I have a laptop joined to domain AAA. I have two DFS namespace servers, which are also AD DCs running Windows Server 2012 R2. The NAS is a Synology server with CIFS enabled and domain-joined.

Servers:

  • dc1.domain1.local - ip 10.8.0.3
  • dc2.domain1.local - ip 10.8.0.27
  • nas1.domain1.local - ip 10.8.0.7
  • laptop.domain1.local - 10.91.0.2

The whole setup was working until recently (I don't know what happened: a kernel upgrade, or a Windows Update?).

/etc/sssd/sssd.conf

[sssd]
domains = domain1.local
config_file_version = 2
services = nss, pam

[domain/domain1.local]
ad_domain = domain1.local
krb5_realm = DOMAIN1.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
enumerate = True
id_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
krb5_lifetime = 1h
krb5_renewable_lifetime = 1d
krb5_renew_interval = 60s
ldap_id_mapping = True
krb5_store_password_if_offline = True

/etc/krb5.conf

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 clockskew = 300
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

/etc/request-key.d/cifs.spnego.conf

create  cifs.spnego    * * /usr/bin/cifs.upcall -t %k

I'm trying to mount the share using

mount -t cifs -o sec=krb5,user=$USER,cruid=$USER,uid=$USER //dc1.domain1.local/namespace1 /mnt/mp1

I can go to /mnt/mp1, but I can't access anything behind it, e.g. //dc1.domain1.local/namespace1/share1, which is on the Synology server (/mnt/mp1/share1).

Logs on laptop during mounting:

[   54.894236] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
[   55.036042] CIFS VFS: Autodisabling the use of server inode numbers on new server.
[   55.036046] CIFS VFS: The server doesn't seem to support them properly or the files might be on different servers (DFS).
[   55.036049] CIFS VFS: Hardlinks will not be recognized on this mount. Consider mounting with the "noserverino" option to silence this message.

When entering /mnt/mp1/share1 I got:

mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=DC1.domain.local;ip4=10.8.0.7;sec=krb5;uid=0x460c22f4;creduid=0x460c22f4;user=admin;pid=0x923
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: ver=2
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: host=DC1.domain1.local
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: ip=10.8.0.7
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: sec=1
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: uid=1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: creduid=1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: user=admin
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: pid=2339
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_cachename_from_process_env: pathname=/proc/2339/environ
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_cachename_from_process_env: cachename = KEYRING:persistent:1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_existing_cc: default ccache is KEYRING:persistent:1175200500:krb_ccache_s3dU4cx
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: handle_krb5_mech: getting service ticket for server.poznan.tbhydro.net
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: handle_krb5_mech: obtained service ticket
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: Exit status 0

Notice that it is asking for a ticket for a different host than the one the IP address resolves to (10.8.0.7 is host nas1.domain1.local).

And in the Samba logs on nas1.domain1.local:

../source3/lib/access.c:338: [2019/03/20 08:08:50.530826, all 3, pid=26839] allow_access
  Allowed connection from 10.91.0.2 (10.91.0.2)
../source3/smbd/oplock.c:1323: [2019/03/20 08:08:50.530929, locking 3, pid=26839] init_oplocks
  init_oplocks: initializing messages.
../source3/smbd/process.c:1975: [2019/03/20 08:08:50.530968, all 3, pid=26839] process_smb
  Transaction 0 of length 196 (0 toread)
../source3/smbd/smb2_negprot.c:281: [2019/03/20 08:08:50.531044, all 3, pid=26839] smbd_smb2_request_process_negprot
  Selected protocol SMB3_11
../source3/auth/auth_generic.c:246: [2019/03/20 08:08:50.531084, all 3, pid=26839] auth_generic_prepare
  make_auth_context_subsystem [NT_STATUS_OK]
../source3/auth/auth_generic.c:377: [2019/03/20 08:08:50.531400, all 3, pid=26839] auth_generic_prepare
  gensec_set_remote_address: [NT_STATUS_OK]
../source3/smbd/smb2_server.c:2687: [2019/03/20 08:08:50.558318, all 3, pid=26839] smbd_smb2_request_dispatch
  SMB2: cmd=SMB2_OP_NEGPROT [NT_STATUS_OK]
../source3/smbd/smb2_sesssetup.c:811: [2019/03/20 08:08:50.572723, all 3, pid=26839] smbd_smb2_session_setup_send
  in_session_id 0
../source3/auth/auth_generic.c:246: [2019/03/20 08:08:50.572850, all 3, pid=26839] auth_generic_prepare
  make_auth_context_subsystem [NT_STATUS_OK]
../source3/auth/auth_generic.c:377: [2019/03/20 08:08:50.572870, all 3, pid=26839] auth_generic_prepare
  gensec_set_remote_address: [NT_STATUS_OK]
../source3/smbd/smb2_sesssetup.c:866: [2019/03/20 08:08:50.572877, all 3, pid=26839] smbd_smb2_session_setup_send
  auth_generic_prepare [NT_STATUS_OK]
../source3/smbd/smb2_server.c:2687: [2019/03/20 08:08:50.572918, all 3, pid=26839] smbd_smb2_request_dispatch
  SMB2: cmd=SMB2_OP_SESSSETUP [NT_STATUS_OK]
../source3/librpc/crypto/gse.c:503: [2019/03/20 08:08:50.599304, all 1, pid=26839] gse_get_server_auth_token
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/dc1.domain1.local@DOMAIN1.LOCAL(kvno 76) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
../auth/gensec/spnego.c:544: [2019/03/20 08:08:50.599342, all 1, pid=26839] gensec_spnego_parse_negTokenInit
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
../auth/gensec/spnego.c:719: [2019/03/20 08:08:50.599360, all 2, pid=26839] gensec_spnego_server_negTokenTarg
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE
../auth/gensec/gensec.c:476: [2019/03/20 08:08:50.599370, all 3, pid=26839] gensec_update_async_trigger
  gensec_update [NT_STATUS_LOGON_FAILURE]
../source3/smbd/smb2_server.c:3111: [2019/03/20 08:08:50.599393, all 3, pid=26839] smbd_smb2_request_error_ex
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:136

Any idea where to look for an answer to this?

pszafer
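The two log excerpts in the question show the same thing from both ends: the cifs.upcall key description carries host=DC1.domain1.local (the namespace server named in the mount) together with ip4=10.8.0.7 (the NAS), and the NAS then reports that cifs/dc1.domain1.local@DOMAIN1.LOCAL is not in its keytab. The Python script below is an added example, not part of the original question or of any project mentioned in it. It parses constructed log lines in the two formats quoted above and flags (a) key descriptions whose SPN host does not own the address the client connected to and (b) keytab-lookup failures for principals the target server's keytab does not hold. The IP-to-host table is built from the question's server list and the NAS keytab contents are an assumption; when running this against real logs, replace them with the real DNS data and the output of `klist -k` on the server.

```python
"""Detect a DFS-referral SPN mismatch from cifs.upcall and Samba log lines.

Added example; log lines, address table and keytab set are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the formats quoted in the question (not real captures).
UPCALL_LOG: List[str] = [
    "mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: key description: "
    "cifs.spnego;0;0;39010000;ver=0x2;host=DC1.domain1.local;ip4=10.8.0.7;sec=krb5;"
    "uid=0x460c22f4;creduid=0x460c22f4;user=admin;pid=0x923",
    "mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: handle_krb5_mech: obtained service ticket",
]
SAMBA_LOG: List[str] = [
    "  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find "
    "cifs/dc1.domain1.local@DOMAIN1.LOCAL(kvno 76) in keytab MEMORY:cifs_srv_keytab "
    "(aes256-cts-hmac-sha1-96)]",
]

# Assumption: which host owns each address, taken from the question's server list.
IP_TO_HOST: Dict[str, str] = {
    "10.8.0.3": "dc1.domain1.local",
    "10.8.0.27": "dc2.domain1.local",
    "10.8.0.7": "nas1.domain1.local",
}

# Assumption: principals the NAS keytab holds, as `klist -k` would list them
# (a domain member normally has its own cifs/ SPN and machine account, nothing else).
NAS_KEYTAB: Set[str] = {"cifs/nas1.domain1.local@DOMAIN1.LOCAL", "NAS1$@DOMAIN1.LOCAL"}

# The ';'-separated key description that the kernel hands to cifs.upcall.
KEYDESC_RE = re.compile(r"key description: (?P<desc>cifs\.spnego;.*)$")
# Samba's gss_accept_sec_context failure: principal and key version the client used.
KEYTAB_ERR_RE = re.compile(r"Failed to find (?P<spn>\S+?)\(kvno (?P<kvno>\d+)\) in keytab")


def parse_key_description(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a cifs.spnego key description, or None."""
    m = KEYDESC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for part in m.group("desc").split(";"):
        if "=" in part:  # positional fields (type, uid, gid, perms) carry no '='
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def spn_mismatches(lines: List[str], ip_to_host: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(requested host, connected IP, IP owner) for every ticket request whose
    SPN host is not the host that owns the address being connected to."""
    found = []
    for line in lines:
        fields = parse_key_description(line)
        if not fields or "host" not in fields or "ip4" not in fields:
            continue
        owner = ip_to_host.get(fields["ip4"])
        if owner and owner.lower() != fields["host"].lower():
            found.append((fields["host"], fields["ip4"], owner))
    return found


def parse_keytab_error(line: str) -> Optional[Tuple[str, int]]:
    """Return (principal, kvno) from a Samba keytab-lookup failure, or None."""
    m = KEYTAB_ERR_RE.search(line)
    if not m:
        return None
    return m.group("spn"), int(m.group("kvno"))


def missing_principals(lines: List[str], keytab: Set[str]) -> List[Tuple[str, int]]:
    """Principals clients presented tickets for that the server keytab does not hold."""
    return [r for r in map(parse_keytab_error, lines) if r and r[0] not in keytab]


def report(upcall: List[str], samba: List[str], ip_to_host: Dict[str, str], keytab: Set[str]) -> List[str]:
    """Human-readable findings from both sides of the failed session setup."""
    findings = []
    for host, ip, owner in spn_mismatches(upcall, ip_to_host):
        findings.append(f"client requested cifs/{host} but connected to {ip} ({owner})")
    for spn, kvno in missing_principals(samba, keytab):
        findings.append(f"server keytab lacks {spn} (client presented kvno {kvno})")
    return findings


if __name__ == "__main__":
    for line in report(UPCALL_LOG, SAMBA_LOG, IP_TO_HOST, NAS_KEYTAB):
        print(line)
```

The two checks are deliberately independent: the client-side one only needs the key description and a trustworthy address table, so it works even when the server's logs are not available, while the server-side one tells you which principal (and key version) the clients are actually asking the target to prove possession of, which is what to compare against `klist -k` on that machine.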

1 Answer

The last time I got this error was on an Ubuntu 16.04.6 file server whose Samba packages were updated automatically in April to 4.3.11+dfsg-0ubuntu0.16.04.19. Win10 clients stopped authenticating with the server, with a similar error message (Failed to find cifs/nas.mydomain.local@MYDOMAIN.LOCAL(kvno x) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)) in the Samba server log. My setup has a lot in common with yours: one Server 2016 AD DC, an Ubuntu 16.04.6 Samba NAS, Windows clients. The difference in the error is that in my case my file server was listed, instead of the DC in your case. Solved by downgrading the Samba packages on the NAS to the previous version (4.3.11+dfsg-0ubuntu0.16.04.17).

It seems you should at least check the update log for the Samba components, first on the NAS and then on the laptop, and check whether downgrading them to the previous versions solves the problem.

kenga13