[Samba] Samba 4 krb5.keytab confusion

steve steve at steve-ss.com
Sun Jan 8 02:13:35 MST 2012


Hi
I have Samba 4 installed and working. I recently changed the FQDN to the DNS 
name hh3.hh3.site. It works OK and, e.g., on a Windows 7 box which has joined 
the domain, users can log on. But I have a mess in the keytab:

klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    2 HH3$@HH3.HH1.SITE
    2 HH3$@HH3.HH1.SITE
    2 HH3$@HH3.HH1.SITE
    2 host/HH3@HH3.HH1.SITE
    2 host/HH3@HH3.HH1.SITE
    2 host/HH3@HH3.HH1.SITE
    2 host/hh3.hh3.hh1.site@HH3.HH1.SITE
    2 host/hh3.hh3.hh1.site@HH3.HH1.SITE
    2 host/hh3.hh3.hh1.site@HH3.HH1.SITE
    2 host/HH3.HH3.HH1.SITE@HH3.HH1.SITE
    2 host/HH3.HH3.HH1.SITE@HH3.HH1.SITE
    2 host/HH3.HH3.HH1.SITE@HH3.HH1.SITE
    2 host/HH3.hh3.hh1.site@HH3.HH1.SITE
    2 host/HH3.hh3.hh1.site@HH3.HH1.SITE
    2 host/HH3.hh3.hh1.site@HH3.HH1.SITE
    2 host/hh3.HH3.HH1.SITE@HH3.HH1.SITE
    2 host/hh3.HH3.HH1.SITE@HH3.HH1.SITE
    2 host/hh3.HH3.HH1.SITE@HH3.HH1.SITE
    2 host/hh3@HH3.HH1.SITE
    2 host/hh3@HH3.HH1.SITE
    2 host/hh3@HH3.HH1.SITE
    2 cifs/hh3.hh3.hh1.site@HH3.HH1.SITE
    2 cifs/hh3.hh3.hh1.site@HH3.HH1.SITE
    2 cifs/hh3.hh3.hh1.site@HH3.HH1.SITE
    2 cifs/HH3.HH3.HH1.SITE@HH3.HH1.SITE
    2 cifs/HH3.HH3.HH1.SITE@HH3.HH1.SITE
    2 cifs/HH3.HH3.HH1.SITE@HH3.HH1.SITE
    2 cifs/HH3.hh3.hh1.site@HH3.HH1.SITE
    2 cifs/HH3.hh3.hh1.site@HH3.HH1.SITE
    2 cifs/HH3.hh3.hh1.site@HH3.HH1.SITE
    2 cifs/hh3.HH3.HH1.SITE@HH3.HH1.SITE
    2 cifs/hh3.HH3.HH1.SITE@HH3.HH1.SITE
    2 cifs/hh3.HH3.HH1.SITE@HH3.HH1.SITE
    2 HH3$@HH3.SITE
    2 HH3$@HH3.SITE
    2 HH3$@HH3.SITE
    2 host/HH3@HH3.SITE
    2 host/HH3@HH3.SITE
    2 host/HH3@HH3.SITE
    2 host/hh3.hh3.site@HH3.SITE
    2 host/hh3.hh3.site@HH3.SITE
    2 host/hh3.hh3.site@HH3.SITE
    2 host/HH3.HH3.SITE@HH3.SITE
    2 host/HH3.HH3.SITE@HH3.SITE
    2 host/HH3.HH3.SITE@HH3.SITE
    2 host/HH3.hh3.site@HH3.SITE
    2 host/HH3.hh3.site@HH3.SITE
    2 host/HH3.hh3.site@HH3.SITE
    2 host/hh3.HH3.SITE@HH3.SITE
    2 host/hh3.HH3.SITE@HH3.SITE
    2 host/hh3.HH3.SITE@HH3.SITE
    2 host/hh3@HH3.SITE
    2 host/hh3@HH3.SITE
    2 host/hh3@HH3.SITE
    2 cifs/hh3.hh3.site@HH3.SITE
    2 cifs/hh3.hh3.site@HH3.SITE
    2 cifs/hh3.hh3.site@HH3.SITE
    2 cifs/HH3.HH3.SITE@HH3.SITE
    2 cifs/HH3.HH3.SITE@HH3.SITE
    2 cifs/HH3.HH3.SITE@HH3.SITE
    2 cifs/HH3.hh3.site@HH3.SITE
    2 cifs/HH3.hh3.site@HH3.SITE
    2 cifs/HH3.hh3.site@HH3.SITE
    2 cifs/hh3.HH3.SITE@HH3.SITE
    2 cifs/hh3.HH3.SITE@HH3.SITE
    2 cifs/hh3.HH3.SITE@HH3.SITE
    1 steve4@HH3.SITE
    1 steve4@HH3.SITE
    1 steve4@HH3.SITE
    2 steve5@HH3.SITE
    2 steve5@HH3.SITE
    2 steve5@HH3.SITE
    1 lynn2@HH3.SITE
    1 lynn2@HH3.SITE
    1 lynn2@HH3.SITE

This all seems OK:

Kerberos: TGS-REQ steve-pc$@HH3.SITE from ipv4:192.168.1.2:46585 for STEVE-PC$@HH3.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-08T09:35:01 starttime: 2012-01-08T09:35:16 endtime: 2012-01-08T19:35:01 renew till: 2012-01-15T09:35:01

Kerberos: TGS-REQ steve4@HH3.SITE from ipv4:192.168.1.2:46577 for host/steve-pc.hh3.site@HH3.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-08T09:35:06 starttime: 2012-01-08T09:35:06 endtime: 2012-01-08T19:35:06 renew till: 2012-01-15T09:35:06

Got user=[] domain=[] workstation=[STEVE-PC] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[STEVE-PC]
auth_check_password_send: mapped user is: [CACTUS]\[]@[STEVE-PC]


But I also get this:

Kerberos: TGS-REQ steve-pc$@HH3.SITE from ipv4:192.168.1.2:46588 for steve-pc$\@HH3.SITE@HH3.SITE [canonicalize, request-anonymous, renewable, forwardable]
Kerberos: Bad request for constrained delegation
Kerberos: constrained delegation from steve-pc$@HH3.SITE (steve-pc$@HH3.SITE) as steve-pc$@HH3.SITE to steve-pc$\@HH3.SITE@HH3.SITE not allowed
Kerberos: Failed building TGS-REP to ipv4:192.168.1.2:46588

Which I think is due to the keytab.

smb.conf contains:

[global]
     server role = domain controller
     workgroup = CACTUS
     realm = hh3.site
     netbios name = HH3
     passdb backend = samba4
     template shell = /bin/bash

So, 2 very newbie questions:

1. Is there any way I can tidy up the keytab, to see if that removes the error?
2. In the above example, steve-pc is a Windows 7 client which is joined 
to the domain called CACTUS. Why doesn't steve-pc$ appear in the keytab 
listing?

Thanks
Steve.
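Before touching a domain controller's keytab it helps to know exactly what is in it. The listing above mixes two realms (HH3.HH1.SITE, presumably left from the earlier FQDN, and HH3.SITE, the realm in smb.conf), several spellings of the same host name, and three lines per principal (`klist -k` without `-e` hides the encryption type, so one key per enctype shows up as a repeat). The script below is an added example, not part of the original post or of Samba: it parses `klist -k` output (undoing the " at " munging that list archives apply to "@"), reads the realm from an smb.conf fragment, and reports stale-realm principals, case variants and per-principal entry counts. The sample input is a constructed, cut-down copy of the listing; the `ktutil_remove_commands` helper emits Heimdal ktutil syntax (the Kerberos Samba 4 is built against), which is an assumption about which `ktutil` is on the path.

```python
"""Audit a `klist -k` listing for stale-realm and case-variant entries.

Added example (not from the Samba mailing-list post above). The input below is
a constructed subset of the listing in the post; the realm comes from an
smb.conf fragment like the one in the post ("realm = hh3.site").
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: a cut-down copy of the klist -k output shown in the post.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HH3$@HH3.HH1.SITE
   2 HH3$@HH3.HH1.SITE
   2 HH3$@HH3.HH1.SITE
   2 host/HH3 at HH3.HH1.SITE
   2 host/hh3.hh3.hh1.site at HH3.HH1.SITE
   2 HH3$@HH3.SITE
   2 HH3$@HH3.SITE
   2 HH3$@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 host/HH3.HH3.SITE@HH3.SITE
   2 host/HH3.hh3.site@HH3.SITE
   2 cifs/hh3.hh3.site@HH3.SITE
   1 steve4@HH3.SITE
   1 steve4@HH3.SITE
   1 steve4@HH3.SITE
"""

# Constructed smb.conf fragment mirroring the [global] section in the post.
SAMPLE_SMB_CONF = """\
[global]
     server role = domain controller
     workgroup = CACTUS
     realm = hh3.site
     netbios name = HH3
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")
REALM_RE = re.compile(r"^\s*realm\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def realm_from_smb_conf(text):
    """Return the 'realm =' value upper-cased (Kerberos realms are upper-case)."""
    m = REALM_RE.search(text)
    if not m:
        raise ValueError("no 'realm =' line in smb.conf")
    return m.group(1).upper()


def parse_klist(text):
    """Return [(kvno, principal), ...] for every entry line of `klist -k` output.

    Mailman-style archives render '@' as ' at '; undo that so principals parse.
    """
    entries = []
    for line in text.splitlines():
        line = line.replace(" at ", "@")
        m = ENTRY_RE.match(line)
        if not m:
            continue  # 'Keytab name:', the KVNO header or the dashed separator
        principal = m.group(2)
        if "@" not in principal:
            continue
        entries.append((int(m.group(1)), principal))
    return entries


def audit_keytab(entries, realm):
    """Classify entries against the configured realm.

    stale_realm   -> sorted principals whose realm differs from `realm`
    case_variants -> {lower-cased name: sorted spellings} for names spelled
                     more than one way within the configured realm
    counts        -> {principal: number of entries} (one per enctype is normal)
    """
    realm = realm.upper()
    counts = defaultdict(int)
    spellings = defaultdict(set)
    stale = set()
    for _kvno, principal in entries:
        counts[principal] += 1
        name, prealm = principal.rsplit("@", 1)
        if prealm.upper() != realm:
            stale.add(principal)
            continue
        spellings[name.lower()].add(name)
    variants = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return {"stale_realm": sorted(stale),
            "case_variants": variants,
            "counts": dict(counts)}


def ktutil_remove_commands(stale, keytab="/etc/krb5.keytab"):
    """Heimdal ktutil removal lines for review (assumed syntax; MIT's ktutil
    is interactive and differs). Removes every kvno/enctype of the principal."""
    return ["ktutil -k %s remove -p %s" % (shlex.quote(keytab), shlex.quote(p))
            for p in stale]


if __name__ == "__main__":
    realm = realm_from_smb_conf(SAMPLE_SMB_CONF)
    report = audit_keytab(parse_klist(SAMPLE_KLIST), realm)
    print("configured realm:", realm)
    print("stale-realm principals:", report["stale_realm"])
    print("case variants:", report["case_variants"])
    for cmd in ktutil_remove_commands(report["stale_realm"]):
        print(cmd)
```

The script only reports; it does not edit the file. Back the keytab up (it holds the DC's own long-term keys, so keep it and any copy root-owned and mode 0600) and re-run `klist -k` after each removal. Leave the HH3.SITE entries alone even though they look redundant: they are the same key in different enctypes and case variants that clients may request. Note also that a keytab only holds keys for principals this host serves; a member workstation's account such as steve-pc$ lives in the domain database, not in the DC's keytab, so its absence from the listing is expected.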
