[Samba] Problem with keytab: "Client not found in Kerberos database"

Rowland Penny rpenny at samba.org
Tue Dec 20 10:45:23 UTC 2016


On Tue, 20 Dec 2016 10:13:14 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:

> L.P.H. van Belle wrote:
>
>  > check resolv.conf
> 
> Points to two nearby instances of pdns recursor, which in turn
> forward domains "ad.example.net" and "5.168.192.in-addr.arpa" to the
> Samba servers.

Can I suggest you stop doing this and point your domain member at the DC
only.

> 
> Rowland Penny wrote:
> 
>  > No, start by using the correct thing for '*':
>  >
>  >  idmap config * : backend = tdb
>  >  idmap config * : range = 1000000-9999999
> 
> I wasn't aware that the default *had* to be tdb; the manpage at
> https://www.samba.org/samba/docs/man/manpages-3/idmap_autorid.8.html
> gives examples which don't use tdb at all, e.g.
> 
> [global]
> 	security = ads
> 	workgroup = CUSTOMER
> 	realm = CUSTOMER.COM
> 
> 	idmap config * : backend = autorid
> 	idmap config * : range = 1000000-1999999
> 
> 
> Is it really wrong to use autorid for this?

Best practice is to use 'tdb'; there is no need to actually know the
IDs for any of the '*' domain users & groups. 'tdb' is known to work.

> 
> Anyway: I have followed your advice, switched to tdb, left and
> rejoined domain, and regenerated the keytab. The problem is still
> there.

When you join the domain with 'kerberos method = secrets and keytab',
you should get a keytab created without having to manually create it.

> 
> While doing this I found one stupid problem which was visible in my 
> original post:
> 
>          imdap config AD : backend = rid
> 
> 
> Arrgh!!!  (I noticed this because getent passwd 'AD\brian' started 
> returning a tdb-assigned ID 1000000 instead of the RID-based ID)
> 
> But after fixing that (and net cache flush and restarting winbind), 
> still no joy:

How did you 'fix' this? On face value, there is nothing wrong with that
line.

Rowland
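The checks this thread circles around (a misspelled 'idmap config' key, a
backend and range for '*' and for each named domain, ranges that do not
overlap, and 'kerberos method = secrets and keytab' so the join writes the
keytab) can be scripted. The script below is an added example, not Samba
code and not from either poster; the sample smb.conf is constructed to
mirror the thread, the rule set encodes Rowland's advice rather than a hard
Samba requirement (autorid for '*' is also valid), and the function names
are mine.

```python
"""Lint the idmap and Kerberos settings of a Samba domain-member smb.conf.

Added example, not Samba's own code. Rules follow the thread's advice
(tdb for '*', backend + range per domain, no overlapping ranges, 'kerberos
method = secrets and keytab') and flag near-miss keys like "imdap config".
Parameter names follow smb.conf(5); the rule set itself is an assumption.
"""
import re

# Constructed sample mirroring the thread's setup, typo included.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    workgroup = AD
    realm = AD.EXAMPLE.NET
    kerberos method = secrets and keytab

    idmap config * : backend = tdb
    idmap config * : range = 1000000-9999999
    imdap config AD : backend = rid
    idmap config AD : range = 10000-999999

[homes]
    browseable = no
"""

# Matches "idmap config DOMAIN : option" and look-alikes such as
# "imdap config DOMAIN : option", so the typo can be reported.
IDMAP_KEY = re.compile(
    r"^(?P<key>[a-z]+)\s+config\s+(?P<dom>\S+)\s*:\s*(?P<opt>\w+)$", re.I)


def parse_global(text):
    """Return (params, idmap, findings) for the [global] section.

    params: {"security": "ads", ...}
    idmap:  {"*": {"backend": "tdb", "range": "..."}, "AD": {...}}
    findings: messages for keys that look like 'idmap config' but are not.
    """
    params, idmap, findings = {}, {}, []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = " ".join(key.split()), val.strip()
        m = IDMAP_KEY.match(key)
        if m is None:
            params[key.lower()] = val
        elif m["key"].lower() == "idmap":
            idmap.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = val
        else:
            findings.append(
                f"line {lineno}: unknown parameter '{key}' "
                f"(did you mean 'idmap config {m['dom']} : {m['opt']}'?)")
    return params, idmap, findings


def parse_range(val):
    """'LOW-HIGH' -> (low, high); ValueError if malformed or LOW >= HIGH."""
    low, high = (int(x) for x in val.split("-"))
    if low >= high:
        raise ValueError(val)
    return low, high


def lint(text):
    """Return the list of findings; an empty list means the config passes."""
    params, idmap, findings = parse_global(text)
    if params.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' on a domain member")
    if params.get("kerberos method", "").lower() != "secrets and keytab":
        findings.append("set 'kerberos method = secrets and keytab' so the "
                        "join writes the system keytab for you")
    if "*" not in idmap:
        findings.append("no 'idmap config *' entries at all")
    elif idmap["*"].get("backend", "").lower() != "tdb":
        findings.append("idmap config * : backend should be tdb (the "
                        "thread's recommendation; autorid also works)")
    ranges = []
    for dom, opts in idmap.items():
        if "backend" not in opts:
            findings.append(f"idmap config {dom} : backend is missing")
        if "range" not in opts:
            findings.append(f"idmap config {dom} : range is missing")
            continue
        try:
            ranges.append((dom, *parse_range(opts["range"])))
        except ValueError:
            findings.append(f"idmap config {dom} : range "
                            f"'{opts['range']}' is not LOW-HIGH")
    # Ranges must not overlap; sort by low end and compare neighbours.
    ranges.sort(key=lambda r: r[1])
    for (d1, _, h1), (d2, l2, _) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            findings.append(f"idmap ranges for {d1} and {d2} overlap")
    return findings


if __name__ == "__main__":
    for msg in lint(SAMPLE_SMB_CONF):
        print(msg)
```

Run against the embedded sample it reports the 'imdap' line as an unknown
parameter and, as a consequence, that the AD domain has no backend, which
is exactly why getent fell back to the tdb-assigned ID. Samba's own
testparm also reports unknown parameters, so running it after every
smb.conf edit is the quicker check; the script only adds the idmap-specific
rules from the thread on top.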
