[Samba] Key table name malformed

mj lists at merit.unu.edu
Wed Apr 5 07:40:27 UTC 2017


Hoi Louis,

The thing is that the keytab is not generated! That is the issue at 
hand. The join appears to have succeeded:

> root@processing:~# net ads testjoin
> Join is OK
> root@processing:~#

However no keytab is generated during join, despite having in the domain 
member smb.conf:
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab

And the reason why it's not generated:

> smb_krb5_kt_open failed (Key table name malformed)
> ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'WRKGRP'
>             dns_domain_name          : 'SAMBA.COMPANY.COM'
>             forest_name              : 'SAMBA.COMPANY.COM'
>             dn                       : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
>             domain_sid               : *
>                 domain_sid               : S-1-5-21-92843450-981953634-869174549
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to create kerberos keytab'
>             domain_is_ad             : 0x01 (1)
>             set_encryption_types     : 0x00000000 (0)
>             result                   : WERR_GEN_FAILURE
> Failed to join domain: failed to create kerberos keytab
> return code = -1

More inline:

On 04/05/2017 09:25 AM, L.P.H. van Belle via samba wrote:
> This looks all good.
> Only one thing in the config, you can remove :
> winbind nss info = rfc2307
Yes, this remained from before I discovered the 4.6.x option
  "idmap config WRKGRP:unix_nss_info = yes"

> Can you check the content of the keytab? klist -ke /etc/krb5.keytab
> post ( if needed anonymized ) the content you see.
There is no keytab! :-(

> And did you by accident run : net ads join , multiple times on this server?
Yes, but the first time exactly this occurred already. I tried a few 
times again. I even tried a complete fresh installation.


> Looks to me there is something with net ads keytab going on.
Yes, exactly. It's not there, and it's not created.

Any ideas why that could be?

The error seems pretty low-level and frightening:

smb_krb5_kt_open failed (Key table name malformed)

MJ


