[Samba] Principal is a computer account - why

Meike Stone meike.stone at googlemail.com
Wed Sep 1 09:15:59 UTC 2021


Hello dear list,

I have a Samba instance running; users can access the share.
On the client (name: computer01), the share is connected via
net use x: \\samba01\share01

But often I see in the log
"Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
But this is a computer account and not known on the server.

Does anybody have any clue why such requests are coming from
the client?

Here is the config:
Samba version is "4.6.16" - I know, it is an "ancient" version, but
it's the version from the current Enterprise-Server SLES12 from SuSE

[global]

        # prim. Server Config
        server string            = samba01
        server min protocol      = SMB2
        ntlm auth                = no
        lanman auth              = no
        map to guest             = Bad User
        deadtime                 = 600
        os level                 = 1

        # Active Directory Config
        security                  = ADS
        realm                     = ADDOMAIN.NET
        workgroup                 = ADDOMAIN
        encrypt passwords         = yes
        password server           = *
        kerberos encryption types = strong
        kerberos method           = dedicated keytab
        dedicated keytab file     = /etc/krb5.keytab
        allow trusted domains     = No

        # local smb client config
        client signing      = auto
        client use spnego   = yes
        client lanman auth  = no
        client NTLMv2 auth  = no
        client schannel     = yes

        # Winbindd
        winbind separator          = /
        winbind cache time         = 600
        idmap config * : backend   = tdb
        idmap config * : range     = 10000-20000
        winbind trusted domains only = no
        winbind use default domain = yes
        require strong key         = yes
        winbind enum users         = no
        winbind enum groups        = no
        winbind expand groups      = 0

        # Printspooler Config
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes

        # Logging Configuration
        log level = all:2
        include = /etc/samba/debug/smb.conf.priv.%U



# SHARECONFIG

[share01]
        comment = Client Share
        nt acl support = no
        path = /Data
        acl allow execute always = yes
        directory mask = 0775
        create mask = 0664
        browsable = no
        writable = yes
        public = no
        valid users = @"share01_users@ADDOMAIN.NET"
        force user = localuser
        force group = localgroup



Thanks for helping, Meike
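
Added example, not part of the original post and not Samba project code: a small triage script that tallies the principals named in "Kerberos ticket principal name is [...]" log messages and marks machine accounts (names ending in `$`) apart from user accounts. The sample log is constructed; it assumes Samba's default log layout of a bracketed timestamp header followed by the message line, and the user name `alice` is hypothetical.

```python
import re

# Constructed sample: only the message text is taken from the post; the
# headers and the user principal are made up for illustration.
SAMPLE_LOG = """\
[2021/09/01 09:10:01.000001,  3] (constructed header)
  Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]
[2021/09/01 09:12:40.000002,  3] (constructed header)
  Kerberos ticket principal name is [alice@ADDOMAIN.NET]
[2021/09/01 09:15:59.000003,  3] (constructed header)
  Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
PRINCIPAL = re.compile(
    r"Kerberos ticket principal name is \[([^\]@]+)@([^\]]+)\]")


def summarize_principals(log_text):
    """Map each principal to its kind, hit count and first/last timestamp."""
    seen = {}
    last_ts = None  # timestamp of the most recent header line
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            last_ts = header.group(1)
            continue
        match = PRINCIPAL.search(line)
        if not match:
            continue
        name, realm = match.groups()
        entry = seen.setdefault(f"{name}@{realm}", {
            "machine": name.endswith("$"),  # AD computer accounts end in $
            "count": 0,
            "first": last_ts,
        })
        entry["count"] += 1
        entry["last"] = last_ts
    return seen


if __name__ == "__main__":
    for principal, info in sorted(summarize_principals(SAMPLE_LOG).items()):
        kind = "machine" if info["machine"] else "user"
        print(f'{info["count"]:4d}  {kind:7s}  {principal}  '
              f'{info["first"]} .. {info["last"]}')
```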


