup from the script output.
>>>
>>> Change this one.
>>> /etc/hosts
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # new/correct
>>> Or
>>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct
>>>
>>> Here i personally prefer :
>>> 10.0.0.2 fs-a.dom.corp fs-a
>>>
>>> And add the cname to the DNS.
>>>
>>> Why.. IP ALIAS1 ALIAS2.. Etc.. , but what i didnt tell before.. (sorry)
>>>
>>> ALIAS, if you use a "single label" alias-name, as in, only the
>>> hostname-alias without the domain part.
>>> Then that hostname can/should only be used on the server, because it's
>>> missing the domain part.
>>>
>>> I do the same here, this is how i use it. ( from a 4.11.2 member to a
>>> .. yes 3.6.x server, i still have one running..
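An added check script, not from the thread and not part of Samba: it applies to a `klist -ke` listing the four things Louis has the poster verify by eye (the expected principals present, no double entries, no alias host names, a single KVNO). The function name `keytab_check` is my own, and the sample listings are constructed to mirror the clean and the broken state shown in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): apply the checks Louis has the
# poster do by eye to `klist -ke` output. keytab_check, the sample listings
# and the host names FS-A / fs-a.dom.corp / DOM.CORP are constructed here.
#
#   klist -ke /etc/krb5.keytab | keytab_check NETBIOS FQDN REALM
#
# Exit status 0 means clean; every problem found is printed on its own line.
keytab_check() {
    nb=$1; fq=$2; realm=$3; rc=0
    # keep only the entry lines: "KVNO principal (enctype)"
    listing=$(grep -E '^ *[0-9]+ [^ ]+ \(')

    # 1. the principals a member needs: the host/ and machine-account set
    #    written by "net ads keytab CREATE" plus the two cifs SPNs added
    #    afterwards with "net ads keytab ADD"
    for p in "host/$nb@$realm" "host/$fq@$realm" "$nb\$@$realm" \
             "cifs/$nb@$realm" "cifs/$fq@$realm"; do
        if ! printf '%s\n' "$listing" | grep -qF " $p "; then
            echo "MISSING: $p"; rc=1
        fi
    done

    # 2. the same principal with the same enctype twice ("double = wrong")
    dups=$(printf '%s\n' "$listing" | awk '{print $2, $3}' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'DUPLICATE: %s\n' "$dups"; rc=1
    fi

    # 3. entries for any other host name. An alias such as the old server
    #    name belongs in DNS as a CNAME, not in this keytab.
    foreign=$(printf '%s\n' "$listing" | awk -v nb="$nb" -v fq="$fq" '
        { p = $2; sub(/@.*/, "", p); sub(/^[a-z]+\//, "", p)
          if (p != nb && p != fq && p != (nb "$")) print $2 }' | sort -u)
    if [ -n "$foreign" ]; then
        printf 'FOREIGN: %s\n' "$foreign"; rc=1
    fi

    # 4. one machine account means one KVNO. A second value (the thread's
    #    113 next to 7) means keys from another account were mixed in,
    #    e.g. a stale computer object that still exists in AD.
    nkvno=$(printf '%s\n' "$listing" | awk '{print $1}' | sort -u | awk 'END { print NR }')
    if [ "$nkvno" -ne 1 ]; then
        echo "MIXED KVNO: $nkvno different key versions present"; rc=1
    fi
    return $rc
}

# Constructed sample listing (one enctype per principal to keep it short)
# in the state Louis says a member should be in.
GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 FS-A$@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 host/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/FS-A@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/fs-a.dom.corp@DOM.CORP (aes256-cts-hmac-sha1-96)'

# Constructed listing mirroring the poster's state: the alias SPN added by
# hand, one entry twice, and a key imported from another account (kvno 113).
BAD_KEYTAB="$GOOD_KEYTAB
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
   7 cifs/oldsamba@DOM.CORP (aes256-cts-hmac-sha1-96)
 113 cifs/oldsamba@DOM.CORP (arcfour-hmac)"

# Demo run on the constructed listings
printf '%s\n' "$GOOD_KEYTAB" | keytab_check FS-A fs-a.dom.corp DOM.CORP && echo "clean keytab: OK"
printf '%s\n' "$BAD_KEYTAB" | keytab_check FS-A fs-a.dom.corp DOM.CORP || echo "keytab needs fixing"
```

On a real member replace the sample input with `klist -ke /etc/krb5.keytab`; a FOREIGN or MIXED KVNO line points at the alias SPN / stale computer account problem the thread ends on.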
L.P.H. van Belle
2019-Nov-05 16:39 UTC
[Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hai Rowland, I'll explain a bit more on this.

> Yes, if you are just using /etc/hosts , but AD uses dns and the dns
> version of 'alias' is CNAME

Not debating that. But I use everything here, and you can combine that fine, if you know what you're doing.

If you run smbclient, what happens then.. You first make a DNS request, that goes through /etc/hosts, then it goes to /etc/resolv.conf, then DNS is used, in that order. Then the AD DB is used for SPN lookups.

This is for example a part of my webserver setup, where I use: internal DNS requests (Samba DNS) and internet DNS and /etc/hosts on one host. All for 1 website, which looks the same if I use a PC in the LAN or a PC at home (DNS requests). But on the local server I use another hostname, for a protected part of that site, only accessible from the server by the server, requests through /etc/hosts only, because that hostname is only in /etc/hosts. That works fine, and yes, even Kerberos works on that hostname because it is just an alias. Resolving does the rest to make it work.

What I don't use in my LAN... accessing servers by IP, why, because if you only use hostname.(fqdns)
1) protecting it is better done if you set up only with hostname use.
2) if you did something wrong it just won't work.
3) if your setup is right, it always works.
4) yeah, it might be a bit slower than using IP, but that's logical because you removed the DNS requests..

This is why I hammer on DNS resolving to be correct.

And yes, I'm 100% agreeing that this:
10.0.0.2 fs-a.dom.corp fs-a
Should be the only correct one. There are just too many options.. :-/

Good evening guys and girls, I'm heading home.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 5 November 2019 17:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
>
> On 05/11/2019 15:55, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> >>> Change this one.
> >>> /etc/hosts
> >>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong
> >>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # new/correct
> >>> Or
> >>> 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct
> >> No, none of them are correct
> > No, Rowland, you're really wrong here. ( I don't say that often.. ) :-p
> > But I give you the doubt, once.. ;-), so show me why that is incorrect..
> >
> >>> Here I personally prefer :
> >>> 10.0.0.2 fs-a.dom.corp fs-a
> >> But that is.
> > All examples I showed are correct, how people use it, is up to them.
> > I show why I say it is correct. What I showed complies with RFCs.
> > https://tools.ietf.org/html/rfc952
> > https://tools.ietf.org/html/rfc1123
> >
> > And handy to know.
> > https://support.microsoft.com/en-us/help/2269810/microsoft-support-for-single-label-domains
> >
> > Format is :
> > IP FQDN ALIAS (Optional other Aliases.)
> >
> > I have things like this.
> > IP hostn1.domain1.tld hostn1 somenamehere.completlydiffernt.tld somenamehere whatever.dom.tld
> >
> > And All work fine with Kerberos, any alias.. because I have 1 IP for 1 hostname and 1 PTR.
> > All other things are CNAMES in DNS, and if only used locally on the server then I have it in /etc/hosts.
> Yes, if you are just using /etc/hosts , but AD uses dns and the dns
> version of 'alias' is CNAME
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>