[Samba] My 'net ads keytab' can't write to keytab in samba 3.0.6

Al Al al_al_al at mail.com
Mon Oct 25 21:58:19 GMT 2004


Hello,

I'm trying to authenticate all our Linux machines to our ADS domain.  As of now, I'm still in the process of setting up all the individual components before pushing the setup out.  I've made quite a bit of progress, but I've hit a hitch when trying to add the machine's service principals (the 'host' primary specifically) to its keytab.
I've searched, but I haven't seen this particular issue addressed.  I get the same results when doing 'net ads join' and 'net ads keytab create/add/flush' (which makes sense because they all end up calling ads_keytab_add_entry anyway). Here's my output:

# net ads join SanJose/KW/Computers -d 3
[2004/10/25 12:56:30, 3] param/loadparm.c:lp_load(3920)
  lp_load: refreshing parameters
[2004/10/25 12:56:30, 3] param/loadparm.c:init_globals(1324)
  Initialising global parameters
[2004/10/25 12:56:30, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2004/10/25 12:56:30, 3] param/loadparm.c:do_section(3413)
  Processing section "[global]"
[2004/10/25 12:56:30, 2] lib/interface.c:add_interface(79)
  added interface ip=10.50.195.251 bcast=10.50.199.255 nmask=255.255.248.0
[2004/10/25 12:56:30, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 10.50.192.51
[2004/10/25 12:56:30, 3] libads/ldap.c:ads_server_info(2318)
  got ldap server name wntnasj@NA.OURCOMPANY.COM, using bind path: dc=NA,dc=OURCOMPANY,dc=COM
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2004/10/25 12:56:30, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name =wntnasj$@NA.OURCOMPANY.COM
[2004/10/25 12:56:30, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(252)
  Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Mon, 25 Oct 2004 13:10:03 GMT
[2004/10/25 12:56:30, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for lnx251 already exists - modifying old account
Using short domain name -- WINNTDOM
[2004/10/25 12:56:41, 2] libads/kerberos_keytab.c:ads_keytab_add_entry(79)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5.keytab
[2004/10/25 12:56:41, 3] libads/kerberos_keytab.c:ads_keytab_add_entry(122)
  ads_keytab_add_entry: Will try to delete old keytab entries
[2004/10/25 12:56:41, 3] libads/kerberos_keytab.c:ads_keytab_add_entry(231)
  ads_keytab_add_entry: adding keytab entry for (host/lnx251.ourcompany.com@NA.OURCOMPANY.COM) with encryption type (18) and version (3)
[2004/10/25 12:56:41, 1] libads/kerberos_keytab.c:ads_keytab_add_entry(236)
  ads_keytab_add_entry: adding entry to keytab failed (Cannot write to specified key table)
[2004/10/25 12:56:41, 1] libads/kerberos_keytab.c:ads_keytab_create_default(418)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2004/10/25 12:56:41, 1] utils/net_ads.c:net_ads_join(829)
  Error creating host keytab!
Joined 'LNX251' to realm 'NA.OURCOMPANY.COM'
[2004/10/25 12:56:41, 2] utils/net.c:main(792)
  return code = 0


I've tried manually creating a keytab with ktutil, and it still doesn't help.  I checked the Kerberos error codes, and it checks out, but I'm guessing that writability to the keytab isn't the real issue at hand.

Any ideas?

I'm using the following:

samba-3.0.6
krb5-workstation-1.3.4


Regards,
Al
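
Added example, not part of the original post and not Samba code: the log above ends with a 'Joined' banner and 'return code = 0' even though the keytab write failed, so a rollout script that trusts the exit status alone would miss it. This Python check parses the '-d 3' debug output and flags keytab errors; the function names and the "level 1 or lower means error" threshold are assumptions of the example.

```python
import re

# Header of a Samba debug record: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[[^,\]]+,\s*(\d+)\]\s+(\S+?):(\w+)\(\d+\)\s*$")

# Tail of the 'net ads join -d 3' output quoted in the post above.
SAMPLE = """\
[2004/10/25 12:56:41, 2] libads/kerberos_keytab.c:ads_keytab_add_entry(79)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5.keytab
[2004/10/25 12:56:41, 1] libads/kerberos_keytab.c:ads_keytab_add_entry(236)
  ads_keytab_add_entry: adding entry to keytab failed (Cannot write to specified key table)
[2004/10/25 12:56:41, 1] libads/kerberos_keytab.c:ads_keytab_create_default(418)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2004/10/25 12:56:41, 1] utils/net_ads.c:net_ads_join(829)
  Error creating host keytab!
Joined 'LNX251' to realm 'NA.OURCOMPANY.COM'
[2004/10/25 12:56:41, 2] utils/net.c:main(792)
  return code = 0
"""

def parse_records(text):
    """Return [(level, source_file, function, message)] for each debug record."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = [int(m.group(1)), m.group(2), m.group(3), []]
            records.append(current)
        elif current is not None and raw.startswith("  "):
            current[3].append(raw.strip())   # indented body of the record
        else:
            current = None                   # plain stdout, e.g. "Joined ..."
    return [(lvl, src, fn, " ".join(body)) for lvl, src, fn, body in records]

def check_join(text):
    """Summarise a join log: exit status, join banner, keytab errors."""
    records = parse_records(text)
    # Assumption: debug level <= 1 marks an error, as in the log above.
    errors = [(fn, msg) for lvl, src, fn, msg in records
              if lvl <= 1 and "keytab" in (src + " " + msg).lower()]
    rc = [int(m.group(1)) for _, _, _, msg in records
          if (m := re.fullmatch(r"return code = (-?\d+)", msg))]
    return {
        "return_code": rc[-1] if rc else None,
        "joined": re.search(r"^Joined '[^']+' to realm", text, re.M) is not None,
        "keytab_errors": errors,
        # Usable only if the join succeeded AND no keytab error was logged.
        "usable": bool(rc) and rc[-1] == 0 and not errors,
    }
```

Calling check_join(SAMPLE) reports the join as successful but not usable, with the three keytab errors listed.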