[Samba] Principal is a computer account - why
rpenny at samba.org
Wed Sep 1 09:38:00 UTC 2021
On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> Hello dear list,
> I have running a samba instance, users can access the share.
> On the Client (name: computer01), the share is connected via
> net use x: \\samba01\share01
> But often I see in the log
> "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> But this is a computer account and not known on the server.
> Does anybody have any clue why there are such requests are coming
> the client?
No, because posting parts of a log without the context doesn't help.
> Here the config:
> Samba version is "4.6.16" - I know, it is an "ancient" version, but
> it's the version from the current Enterprise-Server SLES12 from SuSE
> # prim. Server Config
> server string = samba01
> server min protocol = SMB2
> ntlm auth = no
> lanman auth = no
> map to guest = Bad User
> deadtime = 600
> os level = 1
> # Active Directory Config
> security = ADS
> realm = ADDOMAIN.NET
> workgroup = ADDOMAIN
> encrypt passwords = yes
> password server = *
> kerberos encryption types = strong
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5.keytab
> allow trusted domains = No
> # local smb client condig
> client signing = auto
> client use spnego = yes
> client lanman auth = no
> client NTLMv2 auth = no
> client schannel = yes
> # Windbindd
> winbind separator = /
> winbind cache time = 600
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
Is sssd installed ? I would expect 'idmap config ADDOMAIN' lines.
More information about the samba