<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I'm not sure my problem is linked to this '<span class="gmail-im">dedicated keytab file' with FILE: before the path to keytab file.<br><br><span style="font-family:monospace,monospace"># smbclient -d3 -L \\10.0.21.200 -U smith<br>lp_load_ex: refreshing parameters<br>Initialising global parameters<br>rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)<br>Processing section "[global]"<br>lp_load_ex: changing to config backend registry<br>Initialising global parameters<br>rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)<br>lp_load_ex: refreshing parameters<br>Initialising global parameters<br>rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)<br>Processing section "[global]"<br>added interface eno1 ip=10.0.21.18 bcast=10.0.21.31 netmask=255.255.255.240<br>Client started (version 4.5.1).<br>Enter smith's password: <br>Connecting to 10.0.21.200 at port 445<br>Doing spnego session setup (blob length=74)<br>got OID=1.3.6.1.4.1.311.2.2.10<br>got principal=not_defined_in_RFC4178@please_ignore<br>GENSEC backend 'gssapi_spnego' registered<br>GENSEC backend 'gssapi_krb5' registered<br>GENSEC backend 'gssapi_krb5_sasl' registered<br>GENSEC backend 'spnego' registered<br>GENSEC backend 'schannel' registered<br>GENSEC backend 'naclrpc_as_system' registered<br>GENSEC backend 'sasl-EXTERNAL' registered<br>GENSEC backend 'ntlmssp' registered<br>GENSEC backend 'ntlmssp_resume_ccache' registered<br>GENSEC backend 'http_basic' registered<br>GENSEC backend 'http_ntlm' registered<br>Got challenge flags:<br>Got NTLMSSP neg_flags=0x628a8215<br>NTLMSSP: Set final flags:<br>Got NTLMSSP neg_flags=0x62088215<br>NTLMSSP Sign/Seal - Initialising with flags:<br>Got NTLMSSP neg_flags=0x62088215<br>SPNEGO login failed: Logon failure<br>session setup failed: NT_STATUS_LOGON_FAILURE</span><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 2, 2016 at 10:57 AM, Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On pe, 02 joulu 2016, Fujisan wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Alexander,<br>
<br>
I have now in my conf on server A and client B<br>
<br>
dedicated keytab file = /etc/samba/samba.keytab<br>
<br>
instead of<br>
<br>
dedicated keytab file = FILE:/etc/samba/samba.keytab<br>
<br>
<br>
But unfortunately, it did not solve the problem.<br>
</blockquote></span>
It did solve for me. The offending commit in Samba is c2f5c30b<br>
<br>
$ git tag --contains c2f5c30b|grep samba<br>
samba-4.5.0<br>
samba-4.5.0rc1<br>
samba-4.5.0rc2<br>
samba-4.5.0rc3<br>
samba-4.5.1<br>
<br>
It has following code:<br>
+krb5_error_code smb_krb5_open_keytab(krb5_cont<wbr>ext context,<br>
+ const char *keytab_name_req,<br>
+ bool write_access,<br>
+ krb5_keytab *keytab)<br>
+{<br>
+ if (keytab_name_req != NULL) {<br>
+ if (keytab_name_req[0] != '/') {<br>
+ return KRB5_KT_BADNAME;<br>
+ }<br>
+ }<br>
+<br>
+ return smb_krb5_open_keytab_relative(<wbr>context,<br>
+ keytab_name_req,<br>
+ write_access,<br>
+ keytab);<br>
+}<br>
<br>
It is the check for keytab_name_req[0] not starting from '/' what causes<br>
the break.<div class="HOEnZb"><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
<br>
On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>><br>
wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On to, 01 joulu 2016, Fujisan wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
I have upgraded a client and a freeipa server from Fedora 24 to 25<br>
recently.<br>
And I *cannot* access linux shares located on the F25 freeipa client from<br>
a<br>
windows desktop.<br>
But I can access linux shares located on the F25 freeipa server from that<br>
windows desktop.<br>
And I can access linux shares located on the F24 freeipa client from that<br>
windows desktop.<br>
<br>
To be clear, I have:<br>
A/ 1 F25 freeipa server<br>
B/ 1 F25 freeipa client<br>
C/ 1 F24 freeipa client<br>
D/ 1 windows desktop<br>
<br>
I can access linux shares of A from D.<br>
I can access linux shares of C from D.<br>
I *cannot* access linux shares of B from D.<br>
<br>
I get these messages on B in /var/log/samba/log.10.0.21.247 :<br>
<br>
[2016/12/01 11:42:19.218759, 1] ../source3/librpc/crypto/gse_<br>
krb5.c:534(fill_mem_keytab_fro<wbr>m_dedicated_keytab)<br>
../source3/librpc/crypto/gse_<wbr>krb5.c:534: smb_krb5_open_keytab failed<br>
(Key<br>
table name malformed)<br>
[2016/12/01 11:42:19.218800, 1] ../source3/librpc/crypto/gse_<br>
krb5.c:627(gse_krb5_get_server<wbr>_keytab)<br>
../source3/librpc/crypto/gse_<wbr>krb5.c:627: Error! Unable to set mem keytab<br>
- -1765328205<br>
