Stefan G. Weichinger
2021-Dec-29 12:03 UTC
[Samba] Domain admin can't access share on samba dm-server
windows2019 server, logged in as domain admin

accessing \\pre01svdeb01 fails, I see this in the samba logs:

[2021/12/29 12:57:54.754005, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2021/12/29 12:57:54.769715, 1] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2021/12/29 12:57:54.769829, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)

googled, tried:

  # net ads keytab add_update_ads cifs/pre01svdeb01@mydom.AT -U Administrator

Doesn't help

  net ads keytab list

shows multiple lines containing "cifs/pre01svdeb01@mydom.AT"

also with "aes256-cts-hmac-sha1-96"

when I look closer there are 2 sets of lines, three in uppercase like:

  2 aes256-cts-hmac-sha1-96 cifs/PRE01SVdeb01@MYDOM.AT

three in lower case:

  2 aes256-cts-hmac-sha1-96 cifs/pre01svdeb01@MYDOM.AT

- what should I do?

This is samba Version 4.14.11-Debian.

# Global parameters
[global]
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        load printers = No
        log file = /var/log/samba/%m.log
        logon home = ""
        logon path = ""
        map to guest = Bad User
        max log size = 150000
        netbios name = SERVER
        printcap name = /dev/null
        realm = MYDOM.AT
        security = ADS
        template homedir = /mnt/samba/Daten/%U
        template shell = /bin/bash
        username map = /etc/samba/smbusers
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = BUERO
        full_audit:priority = notice
        full_audit:facility = local5
        full_audit:success = mkdir rmdir read pread write pwrite rename unlink
        full_audit:failure = connect
        full_audit:prefix = %u|%I|%m|%S
        idmap config buero:range = 10000-99999
        idmap config buero:backend = rid
        idmap config *:range = 2000-9999
        idmap config * : backend = tdb
        hosts allow = localhost 192.168.16. 172.32.99.
        map acl inherit = Yes
        printing = bsd
        vfs objects = acl_xattr
L.P.H. van Belle
2021-Dec-29 14:07 UTC
[Samba] Domain admin can't access share on samba dm-server
First.. Use FQDN's in your shares.

Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

klist -ke shows? Can you show the full output.

For cifs (and nfs) you need the spn format like this.

  cifs/hostname.internal.domain.tld@REALM.TLD

(net ads adds the REALM part automatically)

If your host is using a CNAME for cifs then you need to add

  cifs/cname.internal.domain.tld@REALM.TLD

also. And it's really advised to give these servers a PTR record.

How I do it. And ALWAYS backup your krb5.keytab file first.
Don't know why sometimes (in my case) the KVNO is off. When that happens I restore the original keytab file.

  cp /etc/krb5.keytab{,.backup}
  kinit Administrator
  net ads keytab add_update_ads cifs/$(hostname -f)

Removing wrong entries I do like this, and maybe someone has better ideas on this, please add it..

!! MAKE THAT BACKUP FIRST !!

  ktutil
  rkt /etc/krb5.keytab
  ?                         For help.
  wkt /etc/krb5.keytab.new
  cp /etc/krb5.keytab.new /etc/krb5.keytab

!! If you write the keytab as shown above directly into /etc/krb5.keytab you get everything double.

When you use delent nr and you have 1-40 entries. Let's say entry 21 to 40 are wrong.

  delent 21   << only one you need.. Just repeat it until it's all gone.

Hope this helped a bit.

Ps. I'm picky but..

> idmap config buero:range = 10000-99999
> idmap config buero:backend = rid

buero should be BUERO
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
Points to
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nbte/6f06fa0e-1dc4-4c41-accb-355aaf20546d
Quote from that last page: NetBIOS names are inherently case-sensitive.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Wednesday 29 December 2021 13:03
> To: samba
> Subject: [Samba] Domain admin can't access share on samba dm-server
>
> windows2019 server, logged in as domain admin
>
> accessing \\pre01svdeb01 fails, I see this in the samba logs:
>
> [2021/12/29 12:57:54.754005, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2021/12/29 12:57:54.769715, 1] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2021/12/29 12:57:54.769829, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>
> googled, tried:
>
>   # net ads keytab add_update_ads cifs/pre01svdeb01@mydom.AT -U Administrator
>
> Doesn't help
>
>   net ads keytab list
>
> shows multiple lines containing "cifs/pre01svdeb01@mydom.AT"
>
> also with "aes256-cts-hmac-sha1-96"
>
> when I look closer there are 2 sets of lines, three in uppercase like:
>
>   2 aes256-cts-hmac-sha1-96 cifs/PRE01SVdeb01@MYDOM.AT
>
> three in lower case:
>
>   2 aes256-cts-hmac-sha1-96 cifs/pre01svdeb01@MYDOM.AT
>
> - what should I do?
>
> This is samba Version 4.14.11-Debian.
>
> # Global parameters
> [global]
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         load printers = No
>         log file = /var/log/samba/%m.log
>         logon home = ""
>         logon path = ""
>         map to guest = Bad User
>         max log size = 150000
>         netbios name = SERVER
>         printcap name = /dev/null
>         realm = MYDOM.AT
>         security = ADS
>         template homedir = /mnt/samba/Daten/%U
>         template shell = /bin/bash
>         username map = /etc/samba/smbusers
>         winbind offline logon = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = BUERO
>         full_audit:priority = notice
>         full_audit:facility = local5
>         full_audit:success = mkdir rmdir read pread write pwrite rename unlink
>         full_audit:failure = connect
>         full_audit:prefix = %u|%I|%m|%S
>         idmap config buero:range = 10000-99999
>         idmap config buero:backend = rid
>         idmap config *:range = 2000-9999
>         idmap config * : backend = tdb
>         hosts allow = localhost 192.168.16. 172.32.99.
>         map acl inherit = Yes
>         printing = bsd
>         vfs objects = acl_xattr
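An added helper, not code from the thread or from Samba: it parses `net ads keytab list` style output (constructed sample below, shaped like the entries Stefan quoted) and the "Failed to find ... (kvno N)" line from gse.c, and reports whether the miss is a principal case mismatch, a kvno mismatch, or an exact hit that points at the in-memory keytab rather than the file. The `kvno enctype principal` column layout is an assumption about the list format.

```python
import re

# Constructed sample of `net ads keytab list` output (the list archive
# renders "@" as " at "; it is written with "@" here).
KEYTAB_LIST = """\
Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  cifs/PRE01SVdeb01@MYDOM.AT
  2  aes128-cts-hmac-sha1-96  cifs/PRE01SVdeb01@MYDOM.AT
  2  arcfour-hmac-md5         cifs/PRE01SVdeb01@MYDOM.AT
  2  aes256-cts-hmac-sha1-96  cifs/pre01svdeb01@MYDOM.AT
  2  aes128-cts-hmac-sha1-96  cifs/pre01svdeb01@MYDOM.AT
  2  arcfour-hmac-md5         cifs/pre01svdeb01@MYDOM.AT
"""

# Constructed log line in the shape of the gse.c message quoted in the thread.
LOG_LINE = ("gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
            "Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab "
            "MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]")

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")
FAIL_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab \S+ \(([^)]+)\)")

def parse_keytab_list(text):
    """Return {(principal, enctype): kvno}; the header line has no numeric Vno and is skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(3), m.group(2))] = int(m.group(1))
    return entries

def parse_failure(line):
    """Extract (principal, kvno, enctype) that the client's service ticket required."""
    m = FAIL_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def diagnose(keytab_text, log_line):
    """List the reasons the required key is not served by the listed keytab."""
    wanted = parse_failure(log_line)
    if wanted is None:
        return ["log line not recognised"]
    principal, kvno, enctype = wanted
    entries = parse_keytab_list(keytab_text)
    if entries.get((principal, enctype)) == kvno:
        # File keytab is fine; smbd uses its own MEMORY: keytab, so look there.
        return ["exact match present in listed keytab; check the MEMORY keytab smbd built"]
    # Kerberos principals are case-sensitive, so compare case-folded to find near misses.
    near = {k: v for k, v in entries.items() if k[0].lower() == principal.lower() and k[1] == enctype}
    if not near:
        return [f"no entry for {principal} ({enctype}) in any case form"]
    findings = []
    for (p, _), v in sorted(near.items()):
        if p != principal:
            findings.append(f"case mismatch: keytab has {p}, ticket names {principal}")
        if v != kvno:
            findings.append(f"kvno mismatch for {p}: keytab kvno {v}, ticket kvno {kvno}")
    return findings
```

Run it against real `net ads keytab list` output and the offending log line; as Rowland notes later in the thread, a clean result on the file keytab means the mismatch lives in the in-memory keytab and a restart or rejoin is the next step.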
Rowland Penny
2021-Dec-30 18:34 UTC
[Samba] Domain admin can't access share on samba dm-server
On Wed, 2021-12-29 at 13:03 +0100, Stefan G. Weichinger via samba wrote:

> windows2019 server, logged in as domain admin
>
> accessing \\pre01svdeb01 fails, I see this in the samba logs:
>
> [2021/12/29 12:57:54.754005, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
> [2021/12/29 12:57:54.769715, 1] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]

OK, I went back to the start of this thread and reread it and we all missed it, everyone has been looking at the wrong keytab. The correct keytab is in MEMORY and I do not know of any way of reading that one.

I would restart the computer and see if this fixes the problem. If you have already tried this, leave the domain and then join it again, hopefully this should create a new keytab in memory.

Rowland
Stefan G. Weichinger
2022-Jan-11 07:24 UTC
[Samba] Domain admin can't access share on samba dm-server
On 30.12.21 at 19:34, Rowland Penny via samba wrote:

> On Wed, 2021-12-29 at 13:03 +0100, Stefan G. Weichinger via samba wrote:
>> windows2019 server, logged in as domain admin
>>
>> accessing \\pre01svdeb01 fails, I see this in the samba logs:
>>
>> [2021/12/29 12:57:54.754005, 1] ../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
>>   gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
>> [2021/12/29 12:57:54.769715, 1] ../../source3/librpc/crypto/gse.c:665(gse_get_server_auth_token)
>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/pre01svdeb01@mydom.AT(kvno 5) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
>
> OK, I went back to the start of this thread and reread it and we all missed it, everyone has been looking at the wrong keytab. The correct keytab is in MEMORY and I do not know of any way of reading that one.
>
> I would restart the computer and see if this fixes the problem. If you have already tried this, leave the domain and then join it again, hopefully this should create a new keytab in memory.

Only found your reply now (late), sorry.

Rebooting the windows server is possible in the evening, rebooting the file server has to wait until I am on site later this week.

You want me to (maybe) un/re-join the samba DM server, not the Windows server, right?