[Samba] Opensolaris-ish joins but does not seem to be valid

Mike Ray mray at xes-inc.com
Mon Oct 9 23:04:45 UTC 2017

We have a product that is similar to Opensolaris. It joins to the domain (Samba
version 4.7.0) without error and I can verify that a computer object is created
in the domain for it.

However, the command "getent passwd" which I would expect to return a list of
all domain users, only returns a list of local users.

I am confident I do not have a misconfigured file because if I get a Kerberos
ticket as the Administrator (i.e. kinit -UAdministrator) and then issue "getent
passwd", the list returns as I would expect.

The host is populated with a keytab after joining to the domain and it appears
to have good entries: "host/hostname.example.com@EXAMPLE.COM", etc. And when I
do a "klist" with no prior kinit, it says the default principal is
"host/hostname@EXAMPLE.COM" which is listed in the keytab.

Since I am on 4.7.0, I've also turned on the authentication auditing and I can
see the authentication attempt when I issue "getent passwd". But instead of
being host specific, it registers the user as [NT AUTHORITY]\[ANONYMOUS LOGON].

There is an additional setup we have to run for this host, setting up directory
based mappings for idmap to resolve UIDs.
That command registers as the host authority in the DC logs, i.e.
"[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the process returns
a "sasl/GSSAPI bind" error. As above, if I do a kinit as Administrator
beforehand, the command succeeds successfully.

It seems like something is wrong with the computer account, but it's not like I
can set the computer account's password and manually try kiniting as it. Any
suggestions about what might be wrong or how to further troubleshoot?

Mike Ray
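
An added example, not part of the original post: a small Python tally of DC authentication audit lines per client, showing which hosts arrive as `[NT AUTHORITY]\[ANONYMOUS LOGON]` versus as a machine account such as `[EXAMPLE]\[HOSTNAME$]`. The sample lines are constructed, and the `remote host [...]` field layout is an assumption modeled on the bracket notation quoted above; adjust the patterns to the real log.

```python
import re
from collections import Counter

# Matches the [DOMAIN]\[ACCOUNT] identity notation quoted in the post.
IDENTITY = re.compile(r"\[([^\]]*)\]\\\[([^\]]*)\]")
# Assumed field carrying the client address (layout is an assumption).
REMOTE = re.compile(r"remote host \[([^\]]*)\]", re.IGNORECASE)

# Constructed sample lines, not captured from a real DC.
SAMPLE_LOG = r"""
user [NT AUTHORITY]\[ANONYMOUS LOGON] remote host [ipv4:192.0.2.10:40112]
user [EXAMPLE]\[HOSTNAME$] remote host [ipv4:192.0.2.10:40120]
user [EXAMPLE]\[Administrator] remote host [ipv4:192.0.2.10:40133]
user [NT AUTHORITY]\[ANONYMOUS LOGON] remote host [ipv4:192.0.2.10:40140]
user [EXAMPLE]\[OTHERHOST$] remote host [ipv4:192.0.2.20:51000]
a line without any identity is skipped
"""

def classify(domain, account):
    """Return 'anonymous', 'machine' (trailing $) or 'user'."""
    if (domain.upper(), account.upper()) == ("NT AUTHORITY", "ANONYMOUS LOGON"):
        return "anonymous"
    return "machine" if account.endswith("$") else "user"

def summarize(log_text):
    """Count identity classes per client address (source port stripped)."""
    per_host = {}
    for line in log_text.splitlines():
        ident = IDENTITY.search(line)
        if not ident:
            continue
        remote = REMOTE.search(line)
        host = remote.group(1).rsplit(":", 1)[0] if remote else "unknown"
        per_host.setdefault(host, Counter())[classify(*ident.groups())] += 1
    return per_host

def anonymous_hosts(per_host):
    """Clients with at least one bind that reached the DC anonymously."""
    return sorted(h for h, c in per_host.items() if c["anonymous"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, counts in sorted(summary.items()):
        print(host, dict(counts))
    print("anonymous binds from:", anonymous_hosts(summary))
```

A client that shows both anonymous and machine-account entries, as the host in the post does, has working machine credentials for at least one code path, which narrows the search to the lookup path that binds anonymously.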