[2016/12/01 11:42:19.218823, 1] ../auth/gensec/gensec_start.c:<br>
698(gensec_start_mech)<br>
Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR<br>
[2016/12/01 11:42:19.261611, 1] ../source3/librpc/crypto/gse_<br>
krb5.c:534(fill_mem_keytab_fro<wbr>m_dedicated_keytab)<br>
../source3/librpc/crypto/gse_<wbr>krb5.c:534: smb_krb5_open_keytab failed<br>
(Key<br>
table name malformed)<br>
[2016/12/01 11:42:19.261638, 1] ../source3/librpc/crypto/gse_<br>
krb5.c:627(gse_krb5_get_server<wbr>_keytab)<br>
../source3/librpc/crypto/gse_<wbr>krb5.c:627: Error! Unable to set mem keytab<br>
- -1765328205<br>
[2016/12/01 11:42:19.261653, 1] ../auth/gensec/gensec_start.c:<br>
698(gensec_start_mech)<br>
Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR<br>
[2016/12/01 11:42:19.263330, 2] ../source3/auth/auth.c:315(<br>
auth_check_ntlm_password)<br>
check_ntlm_password: Authentication for user [smith] -> [smith] FAILED<br>
with error NT_STATUS_NO_SUCH_USER<br>
[2016/12/01 11:42:19.263380, 2] ../auth/gensec/spnego.c:720(<br>
gensec_spnego_server_negTokenT<wbr>arg)<br>
SPNEGO login failed: NT_STATUS_NO_SUCH_USER<br>
[2016/12/01 11:42:19.270531, 1] ../source3/librpc/crypto/gse_<br>
krb5.c:534(fill_mem_keytab_fro<wbr>m_dedicated_keytab)<br>
../source3/librpc/crypto/gse_<wbr>krb5.c:534: smb_krb5_open_keytab failed<br>
(Key<br>
table name malformed)<br>
[2016/12/01 11:42:19.270562, 1] ../source3/librpc/crypto/gse_<br>
krb5.c:627(gse_krb5_get_server<wbr>_keytab)<br>
../source3/librpc/crypto/gse_<wbr>krb5.c:627: Error! Unable to set mem keytab<br>
- -1765328205<br>
[2016/12/01 11:42:19.270586, 1] ../auth/gensec/gensec_start.c:<br>
698(gensec_start_mech)<br>
Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR<br>
[2016/12/01 11:42:19.313479, 1] ../source3/librpc/crypto/gse_<br>
krb5.c:534(fill_mem_keytab_fro<wbr>m_dedicated_keytab)<br>
../source3/librpc/crypto/gse_<wbr>krb5.c:534: smb_krb5_open_keytab failed<br>
(Key<br>
table name malformed)<br>
[2016/12/01 11:42:19.313506, 1] ../source3/librpc/crypto/gse_<br>
krb5.c:627(gse_krb5_get_server<wbr>_keytab)<br>
../source3/librpc/crypto/gse_<wbr>krb5.c:627: Error! Unable to set mem keytab<br>
- -1765328205<br>
[2016/12/01 11:42:19.313523, 1] ../auth/gensec/gensec_start.c:<br>
698(gensec_start_mech)<br>
Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR<br>
[2016/12/01 11:42:19.315256, 2] ../source3/auth/auth.c:315(<br>
auth_check_ntlm_password)<br>
check_ntlm_password: Authentication for user [smith] -> [smith] FAILED<br>
with error NT_STATUS_NO_SUCH_USER<br>
[2016/12/01 11:42:19.315291, 2] ../auth/gensec/spnego.c:720(<br>
gensec_spnego_server_negTokenT<wbr>arg)<br>
SPNEGO login failed: NT_STATUS_NO_SUCH_USER<br>
<br>
Also from the F25 server, I have the following when I run smbclient<br>
<br>
f25server # smbclient -k -L f25desktop.mydomain<br>
lp_load_ex: changing to config backend registry<br>
session setup failed: NT_STATUS_LOGON_FAILURE<br>
<br>
But if i run it with a F24 desktop, it works:<br>
<br>
f25server # smbclient -k -L f24desktop.mydomain<br>
lp_load_ex: changing to config backend registry<br>
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.7]<br>
<br>
Sharename Type Comment<br>
--------- ---- -------<br>
IPC$ IPC IPC Service (Samba Server Version 4.4.7)<br>
data Disk /data on f24desktop<br>
data2 Disk /data2 on f24desktop<br>
data3 Disk /data3 on f24desktop<br>
backup Disk /backup on f24desktop<br>
[...]<br>
<br>
<br>
net conf list on the f25desktop gives:<br>
<br>
f25desktop # net conf list<br>
[global]<br>
workgroup = MYDOMAIN<br>
realm = MYDOMAIN<br>
netbios name = F25SERVER<br>
server string = Samba Server Version %v<br>
kerberos method = dedicated keytab<br>
dedicated keytab file = FILE:/etc/samba/samba.keytab<br>
<br>
</blockquote>
There seem to be a change in Samba 4.5.0 which uses 'dedicated keytab<br>
file' value as it is when constructing a memory keytab. As result,<br>
libkrb5 is confused and does not know which keytab processing routine to<br>
use (MEMORY:FILE:/etc/samba/samba.<wbr>keytab is invalid).<br>
<br>
You can replace the value by removing FILE: right now:<br>
<br>
net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab<br>
<br>
When no prefix is used, libkrb5 will default to FILE: itself.<br>
<br>
We are going to look at changing the Samba code to strip the prefix from<br>
the 'dedicated keytab file' when applying it to memory-based keytabs.<br>
<br>
--<br>
/ Alexander Bokovoy<br>
<br>
</blockquote></blockquote>
<br></div></div><span class="HOEnZb"><font color="#888888">
-- <br>
/ Alexander Bokovoy<br>
</font></span></blockquote></div><br></div>