[Samba] net ads keytab add has no visible effects
Max Ober
max at mober.at
Sun Feb 26 00:52:46 UTC 2017
Hi!
I think I ran into the same problem.
What I tried so far:
1)
* Adopt SPNs on the DC with samba-tool spn
* Create keytab on Member with net ads keytab create
* Result:
** klist and net ads keytab list on Member match
** samba-tool spn list on DC doesn't
2)
* Clear SPNs from Member via net ads keytab flush
* Result:
** net ads keytab list on Member is empty
** samba-tool spn list on DC is empty too
3)
* Create SPNs from Member via net ads keytab add
* Create keytab on Member with net ads keytab create
* Result:
** keytab and net ads list are matching on Member
** samba-tool spn list on DC is empty
4) ? Solution ?
* Flush SPNs from Member (net ads keytab flush)
* Adopt SPNs on DC (samba-tool spn)
* Create Keytab on member (net ads keytab create)
* Result:
** keytab, net ads list and samba-tool spn list are matching
Versions:
DC: samba 4.5.4 on Arch Linux
Member: samba 4.4.8 on FreeBSD
Is there any incompatibility, am I doing something wrong or is this a bug?
Regards,
Max
> Hai,
>
> You can do the following.
>
> Login on the DC as root.
> Kinit Administrator
>
> samba-tool spn add HTTP/hostname.your.domain.tld HOSTNAME$
> (optional if needed: samba-tool spn add HTTP/hostname HOSTNAME$ )
>
> Now on the member.
> mv /etc/krb5.keytab /etc/krb5.keytab.backup
>
> net ads keytab create -Uadministrator
> if that does not work, this is a bit dirty but it works also.
> net ads join -Uadministrator
> And yes, a "re-join again"; strange, but it gives a different keytab.
> It does not change anything in the current setup/settings,
> but it does recreate your keytab file.
>
>
> And check the keytab again for the new entries.
> klist -ke /etc/krb5.keytab
>
> Restart samba/winbind
>
> This works fine for me. ( samba 4.5.3 )
>
> And this is a must have in your smb.conf
>
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Maciej Piechotka via samba
>> Sent: Thursday 19 January 2017 21:14
>> To: samba at lists.samba.org
>> Subject: [Samba] net ads keytab add has no visible effects
>>
>> When I issue the command 'net ads keytab add HTTP' I get the message
>> 'Processing principals to add...' but nothing else happens: no change
>> in the keytab or in the net ads keytab list output, no errors in the log, etc.
>>
>> [Global]
>> netbios name = HOSTNAME
>> workgroup = DOMAIN
>> realm = DOMAIN
>> server string = %h Gentoo DT
>> security = ads
>> auth methods = sam winbind
>> encrypt passwords = yes
>> kerberos method = system keytab
>>
>> preferred master = no
>> dns proxy = no
>> wins support = no
>>
>> inherit acls = Yes
>> map acl inherit = Yes
>> acl group control = yes
>>
>> load printers = no
>> debug level = 3
>> use sendfile = no
>>
>> log level = 10
>>
>> strict allocate = yes
>>
>> acl allow execute always = True
>> username map = /etc/samba/usermap.txt
>>
>>
>> [libdefaults]
>> default_realm = DOMAIN
>> clockskew = 300
>> ticket_lifetime = 3d
>> renew_lifetime = 7d
>> forwardable = true
>> proxiable = true
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>>
>> [realms]
>> DOMAIN = {
>> default_domain = DOMAIN
>> auth_to_local =
>> RULE:[1:$1@$0](^.*@DOMAIN$)s/@DOMAIN/@domain/
>> }
>>
>> [domain_realm]
>> .kerberos.server = DOMAIN
>> .domain = DOMAIN
>> domain = DOMAIN
>>
>> [appdefaults]
>> pam = {
>> ticket_lifetime = 1d
>> renew_lifetime = 1d
>> forwardable = true
>> proxiable = false
>> retain_after_close = false
>> minimum_uid = 0
>> debug = false
>> }
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> Any idea what may be wrong?
>>
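An added example, not part of any message in this thread: a small script that checks the condition the thread is after (the member's keytab principals and the SPNs registered on the DC for the machine account agree). It parses saved output of `klist -ke` and `samba-tool spn list 'HOSTNAME$'`; the sample outputs below are constructed, and the case-insensitive comparison is an assumption based on how AD matches SPNs.

```bash
#!/usr/bin/env bash
# Offline check that a member's keytab and the DC's registered SPNs agree.
# Inputs are saved command output; on real hosts produce them with
#   klist -ke /etc/krb5.keytab   (member)   and   samba-tool spn list 'HOSTNAME$'   (DC)
set -u
export LC_ALL=C   # keep sort/comm collation consistent

# klist -ke rows look like "   2 HTTP/host.domain.tld@REALM (aes256-...)": keep numbered
# rows whose principal has a service part ('/'), drop the realm, lowercase, dedupe.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /\// { sub(/@.*$/, "", $2); print tolower($2) }' "$1" | sort -u
}

# samba-tool spn list prints a header line, then one indented "SERVICE/host" per SPN.
spn_principals() {
    awk '$1 ~ /\// { print tolower($1) }' "$1" | sort -u
}

# Report every principal present on one side only. Returns 0 only when both sets are
# identical and non-empty (an empty match, as after "net ads keytab flush", still fails).
spn_keytab_diff() {
    kt=$(mktemp); spn=$(mktemp); rc=0
    keytab_principals "$1" > "$kt"
    spn_principals "$2" > "$spn"
    comm -23 "$kt" "$spn" | sed 's/^/in keytab but not registered on DC: /'
    comm -13 "$kt" "$spn" | sed 's/^/registered on DC but missing from keytab: /'
    if [ -s "$kt" ] && cmp -s "$kt" "$spn"; then rc=0; else rc=1; fi
    rm -f "$kt" "$spn"
    return "$rc"
}

# Constructed samples reproducing step 3 of the thread: HTTP/ was added to the
# member's keytab with "net ads keytab add", but the DC never saw the SPN.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/hostname.domain.tld@DOMAIN (aes256-cts-hmac-sha1-96)
   2 host/hostname.domain.tld@DOMAIN (arcfour-hmac)
   2 HTTP/hostname.domain.tld@DOMAIN (aes256-cts-hmac-sha1-96)
EOF
cat > "$SAMPLE_DIR/spn.txt" <<'EOF'
User CN=HOSTNAME,CN=Computers,DC=domain,DC=tld has the following servicePrincipalName:
     HOST/hostname.domain.tld
EOF

spn_keytab_diff "$SAMPLE_DIR/klist.txt" "$SAMPLE_DIR/spn.txt" \
    || echo "mismatch: add the SPN on the DC (samba-tool spn add), then re-run net ads keytab create"
```

Run it after step 4 of the procedure above: an empty report and exit status 0 means the keytab, `net ads keytab list` and `samba-tool spn list` agree.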