[Samba] Key table name malformed
lists
lists at merit.unu.edu
Tue Apr 4 14:55:22 UTC 2017
Hi,
We are having an issue trying to install a domain member server.
I'm following the samba wiki:
- samba 4.6.1
- krb5.conf as recommended on wiki
- time synced
- kinit works
- dns works (DCs in resolv.conf)
- set up a basic smb.conf (pasted at the end of this email)
- edit nsswitch.conf to include winbind for passwd/group
and then finally "net ads join -U administrator -d5" fails with:
> ...
> ...(snipped)
> ...
> Host account for PROCESSING does not have service principal names.
> Retrieving the servicePrincipalNames failed.
> getaddrinfo: No address associated with hostname
> ads_domain_func_level: 2
> ads_domain_func_level: 2
> kerberos_secrets_store_des_salt: Storing salt "host/processing.SAMBA.COMPANY.COM at SAMBA.COMPANY.COM"
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> smb_krb5_kt_open failed (Key table name malformed)
> ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : 'WRKGRP'
> dns_domain_name : 'SAMBA.COMPANY.COM'
> forest_name : 'SAMBA.COMPANY.COM'
> dn : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
> domain_sid : *
> domain_sid : S-1-5-21-92843450-981953634-869174549
> modified_config : 0x00 (0)
> error_string : 'failed to create kerberos keytab'
> domain_is_ad : 0x01 (1)
> set_encryption_types : 0x00000000 (0)
> result : WERR_GEN_FAILURE
> Failed to join domain: failed to create kerberos keytab
> return code = -1
The file /etc/krb5.keytab is NOT created. (I thought it should be
created automatically on AD join.)
When I ignore that and simply start winbind, the effect is that "wbinfo
-u", "wbinfo -g", "id username" all work.
However: "getent passwd" does NOT work correctly:
> user1:*:22185:513::/home/WRKGRP/user1:/bin/false
> user2:*:29969:513::/home/WRKGRP/user2:/bin/false
The uid/gid ARE taken from AD, but the home directory and shell are NOT the
ones defined in AD (making it look like the old Samba 4.1 situation,
where winbind took uid/gid from AD, but the shell and home directory came
from a template).
I will paste the smb.conf below. For the rest, our AD appears to be
working correctly...
The smb.conf of the domain member server:
> root at processing:/etc/samba# cat smb.conf
> [global]
>
> netbios name = processing
> workgroup = WRKGRP
> security = ADS
> realm = SAMBA.COMPANY.COM
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1000999
> idmap config WRKGRP:backend = ad
> idmap config WRKGRP:schema_mode = rfc2307
> idmap config WRKGRP:range = 500-999999
>
> winbind nss info = rfc2307
I have NO idea where to look... Suggestions?
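As an added example (not part of the original post and not Samba's own code), the script below runs the static checks I would do first on a domain member's smb.conf before looking at winbind: it parses the [global] section, collects every `idmap config <DOM>:<key>` entry, verifies that each range parses and that no two ranges overlap (Samba requires the `*` default range and every domain range to be disjoint), warns when a range starts below the local UID/GID floor (the Samba wiki requires idmap ranges not to collide with local accounts), and confirms that an `ad` backend has a `schema_mode` and that the global `winbind nss info` is not left at its default `template` (which is exactly the symptom of home/shell coming from a template). The embedded smb.conf text is a constructed copy of the configuration in the post; the second variant with an overlapping range is constructed to show the overlap check firing. The 1000 floor and the per-domain `unix_nss_info` override (not checked here) are assumptions for the example.

```python
"""Static sanity checks for a Samba domain-member smb.conf (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the smb.conf from the post (quote markers removed).
POSTED_SMB_CONF = """\
[global]
netbios name = processing
workgroup = WRKGRP
security = ADS
realm = SAMBA.COMPANY.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config *:backend = tdb
idmap config *:range = 1000000-1000999
idmap config WRKGRP:backend = ad
idmap config WRKGRP:schema_mode = rfc2307
idmap config WRKGRP:range = 500-999999
winbind nss info = rfc2307
"""

# Constructed variant: the default '*' range now overlaps the WRKGRP range.
OVERLAPPING_SMB_CONF = POSTED_SMB_CONF.replace(
    "idmap config *:range = 1000000-1000999",
    "idmap config *:range = 900000-1000999")

IDMAP_RE = re.compile(r"^idmap config\s*(\S+?)\s*:\s*(\S+)$")


def parse_global(text: str) -> Dict[str, str]:
    """Return [global] key/value pairs; keys lower-cased and single-spaced."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def idmap_domains(params: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOM:key' parameters by domain name ('*' = default)."""
    doms: Dict[str, Dict[str, str]] = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            doms.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return doms


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse 'low-high' into ints; raises ValueError on garbage."""
    low, high = (int(x) for x in spec.split("-", 1))
    return low, high


def check_member_config(text: str, local_id_floor: int = 1000) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    p = parse_global(text)
    findings: List[str] = []
    if p.get("security", "").upper() != "ADS":
        findings.append("security must be ADS on a domain member")
    if not p.get("realm"):
        findings.append("realm is not set")
    doms = idmap_domains(p)
    if "*" not in doms:
        findings.append("no 'idmap config *' default backend configured")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in doms.items():
        if "range" not in cfg:
            findings.append(f"idmap config {dom}: no range set")
            continue
        try:
            low, high = parse_range(cfg["range"])
        except ValueError:
            findings.append(f"idmap config {dom}: unparsable range {cfg['range']!r}")
            continue
        if low >= high:
            findings.append(f"idmap config {dom}: empty range {low}-{high}")
            continue
        ranges[dom] = (low, high)
        if low < local_id_floor:  # assumed floor for local accounts
            findings.append(f"idmap config {dom}: range starts at {low}, below the "
                            f"local account floor {local_id_floor}; may collide with local UIDs/GIDs")
        if cfg.get("backend", "").lower() == "ad":
            if cfg.get("schema_mode", "").lower() not in ("rfc2307", "sfu", "sfu20"):
                findings.append(f"idmap config {dom}: backend ad needs schema_mode rfc2307 or sfu")
            if p.get("winbind nss info", "template").lower() == "template":
                findings.append(f"{dom}: winbind nss info is 'template', so home dir and "
                                "shell come from template settings, not from AD")
    names = sorted(ranges)
    for i, a in enumerate(names):  # pairwise overlap check
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                findings.append(f"idmap ranges overlap: {a} {al}-{ah} vs {b} {bl}-{bh}")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SMB_CONF), ("overlapping", OVERLAPPING_SMB_CONF)):
        print(f"--- {label} ---")
        for f in check_member_config(conf) or ["no findings"]:
            print(" ", f)
```

Run it as a plain script; for the posted configuration the only finding is the WRKGRP range starting at 500, which sits below the usual start of local user accounts and is worth raising in the wiki's own terms even though it does not explain the keytab error. The overlap check is the one that would have been fatal: winbind refuses overlapping idmap ranges, and that is easy to introduce when editing ranges by hand.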