[Samba] Key table name malformed

lists lists at merit.unu.edu
Tue Apr 4 14:55:22 UTC 2017


Hi,

We are having an issue trying to install a domain member server.

I'm following the samba wiki:
- samba 4.6.1
- krb5.conf as recommended on wiki
- time synced
- kinit works
- dns works (DCs in resolv.conf)
- set up a basic smb.conf (pasted at the end of this email)
- edit nsswitch.conf to include winbind for passwd/group
and then finally "net ads join -U administrator -d5" fails with:

> ...
> ...(snipped)
> ...
> Host account for PROCESSING does not have service principal names.
> Retrieving the servicePrincipalNames failed.
> getaddrinfo: No address associated with hostname
> ads_domain_func_level: 2
> ads_domain_func_level: 2
> kerberos_secrets_store_des_salt: Storing salt "host/processing.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM"
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> smb_krb5_kt_open failed (Key table name malformed)
> ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'WRKGRP'
>             dns_domain_name          : 'SAMBA.COMPANY.COM'
>             forest_name              : 'SAMBA.COMPANY.COM'
>             dn                       : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
>             domain_sid               : *
>                 domain_sid               : S-1-5-21-92843450-981953634-869174549
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to create kerberos keytab'
>             domain_is_ad             : 0x01 (1)
>             set_encryption_types     : 0x00000000 (0)
>             result                   : WERR_GEN_FAILURE
> Failed to join domain: failed to create kerberos keytab
> return code = -1

The file /etc/krb5.keytab is NOT created. (I thought it should be 
created automatically on AD join)

When I ignore that and simply start winbind, the effect is that "wbinfo 
-u", "wbinfo -g", "id username" all work.

However: "getent passwd" does NOT work correctly:

> user1:*:22185:513::/home/WRKGRP/user1:/bin/false
> user2:*:29969:513::/home/WRKGRP/user2:/bin/false

The uid/gid IS taken from AD, but home directory and shell are NOT the 
ones defined in AD. (making it look like the old samba 4.1 situation, 
where winbind took uid/gid from AD, but shell / home directory were from 
a template)

I will paste the smb.conf below. For the rest: our AD appears to be 
working correctly...

The smb.conf of the domain member server:
> root@processing:/etc/samba# cat smb.conf
> [global]
>
> netbios name = processing
> workgroup = WRKGRP
> security = ADS
> realm = SAMBA.COMPANY.COM
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind use default domain = yes
> winbind enum users  = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1000999
> idmap config WRKGRP:backend = ad
> idmap config WRKGRP:schema_mode = rfc2307
> idmap config WRKGRP:range = 500-999999
>
> winbind nss info = rfc2307

I have NO idea where to look... Suggestions?


