similar to: Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab

Hai, I've re-read you thread, and there are a few things going-on.. I suggest you do the following.. Change these. /etc/krb5.conf [libdefaults] default_realm = DOM.CORP dns_lookup_kdc = true dns_lookup_realm = false forwardable = true proxiable = true kdc_timesync = 1 debug = false /etc/samba/smb.conf [Global] workgroup = WG1 realm = DOM.CORP # Netbios names in

samba-tool computer remove oldsamba Il giorno mar 5 nov 2019 alle ore 17:04 L.P.H. van Belle <belle at bazuin.nl> ha scritto: > Hai, > > Well that great you found it. > > Ah.. so you removed the entry from the DNS or ADDB? > Can you tell what you exactly did, that might help the next person with a > problem like this. > > And not many list messages today.. ;-)

Hai, Nope.. To much again ;-) This is one step to much: step2: # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP And why are you adding @REALM .. Do it exactly as shown below. Because

Luis, ok I'v removed everything, step 1: KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P klist -ke /etc/krb5.keytab2|grep 7|sort 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (arcfour-hmac) 7 cifs/FS-A at DOM.CORP (des-cbc-crc) 7 cifs/FS-A at DOM.CORP (des-cbc-md5) 7

Luis, my typos, I'v to mask the output sorry (compliance) # su - testuser $ smbclient --option='client min protocol=NT1' -U testuser //oldsamba/testuser -c 'ls' Unable to initialize messaging context Enter DOM\testuser's password: session setup failed: NT_STATUS_LOGON_FAILURE [2019/11/05 15:50:50.009481, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)

On 05/11/2019 12:17, banda bassotti via samba wrote: > Luis, ok I'v removed everything, step 1: > > KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P I have said this once already, but, I will try again ;-) You are creating a keytab, which may or may not be called /etc/krb5.keytab2 > step2: > # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD >

Hi Rowland, I refer again after a week, perhaps missing an important piece to the big picture: the error message appears ONLY when you access the share using the netbios alias: [Global] workgroup = WG1 realm = DOM.CORP netbios name = fs-a netbios aliases = oldsamba security = ADS if you access the \\fs-a\sharename is ok if you access \\oldsamba\sharename the logs report the

Rowland, it is not a problem of mount but of kerberso ticket: [2019/10/08 10:58:09.626059, 1] ../../auth/gensec/spnego.c:1218(gensec_spnego_server_negTokenInit_step) gensec_spnego_server_negTokenInit_step: gse_krb5: parsing NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE [2019/10/08 10:58:09.634532, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)

Hi, the problem seems to be related to this bug: https://bugzilla.samba.org/show_bug.cgi?id=6750 I try therefore to set machine password timeout = 0 Il giorno mar 29 ott 2019 alle ore 11:11 Rowland penny via samba < samba at lists.samba.org> ha scritto: > On 29/10/2019 10:04, banda bassotti wrote: > > I had already done it: > > > > # samba-tool spn list

Hai, > > Change this one. > > /etc/hosts > > 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong > > 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # > new/correct > > Or > > 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct > No, none of them are correct No, Rowland, your really wrong here. ( i dont say that often.. ) :-p But i give

Ok, Your keytab looks ok now. oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp. fs-a.dom.corp has address 10.0.0.2 i would have expected here. oldsamba.dom.corp is an alias for fs-a.dom.corp. fs-a.dom.corp has address 10.0.0.2 Or was that a typo? I assuming a typo.. About your setup from the script outpout. Change this one. /etc/hosts 10.0.0.2 fs-a.dom.corp fs-a oldsamba #

Ok, you did to much as far i can tell. You want to see this: i'll show my output, then i is better to see what i mean. this is where you start with. klist -ke |sort ( default member ) ---- -------------------------------------------------------------------------- 3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96) 3 host/HOSTNAME1 at REALM.DOMAIN.TLD

hello, today the following problem occurred: [2019/10/08 09: 57: 23.568282, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token) gss_accept_sec_context failed with [Miscellaneous failure (see text): Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab MEMORY: cifs_srv_keytab (arcfour-hmac-md5)] in my smb.conf I have the lines: kerberos method = dedicated keytab

In case you missed the link in the original email, here's the smb.conf: [global] kerberos method = secrets and keytab logging = systemd realm = TC83.LOCAL security = ADS template homedir = /home/%U@%D template shell = /bin/bash winbind offline logon = Yes winbind refresh tickets = Yes workgroup = TC83 idmap config * : range = 1000000-19999999 idmap config * : backend = autorid

For this to work Below shows a A on the old hostname, correct ? With the "netbios alias" used in samba. Setup like this : The new server.. hostname => DNS A IP => DNS PTR Netbios Alias => CNAME OLDSERVERNAME And try again. Remove the A/PTR of the old hostname also. Only a CNAME is sufficient.. Note, the new server MUST have A and PTR setup. optional, set dns

Here's the keytab info: ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1) 12 host/KVM7246-VM022 at TC83.LOCAL (etype 1) 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3) 12

Your config looks ok, as far i can tell. This : "cifs/kvm7246-vm022.maas.local at TC84.LOCAL" As it should spn/hostname.fqdn at REALM nothing wrong with that. But if i understand it right. Your server : kvm7246-vm022.maas.local is in REALM : TC83.LOCAL ( NTDOM:TC83 ) But you get TC84 back?. On the problem server run the following: dig a kvm7246-vm022.maas.local @IP_of_AD-DC

Hi, below the required files: smb.conf of ucs master: [global] logging = file max log size = 0 netbios name = ucs server role = active directory domain controller name resolve order = wins host bcast server string = Univention Corporate Server server services = -dns -smb +s3fs -nbt server role check:inhibit

The production will be updated as soon as possible, back to the kinit it seems to me that we are going around the problem :) I will do tests, in the next few days I will make up for it unless there are some hints. thanks. Il giorno mer 10 giu 2020 alle ore 20:46 Rowland penny via samba < samba at lists.samba.org> ha scritto: > On 10/06/2020 19:25, banda bassotti via samba wrote: >

Hello, I'v to migrate one file server (old samba 3) to a new file samba 4, I thought I could use the parameters netbios aliases = oldsamba but it doesn't work, trying to access the share, with the old names, the credentials popup appears and the log show: gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/oldsamba3 at lan.corp(kvno 107) in keytab