[Samba] Key table name malformed

L.P.H. van Belle belle at bazuin.nl
Wed Apr 5 07:54:38 UTC 2017 

Hm strange, i dont see it. 

Can you upgrade to 4.6.2? see if that helps. 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens mj via samba
> Verzonden: woensdag 5 april 2017 9:40
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Key table name malformed
> 
> Hoi Louis,
> 
> The thing is that the keytab is not generated! That is the issue at
> hand. The join appears to have succeeded:
> 
> > root at processing:~#  net ads testjoin
> > Join is OK
> > root at processing:~#
> 
> However no keytab is generated during join, despite having in the domain
> member smb.conf:
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> 
> And the reason why it's not generated:
> 
> > smb_krb5_kt_open failed (Key table name malformed)
> > ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         out: struct libnet_JoinCtx
> >             account_name             : NULL
> >             netbios_domain_name      : 'WRKGRP'
> >             dns_domain_name          : 'SAMBA.COMPANY.COM'
> >             forest_name              : 'SAMBA.COMPANY.COM'
> >             dn                       :
> 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
> >             domain_sid               : *
> >                 domain_sid               : S-1-5-21-92843450-981953634-
> 869174549
> >             modified_config          : 0x00 (0)
> >             error_string             : 'failed to create kerberos
> keytab'
> >             domain_is_ad             : 0x01 (1)
> >             set_encryption_types     : 0x00000000 (0)
> >             result                   : WERR_GEN_FAILURE
> > Failed to join domain: failed to create kerberos keytab
> > return code = -1
> 
> More inline:
> 
> On 04/05/2017 09:25 AM, L.P.H. van Belle via samba wrote:
> > This looks all good.
> > Only one thing in the config, you can remove :
> > winbind nss info = rfc2307
> Yes, this remained from before I discovered the 4.6.x option
>   "idmap config WRKGRP:unix_nss_info = yes"
> 
> > Can you check the content of the keytab? klist -ke /etc/krb5.keytab
> > post ( if needed anonymized ) the content you see.
> There is no keytab! :-(
> 
> > And did you by accident run : net ads join , multiple times on this
> server?
> Yes, but the first time exactly this occured already. I tried a few
> times again. I even tried a complete fresh installation.
> 
> 
> > Looks to me there is something with net ads keytab going on.
> Yes, exactly. It's not there, and it's not created.
> 
> Anyway ideas why that could be?
> 
> The error seems pretty low-level and frightening:
> 
> smb_krb5_kt_open failed (Key table name malformed)
> 
> MJ
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list