Re: Problem Accessing Samba share from Windows workstation via DNS Round Robin

Hi Simo,

It's OK, I've worked it out. You were spot on wrt the missing 'cifs' keytab entries. I kinda expected these to be added when creating the keytab, but I guess that's not the case. All the doco I had read revolved around keytab 'host' entries, so I couldn't see what was missing (probably just my ignorance! :)

I had to add them afterwards using: "net ads keytab add cifs -U <spn>" and this did the trick!

Is this a bug? The following link suggests it is a bug too? --> https://bugzilla.samba.org/show_bug.cgi?id=8004 

Anyway thank you very much for pointing me in the right direction!

Cheers,
Peter Tan
Technical Specialist
Enterprise Business Solutions Branch
IPSWICH CITY COUNCIL
PO Box 191 Ipswich Queensland 4305
T| 07 3810 7327
E:  ptan@xxxxxxxxxxxxxxxxxx 
W: www.ipswich.qld.gov.au


-----Original Message-----
From: Peter Tan 
Sent: Monday, 23 January 2012 11:21 AM
To: 'simo'
Cc: samba@xxxxxxxxxxxxxxx
Subject: RE:  Problem Accessing Samba share from Windows workstation via DNS Round Robin

Hi Simo,

Thanks again for your reply.

I'm not sure which keys are missing? Should there be an entry for "cifs"?

How do I add the missing key(s)?

Thanking you in advance.
Peter Tan


-----Original Message-----
From: simo [mailto:idra@xxxxxxxxx]
Sent: Monday, 23 January 2012 11:07 AM
To: Peter Tan
Cc: samba@xxxxxxxxxxxxxxx
Subject: Re:  Problem Accessing Samba share from Windows workstation via DNS Round Robin

On Mon, 2012-01-23 at 09:58 +1000, Peter Tan wrote: 
> Hi Simo,
> 
> Thanks for your email. (It is good to get some reassurances I am on 
> the right track...:)
> 
> "My preferred one is to join the cluster to the domain with the public name (clusterpub) in your case, and share the keytab between the 2 nodes. They are logically a single server and need to share the same credentials."
> 
> This is how I have set it up (as per samba ctdb wiki documentation) using "clusterpub" but it just refuses to let me map "\\clusterpub\share" on my windows client. I can hit the individual node's share using IP: \\10.101.4.16\share & \\10.101.4.17\share and these work fine (which is really working as per your option two).
> 
> As given before, incredibly I am able to successfully connect to \\clusterpub\share using smbclient from one of the linux nodes using my window domain login. I am confident winbind is working ok. 
> 
> It looks like Kerberos is having a problem. When trying to map from windows I get the following error in /var/log/messages (on the node that dns happens to send me to): "krb5_rd_req failed (Key table entry not found)".
> 
> # klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/clusterpub.mydomain.au@xxxxxxxxxxx (DES cbc mode with CRC-32)
>    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
>    2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with CRC-32)
>    2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 host/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
>    2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with CRC-32)
>    2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 CLUSTERPUB$@MYDOMAIN.AU (ArcFour with HMAC/md5)

I think you are missing keys for cifs/fqdn@REALM

Simo.


--
Simo Sorce
Samba Team GPL Compliance Officer <simo@xxxxxxxxx> Principal Software Engineer at Red Hat, Inc. <simo@xxxxxxxxxx>
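
The condition diagnosed in this thread (host/ keys present, cifs/ keys absent, so the server logs "Key table entry not found") can be checked from a `klist -ke` listing. The shell function below is an added example, not part of the original messages or of Samba; the function names, the default service list of host and cifs, and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which service principals are absent from a keytab
# listing (the text printed by `klist -ke`) for a given server name.

# Constructed sample listing modelled on the one quoted in the thread:
# host/ and machine-account keys only, no cifs/ keys.
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 host/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 CLUSTERPUB$@MYDOMAIN.AU (ArcFour with HMAC/md5)
EOF
}

# missing_spns FQDN REALM [SERVICE...]
# Reads a klist listing on stdin and prints one line for every
# SERVICE/name@REALM principal (FQDN and short-name forms) with no key.
# With no SERVICE arguments it checks host and cifs (assumed defaults).
missing_spns() {
    fqdn=$1
    realm=$2
    shift 2
    [ $# -gt 0 ] || set -- host cifs
    short=${fqdn%%.*}
    # Data rows start with a numeric KVNO; the principal is the second field.
    have=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    for svc in "$@"; do
        for name in "$fqdn" "$short"; do
            want="$svc/$name@$realm"
            # Exact whole-line match against the principals that have keys.
            printf '%s\n' "$have" | grep -qxF -- "$want" || printf '%s\n' "$want"
        done
    done
}

# Typical use on a cluster node:
#   klist -ke | missing_spns clusterpub.mydomain.au MYDOMAIN.AU
```

Running the same check on every node that shares the keytab shows whether each node DNS round robin can select holds the cifs/ keys.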





