samba4 keytab management

srikumar108 at srikumar108 at
Sat Sep 4 17:28:05 MDT 2010


Thanks for your response.

>> I looked at the ssh user through ADUC, and the ssh a/c is not locked
>> or expired.
> Yeah, but we need to be sure that you can get a ticket; runas /user:DOMAIN\user cmd is also an option in Windows.
>> After getting a new keytab and trying to kinit, I am getting the message:
>> kinit: KDC has no support for encryption type while getting initial credentials
>> From samba.log:
>> Kerberos: No client key matching pa-data (aes256-cts-hmac-sha1-96) -- ssh at MYNET.COM
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Well, that's obvious: you do not have an AES key for the user, which can be quite logical.
> Did you change the forest/domain level of your samba4? If not, did you specify any level information on provision?

I am now running samba with a fresh provision. The provision command was:

provision --domain=NYCCNET         --host-name=laxmi --host-ip= \
        --adminpass=Adhikar1 --server-role=dc

> It could be worth digging into this problem, but in the short term I suggest setting this in your /etc/krb5.conf:
>
> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
>
> in the [libdefaults] section


OK, I tried that:

# kinit -k -t imap.keytab imap
kinit: Key table entry not found while getting initial credentials
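
A way to narrow down the "Key table entry not found" error above, as an added example that is not part of the original message: it compares a keytab listing with the enctypes that krb5.conf permits and reports whether the principal is missing or only has keys of other encryption types. It assumes the row layout printed by MIT `klist -k -e`; the realm, principals and listing are constructed, and the thread does not say which of the two causes applied.

```python
import re

# Alias spellings that name the same Kerberos encryption type.
ALIASES = {"rc4-hmac": "arcfour-hmac", "aes256-cts": "aes256-cts-hmac-sha1-96"}

def canon(enctype):
    """Normalise an enctype name so that aliases compare equal."""
    name = enctype.strip().lower().replace("deprecated:", "")
    return ALIASES.get(name, name)

def permitted_enctypes(krb5_conf, key="default_tkt_enctypes"):
    """Return the enctypes listed for `key`, or None when it is not set."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+)$", krb5_conf, re.M)
    return {canon(e) for e in re.split(r"[,\s]+", m.group(1).strip())} if m else None

def keytab_entries(klist_output):
    """Parse `klist -k -e` rows: KVNO [timestamp] principal (enctype)."""
    rows = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(?:.*\s)?(\S+@\S+)\s+\(([^)]+)\)\s*$", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), canon(m.group(3))))
    return rows

def diagnose(klist_output, krb5_conf, principal):
    """Say whether the keytab holds a key kinit -k could use for principal."""
    rows = keytab_entries(klist_output)
    mine = {etype for _, name, etype in rows if name == principal}
    if not mine:
        return "no entry for principal; keytab holds " + ", ".join(sorted({n for _, n, _ in rows}))
    allowed = permitted_enctypes(krb5_conf)
    if allowed is not None and not mine & allowed:
        return "enctype mismatch: keytab has " + ", ".join(sorted(mine))
    return "ok"

# Constructed sample data (not taken from the thread).
KRB5_CONF = """[libdefaults]
 default_tkt_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
"""
KLIST = """Keytab name: FILE:imap.keytab
KVNO Principal
---- ---------------------------------------------------------------
   1 imap/mail.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 svc@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 old@EXAMPLE.TEST (arcfour-hmac)
"""

if __name__ == "__main__":
    for who in ("imap@EXAMPLE.TEST", "svc@EXAMPLE.TEST", "old@EXAMPLE.TEST"):
        print(who, "->", diagnose(KLIST, KRB5_CONF, who))
```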
