Alexander,

I have now in my conf on server A and client B

    dedicated keytab file = /etc/samba/samba.keytab

instead of

    dedicated keytab file = FILE:/etc/samba/samba.keytab

But unfortunately, it did not solve the problem.

On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Thu, 01 Dec 2016, Fujisan wrote:
>
>> Hello,
>>
>> I have upgraded a client and a freeipa server from Fedora 24 to 25
>> recently.
>> And I *cannot* access linux shares located on the F25 freeipa client from
>> a windows desktop.
>> But I can access linux shares located on the F25 freeipa server from that
>> windows desktop.
>> And I can access linux shares located on the F24 freeipa client from that
>> windows desktop.
>>
>> To be clear, I have:
>> A/ 1 F25 freeipa server
>> B/ 1 F25 freeipa client
>> C/ 1 F24 freeipa client
>> D/ 1 windows desktop
>>
>> I can access linux shares of A from D.
>> I can access linux shares of C from D.
>> I *cannot* access linux shares of B from D.
>>
>> I get these messages on B in /var/log/samba/log.10.0.21.247 :
>>
>> [2016/12/01 11:42:19.218759, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>   ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>> [2016/12/01 11:42:19.218800, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>   ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>> [2016/12/01 11:42:19.218823, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>   Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.261611, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>   ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>> [2016/12/01 11:42:19.261638, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>   ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>> [2016/12/01 11:42:19.261653, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>   Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.263330, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>>   check_ntlm_password: Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.263380, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>>   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.270531, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>   ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>> [2016/12/01 11:42:19.270562, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>   ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>> [2016/12/01 11:42:19.270586, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>   Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.313479, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>   ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>> [2016/12/01 11:42:19.313506, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>   ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>> [2016/12/01 11:42:19.313523, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>   Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.315256, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>>   check_ntlm_password: Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.315291, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>>   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>>
>> Also from the F25 server, I have the following when I run smbclient
>>
>> f25server # smbclient -k -L f25desktop.mydomain
>> lp_load_ex: changing to config backend registry
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> But if I run it with a F24 desktop, it works:
>>
>> f25server # smbclient -k -L f24desktop.mydomain
>> lp_load_ex: changing to config backend registry
>> Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.7]
>>
>>     Sharename       Type      Comment
>>     ---------       ----      -------
>>     IPC$            IPC       IPC Service (Samba Server Version 4.4.7)
>>     data            Disk      /data on f24desktop
>>     data2           Disk      /data2 on f24desktop
>>     data3           Disk      /data3 on f24desktop
>>     backup          Disk      /backup on f24desktop
>> [...]
>>
>>
>> net conf list on the f25desktop gives:
>>
>> f25desktop # net conf list
>> [global]
>>     workgroup = MYDOMAIN
>>     realm = MYDOMAIN
>>     netbios name = F25SERVER
>>     server string = Samba Server Version %v
>>     kerberos method = dedicated keytab
>>     dedicated keytab file = FILE:/etc/samba/samba.keytab
>>
> There seems to be a change in Samba 4.5.0 which uses 'dedicated keytab
> file' value as it is when constructing a memory keytab. As a result,
> libkrb5 is confused and does not know which keytab processing routine to
> use (MEMORY:FILE:/etc/samba/samba.keytab is invalid).
>
> You can replace the value by removing FILE: right now:
>
> net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab
>
> When no prefix is used, libkrb5 will default to FILE: itself.
>
> We are going to look at changing the Samba code to strip the prefix from
> the 'dedicated keytab file' when applying it to memory-based keytabs.
>
> --
> / Alexander Bokovoy
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
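
The prefix check discussed in this thread, as an added example that is not part of the original messages and is not Samba or FreeIPA code: it reads `net conf list`-style text, flags a 'dedicated keytab file' value that carries a FILE: prefix, prints the `net conf setparm` command quoted above, and counts the matching log signature. The function names and the sample config and log text are constructed for illustration.

```bash
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Constructed sample of `net conf list` output, modelled on the thread.
sample_conf() {
cat <<'EOF'
[global]
    workgroup = MYDOMAIN
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
EOF
}

# Constructed smbd log excerpt carrying the failure message from the thread.
sample_log() {
cat <<'EOF'
[2016/12/01 11:42:19.218759, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.261611, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.263380, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
EOF
}

# Print the last 'dedicated keytab file' value found in config text on stdin.
keytab_value() {
    sed -n 's/^[[:space:]]*dedicated keytab file[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# If the value carries a FILE: prefix, print the fix command and return 0.
# Anything else returns 1; per the thread, libkrb5 resolves a bare path as FILE:.
suggest_fix() {
    case $1 in
        FILE:*) printf "net conf setparm global 'dedicated keytab file' '%s'\n" "${1#FILE:}" ;;
        *) return 1 ;;
    esac
}

# Count "Key table name malformed" failures in smbd log text on stdin.
count_malformed() {
    grep -c 'smb_krb5_open_keytab failed (Key table name malformed)' || true
}

value=$(sample_conf | keytab_value)
suggest_fix "$value" || echo "no FILE: prefix on '$value'; nothing to change"
echo "malformed-keytab log entries: $(sample_log | count_malformed)"
```

On a real host, pipe `net conf list` into `keytab_value` and the per-client file under /var/log/samba/ into `count_malformed` instead of the constructed samples.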