[Samba] Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?

Rowland Penny rpenny at samba.org
Wed Nov 20 09:02:10 UTC 2019

On 20/11/2019 08:26, L.P.H. van Belle via samba wrote:
> Your config looks ok, as far as I can tell.
> This :  "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"
> As it should be, spn/hostname.fqdn@REALM, nothing wrong with that.
> But if I understand it right.
> Your server : kvm7246-vm022.maas.local is in REALM : TC83.LOCAL  ( NTDOM:TC83 )

I have been looking at this thinking 'should I reply' and after that I 
think I must ;-)

The server with the FQDN of kvm7246-vm022.maas.local cannot be in the 
REALM TC84.LOCAL, it would have to be kvm7246-vm022.tc84.local

I think you have a configuration error somewhere, I would start with 
your smb.conf:

     kerberos method = secrets and keytab
     logging = systemd
     realm = TC83.LOCAL
     security = ADS
     template homedir = /home/%U@%D
     template shell = /bin/bash
     winbind offline logon = Yes
     winbind refresh tickets = Yes
     workgroup = TC83
     idmap config * : range = 1000000-19999999
     idmap config * : backend = autorid

     path = /srv/test
     valid users = "@tc83.local\domain users" "@tc84.local\domain users"

I wouldn't use 'valid users', but if you must it should be like this:

valid users = '@TC83\domain users' 'TC84\domain users'
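
The points made in the reply above can be turned into a quick consistency check. This is an added example, not part of the original post and not Samba code: the function names are hypothetical, the sample input is constructed from the values quoted in the thread, and the rules are only the ones the reply states (the realm matches the host's DNS domain, and 'valid users' names use the short workgroup form).

```python
import re

# Constructed sample: settings and principal quoted in the thread above.
SMB_CONF = r'''
realm = TC83.LOCAL
workgroup = TC83
valid users = "@tc83.local\domain users" "@tc84.local\domain users"
'''
SPN = "cifs/kvm7246-vm022.maas.local@TC84.LOCAL"

def parse_params(text):
    """Return smb.conf 'key = value' lines as a dict with normalised keys."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def split_names(value):
    """Split a 'valid users' value into names, honouring both quote styles."""
    pattern = r'"([^"]*)"|\'([^\']*)\'|(\S+)'
    return [a or b or c for a, b, c in re.findall(pattern, value)]

def check(conf_text, spn):
    """Return a list of findings; an empty list means the rules all hold."""
    findings = []
    params = parse_params(conf_text)
    realm = params.get("realm", "").upper()
    service_host, _, spn_realm = spn.partition("@")
    host = service_host.split("/", 1)[-1]
    dns_domain = host.partition(".")[2]
    if spn_realm.upper() != realm:
        findings.append(f"SPN realm {spn_realm} differs from smb.conf realm {realm}")
    if dns_domain.upper() != spn_realm.upper():
        findings.append(f"host DNS domain {dns_domain} does not match SPN realm {spn_realm}")
    for name in split_names(params.get("valid users", "")):
        domain = name.lstrip("@+&").partition("\\")[0]
        if "\\" in name and "." in domain:
            findings.append(f"valid users entry {name!r} uses a DNS-style domain name")
    return findings

if __name__ == "__main__":
    for finding in check(SMB_CONF, SPN):
        print("WARN:", finding)
```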

