[Samba] net ads join's generated keytab and solaris

mcm75 christian.mchugh at NAU.EDU
Wed Jun 14 17:31:13 GMT 2006

Hey all. I am working on getting Solaris 10 and 9 clients authenticating to 
Active Directory. We have a test setup with Windows 2003 R2 and the Unix 
fields filled out. All was going well with a combination of pam_krb5 and 
nss_ldap and LDAP mappings, including working automounting of home directories. 
This originally included setup instructions from Microsoft, where they said to 
create a user account, assign a password, and generate a keytab to transfer to 
the Unix host to import. This process also went well.

This changed when we tried to use a newer Samba and share = domain, which 
required Samba to join Active Directory. This played with our keytab settings 
as it tried to create another machine account. We decided it would be easier 
to let Samba handle the joining and managing of the krb5.keytab file as it did 
it more "properly" anyway. Now we can't seem to get ssh authentication working 
again. kinit username works, as does kpasswd. We can run net ads keytab 
commands and net ads changetrustpw fine, but when we try to do what worked 
before, ssh username@localhost, we now get the error "Key table entry not 
found". We have spent considerable time messing with the local hostname, 
changing it from FQDN to short and whatnot, but to no avail. The keytab also 
appears to have entries for both, so I don't understand this error. DNS works 
in both directions for this host, and like I said, when creating a keytab from 
a user account on Windows manually, this process works.

If I run something like "kinit -k host/mundi@TESTAUTH.NETWORK" I get a 
preauthentication failed message. If instead of mundi I make that fully 
qualified I get the client not found in Kerberos database error.

I should also mention that in order to get this far I had to add supported_enctypes 
= des-cbc-md5 and various other lines to krb5.conf to only allow that encoding, 
as Solaris does not allow many types. This successfully limited my keytab down 
to only those enc types. I also added use kerberos keytab = yes to smb.conf, 
to have a unified system domain join, i.e. ssh and Samba would both be 
preauthenticated from the machine account Samba created.

Attached are possibly helpful log and config files.

In short, how can I get ssh authentication working again?

Christian McHugh
Northern Arizona University
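A keytab check of the kind the post calls for, as an added example that is not part of the original message and not Samba's own code. "Key table entry not found" is what MIT Kerberos reports when no keytab entry matches the principal, key version number and enctype of the service ticket the client presents, so the three things to look at are whether the host/ principal sshd will be asked for is present at all, which enctype it is stored with, and at what KVNO. The script below parses the output of klist -k -e (here a constructed sample embedded inline, not a real keytab); the hostname, realm, KVNO and enctype in that sample are assumptions for illustration only.

```shell
#!/bin/sh
# Keytab sanity check for a "Key table entry not found" failure on ssh/GSSAPI.
# Added example, not code from the original post or from Samba. It parses the
# output of "klist -k -e" (MIT/Solaris-style listing) and answers: is the host/
# principal sshd will look for actually in the keytab, with which enctype(s),
# and at which KVNO. Hostname, realm, KVNO and enctype below are assumptions.

# Constructed sample of "klist -k -e /etc/krb5.keytab"; not a real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mundi.testauth.network@TESTAUTH.NETWORK (DES cbc mode with RSA-MD5)
   3 host/mundi@TESTAUTH.NETWORK (DES cbc mode with RSA-MD5)
   3 MUNDI$@TESTAUTH.NETWORK (DES cbc mode with RSA-MD5)'

# Entry lines start with a numeric KVNO; field 2 is the principal.
# Reads klist output on stdin, prints each distinct principal once.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# missing_principals "<klist output>" principal...
# Prints "MISSING: <principal>" for every requested principal absent from the
# keytab; returns 1 if any were missing, 0 otherwise.
missing_principals() {
    klist_out=$1
    shift
    present=$(printf '%s\n' "$klist_out" | keytab_principals)
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$present" | grep -qxF -- "$p"; then
            echo "MISSING: $p"
            rc=1
        fi
    done
    return $rc
}

# enctypes_for "<klist output>" principal
# Prints the enctype description(s) that klist -e shows in parentheses for
# the principal, one per line, so an entry stored only in a type the KDC or
# the client will not use stands out.
enctypes_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            s = $0
            sub(/^[^(]*\(/, "", s)   # drop everything up to the first "("
            sub(/\) *$/, "", s)      # drop the closing ")"
            print s
        }' | sort -u
}

# kvno_for "<klist output>" principal
# Prints the key version number stored for the principal (first match).
kvno_for() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1; exit }'
}

# Stand-alone demo on the constructed sample. On a real host replace
# SAMPLE_KLIST with "$(klist -k -e /etc/krb5.keytab)" and list the principals
# sshd will be presented with: host/<fqdn>@REALM and host/<short name>@REALM.
REALM=TESTAUTH.NETWORK
for princ in "host/mundi.testauth.network@$REALM" "host/mundi@$REALM" "MUNDI\$@$REALM"; do
    echo "$princ: kvno=$(kvno_for "$SAMPLE_KLIST" "$princ")" \
         "enctypes=$(enctypes_for "$SAMPLE_KLIST" "$princ" | tr '\n' ' ')"
done
missing_principals "$SAMPLE_KLIST" "host/mundi.testauth.network@$REALM" "host/mundi@$REALM" \
    || echo "at least one required principal is not in the keytab"
```

Run it against the real listing, then compare the stored KVNO with the one the KDC currently issues for the service principal (the MIT kvno utility prints it after fetching a ticket): a keytab whose entries carry an older KVNO than the KDC hands out is stale, which is worth checking after any net ads changetrustpw, and an entry present only under an enctype the KDC refuses to issue tickets in will produce the same not-found error even though klist shows the principal.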

