[Samba] net ads keytab add has no visible effects

L.P.H. van Belle belle at bazuin.nl
Fri Jan 20 08:37:08 UTC 2017


Hai, 

You can do the following. 

Log in on the DC as root.
kinit Administrator

samba-tool spn add HTTP/hostname.your.domain.tld HOSTNAME$
(optional if needed: samba-tool spn add HTTP/hostname HOSTNAME$ )

Now on the member. 
mv /etc/krb5.keytab /etc/krb5.keytab.backup

net ads keytab create -Uadministrator
If that does not work, this is a bit dirty but it also works:
net ads join -Uadministrator
And yes, a "re-join again", strange, but it gives a different keytab;
it does not change anything in the current setup/settings.
But it does recreate your keytab file.


And check the keytab again for the new entries.
klist -ke /etc/krb5.keytab 

Restart samba/winbind

This works fine for me. (samba 4.5.3)

And this is a must have in your smb.conf:

    # renew the kerberos ticket
    winbind refresh tickets = yes




Greetz, 

Louis
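Louis's steps for the member as a script, added here as an example (it is not code from the thread or from Samba): it moves the old keytab aside, runs `net ads keytab create`, and checks `klist -ke` for the expected principals before you restart winbind. The realm, the member's host name and the `klist -ke` line layout (KVNO, then principal, then enctype) are assumptions; the sample `klist` output at the end is constructed so the checks can run offline.

```sh
#!/bin/sh
# Added example (not Louis's or Samba's code): recreate the member keytab as the
# thread describes, then verify the expected principals before restarting.
# Assumes `klist -ke` prints "KVNO principal (enctype)" lines; REALM and FQDN
# are placeholders.
set -eu
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
REALM=${REALM:-EXAMPLE.COM}           # placeholder realm
FQDN=${FQDN:-member.example.com}      # placeholder member host name
NETBIOS=$(printf '%s' "$FQDN" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')

# Print every principal (a field containing '@') from klist output on stdin,
# one per line, de-duplicated across enctypes.
keytab_principals() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) print $i }' | sort -u
}

# Read klist output from stdin; print each expected principal (arguments)
# that is absent. Returns 0 when all are present, 1 otherwise.
missing_principals() {
    present=$(keytab_principals)
    rc=0
    for p in "$@"; do
        printf '%s\n' "$present" | grep -qxF -- "$p" || { printf '%s\n' "$p"; rc=1; }
    done
    return $rc
}

# Move the old keytab aside (the mv step), recreate it, then check the entries.
recreate_keytab() {
    [ -f "$KEYTAB" ] && mv "$KEYTAB" "$KEYTAB.backup.$(date +%Y%m%d%H%M%S)"
    net ads keytab create -Uadministrator
    if missing=$(klist -ke "$KEYTAB" | missing_principals \
            "$NETBIOS\$@$REALM" "HTTP/$FQDN@$REALM"); then
        echo "keytab ok: restart samba/winbind now"
    else
        echo "principals still missing (try the re-join workaround):" >&2
        printf '%s\n' "$missing" | sed 's/^/  /' >&2
        return 1
    fi
}
# Constructed sample of klist -ke output so the checks can run offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 MEMBER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/member.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/member.example.com@EXAMPLE.COM (arcfour-hmac)'
printf '%s\n' "$SAMPLE_KLIST" | missing_principals 'MEMBER$@EXAMPLE.COM' \
    'HTTP/member.example.com@EXAMPLE.COM' && echo "sample keytab: all present"
```

Call `recreate_keytab` as root on the member after the SPN has been added on the DC; a non-zero return leaves the timestamped backup in place for comparison.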





> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Maciej Piechotka
> via samba
> Sent: Thursday 19 January 2017 21:14
> To: samba at lists.samba.org
> Subject: [Samba] net ads keytab add has no visible effects
> 
> When I issue the command 'net ads keytab add HTTP' I get the message
> 'Processing principals to add...' but nothing else happens - no change
> in the keytab or in the net ads keytab list output, no errors in the log, etc.
> 
> [Global]
>   netbios name = HOSTNAME
>   workgroup = DOMAIN
>   realm = DOMAIN
>   server string = %h Gentoo DT
>   security = ads
>   auth methods = sam winbind
>   encrypt passwords = yes
>   kerberos method = system keytab
> 
>   preferred master = no
>   dns proxy = no
>   wins support = no
> 
>   inherit acls = Yes
>   map acl inherit = Yes
>   acl group control = yes
> 
>   load printers = no
>   debug level = 3
>   use sendfile = no
> 
>   log level = 10
> 
>   strict allocate = yes
> 
>   acl allow execute always = True
>   username map = /etc/samba/usermap.txt
> 
> 
> [libdefaults]
>         default_realm   =       DOMAIN
>         clockskew       =       300
>         ticket_lifetime =       3d
>         renew_lifetime  =       7d
>         forwardable     =       true
>         proxiable       =       true
>         dns_lookup_realm =      true
>         dns_lookup_kdc  =       true
> 
> [realms]
>         DOMAIN = {
>                 default_domain = DOMAIN
>                 auth_to_local =
> RULE:[1:$1@$0](^.*@DOMAIN$)s/@DOMAIN/@domain/
>         }
> 
> [domain_realm]
>         .kerberos.server = DOMAIN
>         .domain = DOMAIN
>         domain = DOMAIN
> 
> [appdefaults]
>         pam = {
>         ticket_lifetime         = 1d
>         renew_lifetime          = 1d
>         forwardable             = true
>         proxiable               = false
>         retain_after_close      = false
>         minimum_uid             = 0
>         debug                   = false
>         }
> 
> [logging]
>         default                 = FILE:/var/log/krb5libs.log
>         kdc                     = FILE:/var/log/kdc.log
>         admin_server            = FILE:/var/log/kadmind.log
> 
> Any idea what may be wrong?
> 