
[Samba] smb_krb5_open_keytab failed (Key table name malformed)




Hi.

I joined a fileserver system with Samba version 4.5.12-Debian (fileserv) to
an Active Directory domain managed by a Samba 4.6.7-Ubuntu installed on
another system, using "realm discover" and sssd.

The Samba fileserver is correctly joined to the domain and I can
correctly browse AD users:

root@fileserv:/# getent passwd my.user
my.user:*:1616401116:1616400513:Me:/home/domain.com/users/my.user:/bin/bash

The keytab file is correctly created:

root@fileserv:/# ls -l /etc/krb5.*
-rw-r--r-- 1 root root 2794 May 11 17:32 /etc/krb5.conf
-rw------- 1 root root 2208 May 11 16:18 /etc/krb5.keytab

The problem is that I cannot browse my Samba server from a Windows 10
client joined to the same Active Directory domain with a valid user.
When I try to access \\fileserv from the Windows client I get these
errors on the Samba server:

========== 8< ==========
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.181182,  1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]:
 ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.183815,  1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]:
 ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.184747,  1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]:   Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.189970,  1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]:
 ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.190017,  1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]:
 ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.190045,  1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]:   Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193404,  1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]:
 ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193442,  1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]:
 ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193528,  1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]:   Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196100,  1]
../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:30 fileserv smbd[3634]:   WARNING: The "syslog" option is
deprecated
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196142,  1]
../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:30 fileserv smbd[3634]:   WARNING: The "syslog only" option is
deprecated
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196463,  2]
../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:30 fileserv smbd[3634]:   Processing section "[users]"
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196656,  2]
../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:30 fileserv smbd[3634]:   Processing section "[homes]"
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.939713,  1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:30 fileserv smbd[3634]:   Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.941271,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:30 fileserv smbd[3634]:   connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.286683,  1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:31 fileserv smbd[3634]:   Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.288762,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:31 fileserv smbd[3634]:   connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.591901,  1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:31 fileserv smbd[3634]:   Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.593663,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:31 fileserv smbd[3634]:   connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595626,  0]
../source3/auth/auth_domain.c:184(domain_client_validate)
May 11 17:10:31 fileserv smbd[3634]:   domain_client_validate: Domain
password server not available.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595666,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
May 11 17:10:31 fileserv smbd[3634]:   check_ntlm_password:  Authentication
for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595697,  2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
May 11 17:10:31 fileserv smbd[3634]:   SPNEGO login failed:
NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.610553,  1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:31 fileserv smbd[3635]:
 ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.611895,  1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:31 fileserv smbd[3635]:
 ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.613109,  1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:31 fileserv smbd[3635]:   Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615785,  1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:31 fileserv smbd[3635]:
 ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615827,  1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:31 fileserv smbd[3635]:
 ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615855,  1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:31 fileserv smbd[3635]:   Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.619932,  1]
../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:31 fileserv smbd[3635]:   WARNING: The "syslog" option is
deprecated
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.619981,  1]
../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:31 fileserv smbd[3635]:   WARNING: The "syslog only" option is
deprecated
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.620318,  2]
../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:31 fileserv smbd[3635]:   Processing section "[users]"
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.620537,  2]
../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:31 fileserv smbd[3635]:   Processing section "[homes]"
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.312237,  1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]:   Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.313774,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]:   connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.661837,  1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]:   Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.663374,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]:   connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.972733,  1]
../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]:   Could not find machine account in
secrets database: Failed to fetch machine account password for DOMAIN from
both secrets.ldb (Could not find entry to match filter:
'(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: dsdb_search at
../source4/dsdb/common/util.c:4575) and from
/var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.974661,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]:   connect_to_domain_password_server:
unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM.
Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.976779,  0]
../source3/auth/auth_domain.c:184(domain_client_validate)
May 11 17:10:32 fileserv smbd[3635]:   domain_client_validate: Domain
password server not available.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.977536,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
May 11 17:10:32 fileserv smbd[3635]:   check_ntlm_password:  Authentication
for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.977575,  2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
May 11 17:10:32 fileserv smbd[3635]:   SPNEGO login failed:
NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.028424,  2]
../source3/smbd/reply.c:705(reply_special)
May 11 17:10:34 fileserv smbd[3637]:   netbios connect: name1=FILESERV
 0x20 name2=WIN10-TEST     0x0
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.030869,  2]
../source3/smbd/reply.c:746(reply_special)
May 11 17:10:34 fileserv smbd[3637]:   netbios connect: local=fileserv
remote=win10-test, name type = 0
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.036486,  1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:34 fileserv smbd[3637]:
 ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.037810,  1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:34 fileserv smbd[3637]:
 ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.039122,  1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:34 fileserv smbd[3637]:   Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041181,  1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:34 fileserv smbd[3637]:
 ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041236,  1]
../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:34 fileserv smbd[3637]:
 ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab -
-1765328205
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041264,  1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:34 fileserv smbd[3637]:   Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
========== 8< ==========

This is my Samba server configuration:

========== 8< ==========
#======================= Global Settings =======================
[global]
workgroup = DOMAIN
server string = File Server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
password server = server-z1.domain.com
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/krb5.keytab
kerberos method = dedicated keytab
security = ads
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/domain.com/users/%U
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
========== 8< ==========

Could you help me please?

Thank you very much!
Bye
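
Added example (not part of the original post, and not Samba code): a small triage script for a dump like the one above. It rejoins the mail-wrapped syslog lines, pairs each smbd debug header with its message, and collapses the retries into one row per (function, reason). The names `parse`, `summarize` and `SAMPLE`, and PID 1001, are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the shape of the log above (syslog lines wrapped by the mailer).
SAMPLE = """\
May 11 17:10:30 fileserv smbd[1001]: [2018/05/11 17:10:30.181182,  1]
../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[1001]:
 ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key
table name malformed)
May 11 17:10:30 fileserv smbd[1001]: [2018/05/11 17:10:30.184747,  1]
../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[1001]:   Failed to start GENSEC server mech
gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:31 fileserv smbd[1001]: [2018/05/11 17:10:31.595666,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
May 11 17:10:31 fileserv smbd[1001]:   check_ntlm_password:  Authentication
for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
"""

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ smbd\[(\d+)\]: ?(.*)$")
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+, +(\d+)\] +\S+\((\w+)\)")
REASON = re.compile(r"NT_STATUS_\w+|failed \(([^)]*)\)")

def parse(text):
    """Rejoin wrapped lines, then attach each message to its debug header, per PID."""
    logical = []
    for line in text.splitlines():
        if SYSLOG.match(line) or not logical:
            logical.append(line.rstrip())
        else:  # continuation of a wrapped line
            logical[-1] += " " + line.strip()
    records, current = [], {}
    for line in logical:
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, payload = int(m.group(1)), m.group(2).strip()
        h = HEADER.match(payload)
        if h:  # "[timestamp, level] file:line(function)" opens a new record
            current[pid] = {"pid": pid, "level": int(h.group(1)), "func": h.group(2), "msg": ""}
            records.append(current[pid])
        elif pid in current:
            current[pid]["msg"] = (current[pid]["msg"] + " " + payload).strip()
    return records

def summarize(records):
    """Count (function, reason) pairs; reason is an NT_STATUS code or a 'failed (...)' text."""
    hits = ((r["func"], REASON.search(r["msg"])) for r in records)
    return Counter((f, m.group(1) or m.group(0)) for f, m in hits if m)
```

Read in order of first appearance, the summary separates the Kerberos keytab failure from the NTLM fallback failures that follow it in each connection attempt.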