search for: gse_krb5

Hello, I have upgraded a client and a freeipa server from Fedora 24 to 25 recently. And I cannot access linux shares located on the F25 client from a windows desktop. I get these messages: [2016/12/01 11:42:19.218759, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab) ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed) [2016/12/01 11:42:19.218800, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab) ../source3/librpc/crypto/gse_krb5.c:627: Error! Unabl...

...raded a client and a freeipa server from Fedora 24 to 25 > > recently. And I cannot access linux shares located on the F25 client > > from a windows desktop. > > > > I get these messages: > > > > [2016/12/01 11:42:19.218759, 1] > > ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_ > from_dedicated_keytab) > > ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab > > failed (Key table name malformed) > > [2016/12/01 11:42:19.218800, 1] > > ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab) > >...

...> Hello, > > I have upgraded a client and a freeipa server from Fedora 24 to 25 > recently. And I cannot access linux shares located on the F25 client > from a windows desktop. > > I get these messages: > > [2016/12/01 11:42:19.218759, 1] > ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab) > ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab > failed (Key table name malformed) > [2016/12/01 11:42:19.218800, 1] > ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab) > ../source3/librpc/crypto/gse...

...dows 10 client joined in the same Active Directory domain with a valid user. When I try to access to \\fileserv from the Windows client I get these errors on the Samba server: ========== 8< ========== May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.181182, 1] ../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab) May 11 17:10:30 fileserv smbd[3634]: ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key table name malformed) May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.183815, 1] ../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_g...

...server from Fedora 24 to 25 >> > recently. And I cannot access linux shares located on the F25 client >> > from a windows desktop. >> > >> > I get these messages: >> > >> > [2016/12/01 11:42:19.218759, 1] >> > ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from >> _dedicated_keytab) >> > ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab >> > failed (Key table name malformed) >> > [2016/12/01 11:42:19.218800, 1] >> > ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_serv...

...rs. Please keep in mind that the wbinfo -u is working and returns correct results. It is just outrageously slow. Thank you again, Chris === A. log entries tha preceeded long waits === Opening connection to LDAP server '192.168.1.4:389', timeout 15 seconds Starting GENSEC submechanism gse_krb5 list_users MYDOMAIN wbint_QueryUserList: struct wbint_QueryUserList in: struct wbint_QueryUserList Opening connection to LDAP server '192.168.1.4:389', timeout 15 seconds Starting GENSEC submechanism gse_krb5 Opening connection to LDAP server '192.168.1.4:389', time...

On Wed, 1 Feb 2017 07:30:19 -0800 Chris Stankevitz <chrisstankevitz at gmail.com> wrote: > On Wed, Feb 1, 2017 at 1:12 AM, Rowland Penny via samba > <samba at lists.samba.org> wrote: > > He is also unlikely to be running avahi, he is using Freebsd 10.3 > > truss (like strace) showed that wbinfo, net, and sshd were all hanging > after system calls to getuid() and

...\<IP adress>, I can/must authenticate with administrator, normal domain users do not work anymore. When I hit \\<Servername>, nothing is working. There is only a message, I am not authorized to use the resource. Here your are a log of smbd: grep LOGON /var/log/samba/log.smbd SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE SPNEGO login failed: NT_STATUS_LOGON_FAILURE smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:131 smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] body[8] dyn[yes:1] at...

...s are Server 2012r2. Every 3-4 days, I see log messages from winbind saying "winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED". Sometimes this corresponds to a trust password change, but not always. Today, new connections to Samba were failing with the error "SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR" for an hour. I restored service by re-running "net rpc join" and restarting winbindd. I search bugzilla for any issues like this, and I looked at the release notes for versions newer than v4.4.4. I don't see anythin...

...t work anymore. When I hit \\<Servername>, nothing is >>> working. There is only a message, I am not authorized to use >>> the resource. >>> >>> >>> Here your are a log of smbd: >>> grep LOGON /var/log/samba/log.smbd >>> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE >>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE >>> smbd_smb2_request_error_ex: idx[1] >>> status[NT_STATUS_LOGON_FAILURE] || at >>> ../source3/smbd/smb2_sesssetup.c:131 >>> smbd_smb2_request_done...

On Sat, 12 Aug 2017 05:56:36 +1200 Andrew Bartlett via samba <samba at lists.samba.org> wrote: > On Fri, 2017-08-11 at 08:02 -0400, Ing. Luis Felipe Domínguez Vega via > samba wrote: > > gss_init_sec_context failed with [ The context has expired: Success] > > SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: > > NT_STATUS_INTERNAL_ERROR > > Can you please show me your smb.conf? > > I gse_krb5 shouldn't run on an AD DC, so I think the smb.conf is > somehow set up as a file server. > > Andrew Bartlett > Hi Andrew, He has already pos...

