[Samba] samba4 ticket server cifs/ not found in keytab




Example is sanitized as required.

The Samba host is a member of AD.INTERNALTWO.COM.

When accessing from a client that is a member of AD.INTERNALONE, it is appending @AD.INTERNALONE to the SPN request (??) and I get the error in smbd.<client ip>:

[2018/04/25 17:11:58.506095, 1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket kvno 3)]


I tried "ignore_acceptor_hostname = true" in krb5.conf, but it has no effect.


Workarounds:
- If I access the Samba host by IP address or as nas1dev.AD.INTERNALTWO.COM, it works.
- Access from a Linux host using the nas1dev.external.com name works.



Any suggestions?




smb.conf excerpt:
[global]
        workgroup = INTERNALTWO
        realm = AD.INTERNALTWO.COM
        netbios name = nas1dev-rhel7
        server string = nas1dev-rhel7
        security = ADS
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        winbind refresh tickets = yes
        log file = /var/log/samba/smbd.%m
        max log size = 500
        # "min protocol" appeared twice (SMB2, then NT1); smbd takes the last value, so only that one is kept
        min protocol = NT1
        lanman auth = No
        load printers = No
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        domain master = No
        winbind enum users = Yes
        #winbind use default domain = Yes
        winbind expand groups = 5
        #winbind normalize names = no
        idmap config * : range = 1000000-1999999
        idmap config * : backend = tdb
        idmap config INTERNALTWO : range = 1000000-1999999
        idmap config INTERNALTWO : backend = ads
        idmap config NAS1DEV-RHEL7 : range = 1000000-1999999
        idmap config NAS1DEV-RHEL7 : backend = tdb
        log level = 1 auth:3 smb:3 winbind:5
        ldapsam:trusted = yes
        restrict anonymous = 2
        create mask = 0770
        force create mode = 0770
        #obs #security mask = 0000
        #obs #force security mode = 0770
        directory mask = 2770
        force directory mode = 2770
        #obs #directory security mask = 0000
        #obs #force directory security mode = 2770
        hide special files = Yes
        hide unreadable = Yes
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/
        writeable = yes
        #ldap ssl = start tls
        #ldap ssl ads = yes
        wins server = 192.192.192.99


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
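The first thing to check for a "Request ticket server ... not found in keytab" failure is whether the keytab smbd reads (here /etc/krb5.keytab, per "dedicated keytab file") actually holds a key for the exact principal and kvno named in the error. The script below is an added example, not code from the poster or from the Samba project: it pulls service, host, realm and kvno out of the gse.c log line, parses the entry list of `klist -kte /etc/krb5.keytab`, and reports whether the SPN is absent, present under a different realm, present with a different kvno, or present with both matching. The smbd line reuses the SPN, realm and kvno from the post; the keytab contents are constructed for the example and are not the poster's keytab. Case-insensitive name matching and the wording of the hints are this example's own choices, not MIT krb5's matching rules.

```python
import re

# Constructed sample smbd log excerpt, shaped like the gse.c message in the post
# (SPN, realm and kvno are taken from the post; the line layout is assumed).
SMBD_LOG = """\
[2018/04/25 17:11:58.506095,  1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/nas1dev.external.com@AD.INTERNALONE not found in keytab (ticket kvno 3)]
"""

# Constructed sample of `klist -kte /etc/krb5.keytab` output. Every entry is
# made up for this example; it is not the poster's keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/20/2018 10:02:11 host/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM (aes256-cts-hmac-sha1-96)
   3 04/20/2018 10:02:11 cifs/nas1dev-rhel7.ad.internaltwo.com@AD.INTERNALTWO.COM (aes256-cts-hmac-sha1-96)
   2 03/01/2018 09:15:40 cifs/nas1dev.external.com@AD.INTERNALTWO.COM (aes256-cts-hmac-sha1-96)
   3 04/20/2018 10:02:11 NAS1DEV-RHEL7$@AD.INTERNALTWO.COM (aes256-cts-hmac-sha1-96)
"""

# The minor-status text MIT krb5 emits when no keytab key matches the ticket's server name/kvno.
GSE_RE = re.compile(
    r"Request ticket server (?P<service>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+) "
    r"not found in keytab \(ticket kvno (?P<kvno>\d+)\)"
)

# One `klist -kte` entry line: kvno, date, time, principal, (enctype).
KLIST_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+ \S+\s+(?P<name>[^@\s]+)@(?P<realm>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)

# Hypothetical next-step hints per verdict (this example's wording, not Samba documentation).
HINTS = {
    "no_such_spn": "No key for this SPN in the keytab: add it (e.g. `net ads keytab add cifs/<fqdn>`), then re-check with `klist -kte`.",
    "kvno_mismatch": "SPN and realm are present but the kvno differs: the keytab is stale relative to the ticket; refresh it and compare kvno again.",
    "realm_mismatch": "SPN is present only under another realm: the ticket was issued by a KDC of a realm that does not hold this host's keys.",
    "key_present": "A key for this exact principal and kvno exists: look at enctype, or check that smbd reads this keytab file.",
}


def parse_gse_error(log_text):
    """Return service, host, realm and ticket kvno from a gse.c failure line, or None."""
    m = GSE_RE.search(log_text)
    if not m:
        return None
    req = m.groupdict()
    req["kvno"] = int(req["kvno"])
    return req


def parse_klist(text):
    """Parse the entry lines of `klist -kte` output into dicts; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        service, _, host = name.partition("/")  # host is "" for plain account principals
        entries.append({
            "principal": f"{name}@{m.group('realm')}",
            "service": service,
            "host": host,
            "realm": m.group("realm"),
            "kvno": int(m.group("kvno")),
            "enctype": m.group("enctype"),
        })
    return entries


def diagnose(req, entries):
    """Compare the requested ticket server against keytab entries with the same service/host.

    Service and host are compared case-insensitively (assumption for a diagnostic:
    AD SPNs are case-insensitive, and a case-only difference is worth surfacing).
    """
    want = (req["service"].lower(), req["host"].lower())
    cands = [e for e in entries if (e["service"].lower(), e["host"].lower()) == want]
    if not cands:
        verdict = "no_such_spn"
    elif any(e["realm"] == req["realm"] and e["kvno"] == req["kvno"] for e in cands):
        verdict = "key_present"
    elif any(e["realm"] == req["realm"] for e in cands):
        verdict = "kvno_mismatch"
    else:
        verdict = "realm_mismatch"
    return {
        "requested": f"{req['service']}/{req['host']}@{req['realm']}",
        "ticket_kvno": req["kvno"],
        "candidates": cands,
        "verdict": verdict,
    }


def main():
    req = parse_gse_error(SMBD_LOG)
    result = diagnose(req, parse_klist(KLIST_OUTPUT))
    print(f"requested: {result['requested']} (ticket kvno {result['ticket_kvno']})")
    for e in result["candidates"]:
        print(f"  keytab:  {e['principal']} kvno {e['kvno']} ({e['enctype']})")
    print(f"verdict: {result['verdict']}")
    print(HINTS[result["verdict"]])
    return result


if __name__ == "__main__":
    main()
```

With the constructed keytab above, the verdict for the post's error line is `realm_mismatch`: the only cifs/nas1dev.external.com key is under AD.INTERNALTWO.COM (and with kvno 2), while the ticket names AD.INTERNALONE with kvno 3. On a real host, replace the two constants with the actual smbd log line and the output of `klist -kte /etc/krb5.keytab`.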