[Samba] wiki change request. page missing in index.

L.P.H. van Belle belle at bazuin.nl
Tue Aug 8 14:39:51 UTC 2017

Im notice the following.
When you go to : 
search site: keytab, nothing :-( 
I cant find anything about keytabs..   ( not on the first sight ), which i needed... 
but there is this page, ( google was your friend ) : https://wiki.samba.org/index.php/Generating_Keytabs 
Can someone add this in the Advanced section and make change where needed.
after this part, or if you have a better place, but its usefull info imho. 
This should print something like this: 

'ACCOUNTNAME' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) [X] 0x00000001 DES-CBC-CRC [X] 0x00000002 DES-CBC-MD5 [X] 0x00000004 RC4-HMAC [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 [X] 0x00000010 AES256-CTS-HMAC-SHA1-96

-------- ^^^^ already on wiki ----- 

A sAMAccount name can be the hostname of a computer

Then you use: net ads enctypes set HOSTNAME$ 
! Point of attention: HOSTNAME$.

The hostname in "how its defined in your smb.conf, and after you checked the current keytab file. 
(klist -ke  or klist -ke /path_to/your.keytab_file)
If the hostname is lowercased, and the netbios name is UPPERCASED, your auth wil fail.
for example :  
kinit -k hostname$ /etc/krb5.keytab     not working
but  :  
kinit -k HOSTNAME$ /etc/krb5.keytab     working
Howto use these settings in smb.conf, also a point of attention, this example is not the samba default: 
dedicated keytab file = /etc/krb5.keytab  
kerberos method = secrets and keytab 
Please read man smb.conf so you know what these 2 setting exact do. 
For example, dedicated keytab file setting is used for example when you also need extra UPN/SPN's.
This depend on how you use it and how you configure it. NFS is such example. 
The hostname used also in smb.conf :     netbios name = ..... 
The default is adapt the hostname of the server ( in caps ). 
( check: testparm -vs | grep "netbios name" ) 
check you keytab file.  
klist -ke |sort   ( use sort because is make it easier to see where what is missing, for example to check if you have 5 encryption types. ) 
net ads keytab create  ( used on a domain member ) 
This recreates the keytab file, based on the location of dedicated keytab file, in this example, /etc/krb5.keytab 
backup your old keytab file, stop samba/winbind , and recreate the new one. 
If you did not define dedicated keytab file, the keytab file is in /var/lib/samba/private/secret.keytab  (on debian) 
! Tip, if you add UPN/SPN's an account, ( for example HOSTNAME$ ) 
the recreated the keytab now also contains you new SPN/UPN. 
check again if all encryptions are there. 
and chech you rights on the keytab file.
chmod 640 /etc/krb5.keytab     ( its created on debian with 600, i need 640 ) 

More information about the samba mailing list