...enticate with administrator, normal domain users >do not work anymore. When I hit \\<Servername>, nothing is >working. There is only a message, I am not authorized to use >the resource. > > >Here your are a log of smbd: >grep LOGON /var/log/samba/log.smbd > SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE > SPNEGO login failed: NT_STATUS_LOGON_FAILURE > smbd_smb2_request_error_ex: idx[1] >status[NT_STATUS_LOGON_FAILURE] || at >../source3/smbd/smb2_sesssetup.c:131 > smbd_smb2_request_done_ex: idx[1] >status[NT_STATUS_LOGON_FAI...

...\\centos0000\homes?, Windows presents the error messages (after prompting for credentials): System error 86 has occurred. // The specified network password is not correct. Within /var/log/samba/10.0.0.1.log, the following items seem notable: [2019/06/1015:05:10.230921,? 2] ../source3/librpc/crypto/gse_krb5.c:196(fill_mem_keytab_from_secrets) ? ../source3/librpc/crypto/gse_krb5.c:196: failed to fetch machine password [2019/06/1015:05:10.230941,? 1] ../source3/librpc/crypto/gse_krb5.c:594(gse_krb5_get_server_keytab) ? ../source3/librpc/crypto/gse_krb5.c:594: Error! Unable to set mem keytab - -176532825...

...<Servername>, nothing is >>>> working. There is only a message, I am not authorized to use >>>> the resource. >>>> >>>> >>>> Here your are a log of smbd: >>>> grep LOGON /var/log/samba/log.smbd >>>> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE >>>> SPNEGO login failed: NT_STATUS_LOGON_FAILURE >>>> smbd_smb2_request_error_ex: idx[1] >>>> status[NT_STATUS_LOGON_FAILURE] || at >>>> ../source3/smbd/smb2_sesssetup.c:131 >>>>...

..._token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fs1.domain.local at DOMAIN.LOCAL(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] [2016/10/02 06:10:34.884404, 1] ../auth/gensec/spnego.c:541(ge nsec_spnego_parse_negTokenInit) SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE [2016/10/02 06:10:34.884433, 2] ../auth/gensec/spnego.c:716(ge nsec_spnego_server_negTokenTarg) SPNEGO login failed: NT_STATUS_LOGON_FAILURE [2016/10/02 06:13:07.177316, 2] ../source3/smbd/server.c:467(r emove_child_pid) Could not find child 240...

I have a server that runs stand-alone with an LDAP directory and a KDC . The linux machines have sssd to allow unified users etc. The clients are mostly MacOS and Windows machines that aren't part of an AD. This config has worked for 15 years, but after upgrading Debian and bringing in Samba Version 4.17.7-Debian it seems to be broken. I believe this is related to:

...ode was NT_STATUS_CONNECTION_DISCONNECTED (0xc000020c) error message was: The transport connection is now disconnected. Could not authenticate user [john] with Kerberos (ccache: FILE) The error in /usr/local/samba-4-4/var/log.wb-DOMAIN is: [2016/04/20 23:00:04.704273, 1] ../source3/librpc/crypto/gse_krb5.c:416(fill_mem_keytab_from_system_keytab) ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory) [2016/04/20 23:00:04.704321, 0] ../lib/util/fault.c:78(fault_report) =============================================================== [2016/04/20 23:00:04....

..._token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/fs1.domain.local at DOMAIN.LOCAL(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] [2016/10/02 06:10:34.884404, 1] ../auth/gensec/spnego.c:541( gensec_spnego_parse_negTokenInit) SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE [2016/10/02 06:10:34.884433, 2] ../auth/gensec/spnego.c:716( gensec_spnego_server_negTokenTarg) SPNEGO login failed: NT_STATUS_LOGON_FAILURE [2016/10/02 06:13:07.177316, 2] ../source3/smbd/server.c:467( remove_child_pid) Could not find child 240...

Hi, I've changed /etc/resolv.conf, rebooted, here is the output: cat /etc/resolv.conf domain rona.loc search rona.loc nameserver 192.168.19.2 ------ smbclient -L $(hostname -f) -UAdministrator%<password> -d5 INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5

...failed: NT_STATUS_LOGON_FAILURE ubuntu at kvm7246-vm022:~/samba$ (Logs from each smbclient attempt are at https://drive.google.com/open?id=1_355NuN1L9BW5JvtP9WG-dEGkaQqNT3Y) The logs seem to show that in the "localhost" cases, the final authentication step uses "GENSEC submechanism gse_krb5", while in the cases where the actual hostname is specified, the final authentication step uses "GENSEC submechanism ntlmssp". The Kerberos auth seems only to work if the authenticating user is in the local domain; if the user is in the other domain, it fails looking for a keytab ent...