[Samba] Problem with keytab: "Client not found in Kerberos database"
Rowland Penny
rpenny at samba.org
Tue Dec 20 10:45:23 UTC 2016
On Tue, 20 Dec 2016 10:13:14 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:
> L.P.H. van Belle wrote:
>
> > check resolv.conf
>
> Points to two nearby instances of pdns recursor, which in turn
> forward domains "ad.example.net" and "5.168.192.in-addr.arpa" to the
> Samba servers.
Can I suggest you stop doing this and point your domain member at the DC
only.
>
> Rowland Penny wrote:
>
> > No, start by using the correct thing for '*':
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-9999999
>
> I wasn't aware that the default *had* to be tdb; the manpage at
> https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html
> gives examples which don't use tdb at all, e.g.
>
> [global]
> security = ads
> workgroup = CUSTOMER
> realm = CUSTOMER.COM
>
> idmap config * : backend = autorid
> idmap config * : range = 1000000-1999999
>
>
> Is it really wrong to use autorid for this?
Best practice is to use 'tdb'; there is no need to actually know the
IDs for any of the '*' domain users & groups. 'tdb' is known to work.
>
> Anyway: I have followed your advice, switched to tdb, left and
> rejoined domain, and regenerated the keytab. The problem is still
> there.
When you join the domain with 'kerberos method = secrets and keytab',
you should get a keytab created without having to manually create it.
>
> While doing this I found one stupid problem which was visible in my
> original post:
>
> imdap config AD : backend = rid
>
>
> Arrgh!!! (I noticed this because getent passwd 'AD\brian' started
> returning a tdb-assigned ID 1000000 instead of the RID-based ID)
>
> But after fixing that (and net cache flush and restarting winbind),
> still no joy:
How did you 'fix' this? On face value, there is nothing wrong with that
line.
Rowland
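An added lint script, not from this thread and not part of Samba, that checks the idmap settings the thread argues about: 'tdb' as the backend for '*', non-overlapping ranges, a misspelled 'idmap config' key (such as the 'imdap' line above, which testparm and smbd report as an unknown parameter and then ignore), and 'kerberos method = secrets and keytab' so the join writes the keytab. The two smb.conf samples it writes are constructed for the example; the workgroup AD and realm AD.EXAMPLE.NET come from the thread, the function names are my own.

```shell
#!/bin/sh
# Added example: lint the idmap lines of a Samba domain member smb.conf.
# Usage: check_idmap /etc/samba/smb.conf
# Prints one line per problem found; exit status 1 if anything was found.
check_idmap() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                       # comment lines
    {
        line = trim($0)
        n = index(line, "=")
        if (line == "" || n == 0) next           # blank lines, [section] headers
        key = trim(substr(line, 1, n - 1)); val = trim(substr(line, n + 1))
        lkey = tolower(key)
        if (lkey ~ /^idmap config /) {           # "idmap config DOM : param = value"
            rest = substr(key, 14); c = index(rest, ":")
            if (c == 0) { printf("line %d: malformed idmap line\n", NR); bad++; next }
            dom = trim(substr(rest, 1, c - 1)); param = tolower(trim(substr(rest, c + 1)))
            doms[dom] = 1
            if (param == "backend") backend[dom] = val
            else if (param == "range") range[dom] = val
            next
        }
        # Looks like an idmap line but the keyword is misspelled: Samba ignores it.
        if (lkey ~ /config [^:]+:[ \t]*(backend|range)$/) {
            printf("line %d: \"%s\" is not a known parameter (typo for \"idmap config\"?)\n", NR, key)
            bad++; next
        }
        if (lkey == "kerberos method") kmethod = val
    }
    END {
        if (!("*" in doms)) { print "no \"idmap config *\" entries"; bad++ }
        else if (backend["*"] != "tdb") {
            printf("idmap config * : backend = %s (tdb is the recommended default)\n", backend["*"]); bad++
        }
        for (d in doms) {
            if (!(d in backend)) { printf("%s: no backend configured\n", d); bad++ }
            if (!(d in range)) { printf("%s: no range configured\n", d); bad++; continue }
            split(range[d], r, "-"); lo[d] = r[1] + 0; hi[d] = r[2] + 0
            if (lo[d] >= hi[d]) { printf("%s: bad range \"%s\"\n", d, range[d]); bad++ }
        }
        for (a in lo) for (b in lo)                # each pair once (a < b as strings)
            if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
                printf("ranges of %s (%s) and %s (%s) overlap\n", a, range[a], b, range[b]); bad++
            }
        if (kmethod != "secrets and keytab") {
            printf("kerberos method = \"%s\" (use \"secrets and keytab\" so the join writes the keytab)\n", kmethod)
            bad++
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the layout the thread recommends. Passes the lint.
write_good_conf() {
    cat > "$1" <<'EOF'
[global]
   security = ads
   workgroup = AD
   realm = AD.EXAMPLE.NET
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 1000000-9999999
   idmap config AD : backend = rid
   idmap config AD : range = 10000-999999
EOF
}

# Constructed sample: the "imdap" typo, an AD range inside the '*' range,
# and no "kerberos method". Fails the lint.
write_bad_conf() {
    cat > "$1" <<'EOF'
[global]
   security = ads
   workgroup = AD
   realm = AD.EXAMPLE.NET
   idmap config * : backend = tdb
   idmap config * : range = 1000000-9999999
   imdap config AD : backend = rid
   idmap config AD : range = 5000000-6000000
EOF
}

# Lint the constructed bad sample and return its status.
demo() {
    f=$(mktemp); write_bad_conf "$f"; check_idmap "$f"; rc=$?; rm -f "$f"; return $rc
}

# Stand-alone usage: lint the file named on the command line, otherwise the
# constructed bad sample (whose problems give status 1, hence the "|| :").
if [ $# -gt 0 ]; then check_idmap "$1"; else demo; fi || :
```

Run it against the real /etc/samba/smb.conf after every edit; it is a cheap way to catch a typo that getent or wbinfo would otherwise reveal only indirectly, as the tdb-assigned ID in the thread did. It does not replace testparm, which also validates the rest of the file.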