Re: [Samba] Samba 4.6.2 member server errors
- Date: Thu, 26 Oct 2017 10:11:30 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba 4.6.2 member server errors
On Thu, 26 Oct 2017 01:09:00 -0400 (EDT)
> On Mon, 23 Oct 2017, Rowland Penny via samba wrote:
> > Unless I missed it, you have never said what OS this is.
> Centos 7.4
> > You said this is the only Unix domain member exhibiting this
> > problem, so you could try the windows fix, wipe the OS and start
> > again ;-)
> > Provided you use the same smb.conf as on the other Unix domain
> > members, you should have no problems.
> > Just back everything up and leave the domain:
> > net ads leave -U Administrator
> OK, so I removed the machine from the domain, uninstalled all of the
> samba packages, cleaned up all of the tdb and ldb, etc. re-installed
> the samba packages and joined the domain.
> I am using the smb.conf I posted previously in this thread.
> That seems to have gotten rid of the original error and winbind now
> goes to sleep. However I now have a new error:
> ==> samba/172.30.0.114.log <==
> [2017/10/26 00:24:12.116588,
> 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
> gss_accept_sec_context failed with [Unspecified GSS failure. Minor
> code may provide more information: Request ticket server
> cifs/vfs1.kmg.mydomain.com@xxxxxxxxxxxxxxxx not found in keytab
> (ticket kvno 2)]
> The above is showing up in the various samba logs for the machines
> that connect to the server.
> Given that there is no keytab on the machine, this error does not
> make any sense to me. Is there supposed to be a keytab? I do not see
> anything about a keytab in
> that talks about a keytab.
> Does anyone know how to fix this? I am still looking but so far
> Google has not been helpful.
You do have a keytab, but it is in memory, which explains why you
cannot find it ;-)
However, you wouldn't normally have the cifs SPN in it, so you need to
create a keytab stored on the Unix domain member.
Add these lines to the smb.conf (if they aren't already there):
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
restart Samba, then run this command:
net ads keytab create -U Administrator
You can check what is the keytab with:
ktutil: rkt /etc/krb5.keytab
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 27 host/devstation.samdom.example.com@xxxxxxxxxxxxxxxxxx
2 27 host/DEVSTATION@xxxxxxxxxxxxxxxxxx
Press 'q' to exit.
To unsubscribe from this list go to the following URL and read the