[Samba] Principal is a computer account - why

Meike Stone meike.stone at googlemail.com
Wed Sep 1 12:40:42 UTC 2021


On Wed, 1 Sept 2021 at 11:38, Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> > Hello dear list,
> >
> > I have a Samba instance running; users can access the share.
> > On the Client (name: computer01), the share is connected via
> > net use x: \\samba01\share01
> >
> > But often I see in the log
> > "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> > But this is a computer account and not known on the server.
> >
> > Does anybody have any clue why such requests are coming from
> > the client?
>
> No, because posting parts of a log without the context doesn't help.
Which context is needed?
The Client is a Windows 10 Client.
I turned logging for all to "9".
Can you please guide me: what class and what level?

Here are a few lines around ...
[2021/08/31 14:15:45.713335,  3] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: CLIENT01$ [CLIENT01$]
[2021/08/31 14:15:45.713357,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
[2021/08/31 14:15:45.713375,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user ADDOMAIN/CLIENT01$
[2021/08/31 14:15:45.713387,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is addomain/client01$
[2021/08/31 14:15:45.713399,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [ADDOMAIN/CLIENT01$]!




>
> >
> > Here the config:
> > Samba version is "4.6.16" - I know, it is an "ancient" version, but
> > it's the version from the current Enterprise-Server SLES12 from SuSE
> >
> > [global]
> >
> >         # prim. Server Config
> >         server string            = samba01
> >         server min protocol      = SMB2
> >         ntlm auth                = no
> >         lanman auth              = no
> >         map to guest             = Bad User
> >         deadtime                 = 600
> >         os level                 = 1
> >
> >         # Active Directory Config
> >         security                  = ADS
> >         realm                     = ADDOMAIN.NET
> >         workgroup                 = ADDOMAIN
> >         encrypt passwords         = yes
> >         password server           = *
> >         kerberos encryption types = strong
> >         kerberos method           = dedicated keytab
> >         dedicated keytab file     = /etc/krb5.keytab
> >         allow trusted domains     = No
> >
> >         # local smb client config
> >         client signing      = auto
> >         client use spnego   = yes
> >         client lanman auth  = no
> >         client NTLMv2 auth  = no
> >         client schannel     = yes
> >
> >         # Winbindd
> >         winbind separator          = /
> >         winbind cache time         = 600
> >         idmap config * : backend   = tdb
> >         idmap config * : range     = 10000-20000
>
> Is sssd installed ? I would expect 'idmap config ADDOMAIN' lines.
I use winbindd and in /etc/nsswitch.conf the two lines

passwd: files winbind
group:  files winbind


