Garcia JR
2020-Jul-14 16:24 UTC
[Samba] Error trying to access samba sharing using netbios name
I am getting this error in smbd.log when a user tries to open a share from a Windows box:

gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/mymember.my.domain.tld@MY.DOMAIN.TLD(kvno 58) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

I did some research on Google and in the mailing list before posting this message. I see some similar issues, where the solution seems to be adding "cifs/mymember.my.domain.tld@MY.DOMAIN.TLD" to the keytab file. In my case, it was already there, as you can see below.

In the error message I see it's making reference to kvno 58; in my keytab it's 64. Not sure if it's related or not. Is there a way to reset the key from memory? I tried to restart smbd and winbindd, but no luck.

The same share can be accessed if I use the IP address instead.

###########################################
smb.conf
###########################################
[global]
netbios name = mymember
server string = File Server in %L
workgroup = accent
security = ADS
realm = MY.DOMAIN.TLD
password server = mad
encrypt passwords = true
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999

max protocol = SMB2

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind cache time = 60

; misc options
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
time server = yes

; do not show files starting with dots
hide dot files = yes

; do not allow guest access, use only local system accounts
guest ok = no

; log (max log size in kB)
log level = 1
#log level = 3 passdb:5 auth:10 winbind:10
log file = /var/log/samba/log.%L
max log size = 10000
debug timestamp = yes
#syslog = 1

remote announce = 192.168.0.0/24 172.16.170.0/24 192.168.150.0/24 172.17.0.0/24
remote browse sync = 192.168.0.0/24 192.168.150.0/24 172.16.170.0/24 172.17.0.0/24

hosts allow = 127.0.0.1 192.168.0.0/24 192.168.150.0/24 172.16.170.0/24 172.17.0.0/24

obey pam restrictions = no

###########################################
## KEY TAB FILE

$ klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (des-cbc-crc)
  64 cifs/mymember@MY.DOMAIN.TLD (des-cbc-crc)
  64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (des-cbc-md5)
  64 cifs/mymember@MY.DOMAIN.TLD (des-cbc-md5)
  64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 cifs/mymember@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 cifs/mymember@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (arcfour-hmac)
  64 cifs/mymember@MY.DOMAIN.TLD (arcfour-hmac)
  64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (des-cbc-crc)
  64 host/mymember@MY.DOMAIN.TLD (des-cbc-crc)
  64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (des-cbc-md5)
  64 host/mymember@MY.DOMAIN.TLD (des-cbc-md5)
  64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 host/mymember@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 host/mymember@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (arcfour-hmac)
  64 host/mymember@MY.DOMAIN.TLD (arcfour-hmac)
  64 MYMEMBER$@MY.DOMAIN.TLD (des-cbc-crc)
  64 MYMEMBER$@MY.DOMAIN.TLD (des-cbc-md5)
  64 MYMEMBER$@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
  64 MYMEMBER$@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 MYMEMBER$@MY.DOMAIN.TLD (arcfour-hmac)

--
Garcia
Garcia JR
2020-Jul-14 17:25 UTC
[Samba] Error trying to access samba sharing using netbios name
I got it fixed now, so just for the record, in case someone faces the same issue.

Leaving and rejoining the domain made the kvno reset to 2 (net ads leave / net ads join).
Then I rebooted the Windows workstation, since it was still making reference to the old kvno 58.
On some other workstations, net use * /delete /y and a remap did the trick.

On Tue, Jul 14, 2020 at 1:24 PM Garcia JR <garciajr at gmail.com> wrote:
> I am getting this error in smbd.log when a user tries to open a share from a
> Windows box:
>
> gss_accept_sec_context failed with [ Miscellaneous failure (see text):
> Failed to find cifs/mymember.my.domain.tld@MY.DOMAIN.TLD(kvno 58) in
> keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>
> I did some research on Google and in the mailing list before posting
> this message. I see some similar issues, where the solution seems to be adding
> "cifs/mymember.my.domain.tld@MY.DOMAIN.TLD" to the keytab file. In my case,
> it was already there, as you can see below.
>
> In the error message I see it's making reference to kvno 58; in my keytab it's
> 64. Not sure if it's related or not. Is there a way to reset the key from
> memory? I tried to restart smbd and winbindd, but no luck.
>
> The same share can be accessed if I use the IP address instead.
>
> ###########################################
> smb.conf
> ###########################################
> [global]
> netbios name = mymember
> server string = File Server in %L
> workgroup = accent
> security = ADS
> realm = MY.DOMAIN.TLD
> password server = mad
> encrypt passwords = true
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> max protocol = SMB2
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind cache time = 60
>
> ; misc options
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
> time server = yes
>
> ; do not show files starting with dots
> hide dot files = yes
>
> ; do not allow guest access, use only local system accounts
> guest ok = no
>
> ; log (max log size in kB)
> log level = 1
> #log level = 3 passdb:5 auth:10 winbind:10
> log file = /var/log/samba/log.%L
> max log size = 10000
> debug timestamp = yes
> #syslog = 1
>
> remote announce = 192.168.0.0/24 172.16.170.0/24 192.168.150.0/24 172.17.0.0/24
> remote browse sync = 192.168.0.0/24 192.168.150.0/24 172.16.170.0/24 172.17.0.0/24
>
> hosts allow = 127.0.0.1 192.168.0.0/24 192.168.150.0/24 172.16.170.0/24 172.17.0.0/24
>
> obey pam restrictions = no
>
> ###########################################
> ## KEY TAB FILE
>
> $ klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (des-cbc-crc)
>   64 cifs/mymember@MY.DOMAIN.TLD (des-cbc-crc)
>   64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (des-cbc-md5)
>   64 cifs/mymember@MY.DOMAIN.TLD (des-cbc-md5)
>   64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 cifs/mymember@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 cifs/mymember@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (arcfour-hmac)
>   64 cifs/mymember@MY.DOMAIN.TLD (arcfour-hmac)
>   64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (des-cbc-crc)
>   64 host/mymember@MY.DOMAIN.TLD (des-cbc-crc)
>   64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (des-cbc-md5)
>   64 host/mymember@MY.DOMAIN.TLD (des-cbc-md5)
>   64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 host/mymember@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 host/mymember@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 host/mymember.my.domain.tld@MY.DOMAIN.TLD (arcfour-hmac)
>   64 host/mymember@MY.DOMAIN.TLD (arcfour-hmac)
>   64 MYMEMBER$@MY.DOMAIN.TLD (des-cbc-crc)
>   64 MYMEMBER$@MY.DOMAIN.TLD (des-cbc-md5)
>   64 MYMEMBER$@MY.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>   64 MYMEMBER$@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>   64 MYMEMBER$@MY.DOMAIN.TLD (arcfour-hmac)
>
> --
> Garcia
>

--
Garcia
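
Added example, not part of the original posts and not Samba code: a Python check that makes the comparison the poster did by eye, matching the principal, enctype and kvno named in the smbd error against the `klist -ke` listing. The sample log line and keytab listing are constructed from the values quoted in the thread; the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample input, built from the values quoted in the thread.
SMBD_LOG = (
    "gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
    "Failed to find cifs/mymember.my.domain.tld@MY.DOMAIN.TLD(kvno 58) "
    "in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")
KLIST_KE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
  64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 cifs/mymember@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
  64 cifs/mymember.my.domain.tld@MY.DOMAIN.TLD (arcfour-hmac)
  64 MYMEMBER$@MY.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
"""

LOG_RE = re.compile(r"Failed to find (?P<princ>\S+?)\s*\(kvno (?P<kvno>\d+)\) "
                    r"in keytab \S+ \((?P<enc>[^)]+)\)")
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$", re.M)

def _deobfuscate(text):
    # List archives rewrite "@" as " at "; undo that before parsing.
    return text.replace(" at ", "@")

def parse_keytab(klist_text):
    """Return {(principal, enctype): {kvno, ...}} from `klist -ke` output."""
    entries = {}
    for kvno, princ, enc in ENTRY_RE.findall(_deobfuscate(klist_text)):
        entries.setdefault((princ, enc), set()).add(int(kvno))
    return entries

def diagnose(log_line, klist_text):
    """Return (verdict, kvno in the ticket, kvnos in the keytab or None)."""
    m = LOG_RE.search(_deobfuscate(log_line))
    if not m:
        return ("NO_KEYTAB_ERROR", None, None)
    princ, want, enc = m["princ"], int(m["kvno"]), m["enc"]
    keytab = parse_keytab(klist_text)
    if not any(p == princ for p, _ in keytab):
        return ("PRINCIPAL_MISSING", want, None)
    have = keytab.get((princ, enc))
    if have is None:
        return ("ENCTYPE_MISSING", want, None)
    if want in have:
        return ("KEY_PRESENT", want, sorted(have))
    return ("KVNO_MISMATCH", want, sorted(have))

print(diagnose(SMBD_LOG, KLIST_KE))
```

A `KVNO_MISMATCH` verdict is the situation in the thread: the principal and enctype are in the keytab, but the ticket presented was issued under key version 58 while the keytab only holds version 64.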