Problem: No access on networkpaths and shares

scheinig · January 17, 2020, 10:48am

Problem:

Users have no access on networkpaths and shares.

Investigation:

Logfiles:
/var/log/samba/log.samba

GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find master$@SCHEIN.IG(kvno 5) in keytab FILE:/etc/krb5.keytab (arcfour-hmac-md5)

Now you have to check:

get the KeyversionNumber of the Server

univention-ldapsearch -LLLo ldif-wrap=no cn=master krb5KeyVersionNumber
dn: cn=master,cn=dc,cn=computers,dc=schein,dc=ig
krb5KeyVersionNumber: 5

Check the Keytab entries:

ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                            Date        Aliases
  1  des-cbc-crc              HOST/master@SCHEIN.IG               2020-01-16··
  1  des-cbc-crc              HOST/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  des-cbc-crc              MASTER$@SCHEIN.IG                   2020-01-16··
  1  des-cbc-md5              HOST/master@SCHEIN.IG               2020-01-16··
  1  des-cbc-crc              host/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  des-cbc-md5              MASTER$@SCHEIN.IG                   2020-01-16··
  1  arcfour-hmac-md5         HOST/master@SCHEIN.IG               2020-01-16··
  1  des-cbc-crc              ldap/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  arcfour-hmac-md5         MASTER$@SCHEIN.IG                   2020-01-16··
  1  aes128-cts-hmac-sha1-96  HOST/master@SCHEIN.IG               2020-01-16··
  1  des-cbc-md5              HOST/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  aes128-cts-hmac-sha1-96  MASTER$@SCHEIN.IG                   2020-01-16··
  1  des-cbc-md5              host/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  des-cbc-md5              ldap/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  aes256-cts-hmac-sha1-96  MASTER$@SCHEIN.IG                   2020-01-16··
  1  arcfour-hmac-md5         HOST/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  arcfour-hmac-md5         host/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  arcfour-hmac-md5         ldap/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  aes128-cts-hmac-sha1-96  HOST/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  aes128-cts-hmac-sha1-96  host/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  aes128-cts-hmac-sha1-96  ldap/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  aes256-cts-hmac-sha1-96  HOST/master@SCHEIN.IG               2020-01-16··
  1  aes256-cts-hmac-sha1-96  HOST/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  aes256-cts-hmac-sha1-96  host/master.schein.ig@SCHEIN.IG  2020-01-16··
  1  aes256-cts-hmac-sha1-96  ldap/master.schein.ig@SCHEIN.IG  2020-01-16··

Lokkup the samba database for the keyversionnumber

ldbsearch -H /var/lib/samba/private/secrets.ldb 'samAccountName=schein$' msDS-KeyVersionNumber | ldapsearch-wrapper
# record 1
dn: flatname=SCHEIN,cn=Primary Domains
msDS-KeyVersionNumber: 1

ldbsearch -H /var/lib/samba/private/sam.ldb 'samAccountName=master$' msDS-KeyVersionNumber | ldapsearch-wrapper
# record 1
dn: CN=MASTER,OU=Domain Controllers,DC=schein,DC=ig
msDS-KeyVersionNumber: 1

Solution

In this case the keyversionnumber in the ldap is different from the samba ldap. The easiest way to change this is using the server-password-change.