[Samba] Samba 4 krb5.keytab confusion
steve
steve at steve-ss.com
Sun Jan 8 02:13:35 MST 2012
Hi
I have Samba 4 installed and working. I recently changed FQDN to dns
name hh3.hh3.site. It works OK and e.g. on a windows 7 box which joined
the domain, users can logon. But I have a mess in the keytab:
klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 HH3$@HH3.HH1.SITE
2 HH3$@HH3.HH1.SITE
2 HH3$@HH3.HH1.SITE
2 host/HH3 at HH3.HH1.SITE
2 host/HH3 at HH3.HH1.SITE
2 host/HH3 at HH3.HH1.SITE
2 host/hh3.hh3.hh1.site at HH3.HH1.SITE
2 host/hh3.hh3.hh1.site at HH3.HH1.SITE
2 host/hh3.hh3.hh1.site at HH3.HH1.SITE
2 host/HH3.HH3.HH1.SITE at HH3.HH1.SITE
2 host/HH3.HH3.HH1.SITE at HH3.HH1.SITE
2 host/HH3.HH3.HH1.SITE at HH3.HH1.SITE
2 host/HH3.hh3.hh1.site at HH3.HH1.SITE
2 host/HH3.hh3.hh1.site at HH3.HH1.SITE
2 host/HH3.hh3.hh1.site at HH3.HH1.SITE
2 host/hh3.HH3.HH1.SITE at HH3.HH1.SITE
2 host/hh3.HH3.HH1.SITE at HH3.HH1.SITE
2 host/hh3.HH3.HH1.SITE at HH3.HH1.SITE
2 host/hh3 at HH3.HH1.SITE
2 host/hh3 at HH3.HH1.SITE
2 host/hh3 at HH3.HH1.SITE
2 cifs/hh3.hh3.hh1.site at HH3.HH1.SITE
2 cifs/hh3.hh3.hh1.site at HH3.HH1.SITE
2 cifs/hh3.hh3.hh1.site at HH3.HH1.SITE
2 cifs/HH3.HH3.HH1.SITE at HH3.HH1.SITE
2 cifs/HH3.HH3.HH1.SITE at HH3.HH1.SITE
2 cifs/HH3.HH3.HH1.SITE at HH3.HH1.SITE
2 cifs/HH3.hh3.hh1.site at HH3.HH1.SITE
2 cifs/HH3.hh3.hh1.site at HH3.HH1.SITE
2 cifs/HH3.hh3.hh1.site at HH3.HH1.SITE
2 cifs/hh3.HH3.HH1.SITE at HH3.HH1.SITE
2 cifs/hh3.HH3.HH1.SITE at HH3.HH1.SITE
2 cifs/hh3.HH3.HH1.SITE at HH3.HH1.SITE
2 HH3$@HH3.SITE
2 HH3$@HH3.SITE
2 HH3$@HH3.SITE
2 host/HH3 at HH3.SITE
2 host/HH3 at HH3.SITE
2 host/HH3 at HH3.SITE
2 host/hh3.hh3.site at HH3.SITE
2 host/hh3.hh3.site at HH3.SITE
2 host/hh3.hh3.site at HH3.SITE
2 host/HH3.HH3.SITE at HH3.SITE
2 host/HH3.HH3.SITE at HH3.SITE
2 host/HH3.HH3.SITE at HH3.SITE
2 host/HH3.hh3.site at HH3.SITE
2 host/HH3.hh3.site at HH3.SITE
2 host/HH3.hh3.site at HH3.SITE
2 host/hh3.HH3.SITE at HH3.SITE
2 host/hh3.HH3.SITE at HH3.SITE
2 host/hh3.HH3.SITE at HH3.SITE
2 host/hh3 at HH3.SITE
2 host/hh3 at HH3.SITE
2 host/hh3 at HH3.SITE
2 cifs/hh3.hh3.site at HH3.SITE
2 cifs/hh3.hh3.site at HH3.SITE
2 cifs/hh3.hh3.site at HH3.SITE
2 cifs/HH3.HH3.SITE at HH3.SITE
2 cifs/HH3.HH3.SITE at HH3.SITE
2 cifs/HH3.HH3.SITE at HH3.SITE
2 cifs/HH3.hh3.site at HH3.SITE
2 cifs/HH3.hh3.site at HH3.SITE
2 cifs/HH3.hh3.site at HH3.SITE
2 cifs/hh3.HH3.SITE at HH3.SITE
2 cifs/hh3.HH3.SITE at HH3.SITE
2 cifs/hh3.HH3.SITE at HH3.SITE
1 steve4 at HH3.SITE
1 steve4 at HH3.SITE
1 steve4 at HH3.SITE
2 steve5 at HH3.SITE
2 steve5 at HH3.SITE
2 steve5 at HH3.SITE
1 lynn2 at HH3.SITE
1 lynn2 at HH3.SITE
1 lynn2 at HH3.SITE
This all seems OK:
Kerberos: TGS-REQ steve-pc$@HH3.SITE from ipv4:192.168.1.2:46585 for
STEVE-PC$@HH3.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-08T09:35:01 starttime:
2012-01-08T09:35:16 endtime: 2012-01-08T19:35:01 renew till:
2012-01-15T09:35:01
Kerberos: TGS-REQ steve4 at HH3.SITE from ipv4:192.168.1.2:46577 for
host/steve-pc.hh3.site at HH3.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-01-08T09:35:06 starttime:
2012-01-08T09:35:06 endtime: 2012-01-08T19:35:06 renew till:
2012-01-15T09:35:06
Got user=[] domain=[] workstation=[STEVE-PC] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user
[]\[]@[STEVE-PC]
auth_check_password_send: mapped user is: [CACTUS]\[]@[STEVE-PC]
But I also get this:
Kerberos: TGS-REQ steve-pc$@HH3.SITE from ipv4:192.168.1.2:46588 for
steve-pc$\@HH3.SITE at HH3.SITE [canonicalize, request-anonymous,
renewable, forwardable]
Kerberos: Bad request for constrained delegation
Kerberos: constrained delegation from steve-pc$@HH3.SITE
(steve-pc$@HH3.SITE) as steve-pc$@HH3.SITE to
steve-pc$\@HH3.SITE at HH3.SITE not allowed
Kerberos: Failed building TGS-REP to ipv4:192.168.1.2:46588
Which I think is due to the keytab
smb.conf contains:
[global]
server role = domain controller
workgroup = CACTUS
realm = hh3.site
netbios name = HH3
passdb backend = samba4
template shell = /bin/bash
So, 2 very newbie questions:
1. Is there anyway I can tidy up the keytab to see if removes that error?
2. In the above example, steve-pc is a windows 7 client which is joined
to the domain called CACTUS. Why doesn't steve-pc$ appear in the keytab
listing?
Thanks
Steve.
More information about the samba
mailing list