[Samba] Principal is a computer account - why
Meike Stone
meike.stone at googlemail.com
Wed Sep 1 12:40:42 UTC 2021
On Wed, 1 Sep 2021 at 11:38, Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> > Hello dear list,
> >
> > I have a samba instance running, and users can access the share.
> > On the Client (name: computer01), the share is connected via
> > net use x: \\samba01\share01
> >
> > But often I see in the log
> > "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> > But this is a computer account and not known on the server.
> >
> > Does anybody have any clue why such requests are coming from
> > the client?
>
> No, because posting parts of a log without the context doesn't help.
Which context is needed?
The Client is a Windows 10 Client.
I turned logging for all to "9".
Can you please guide me: which class and which level?
Here are a few lines around it ...
[2021/08/31 14:15:45.713335, 3] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
Found account name from PAC: CLIENT01$ [CLIENT01$]
[2021/08/31 14:15:45.713357, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
[2021/08/31 14:15:45.713375, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user ADDOMAIN/CLIENT01$
[2021/08/31 14:15:45.713387, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is addomain/client01$
[2021/08/31 14:15:45.713399, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
Get_Pwnam_internals did find user [ADDOMAIN/CLIENT01$]!
>
> >
> > Here the config:
> > Samba version is "4.6.16" - I know, it is an "ancient" version, but
> > it's the version from the current Enterprise-Server SLES12 from SuSE
> >
> > [global]
> >
> > # prim. Server Config
> > server string = samba01
> > server min protocol = SMB2
> > ntlm auth = no
> > lanman auth = no
> > map to guest = Bad User
> > deadtime = 600
> > os level = 1
> >
> > # Active Directory Config
> > security = ADS
> > realm = ADDOMAIN.NET
> > workgroup = ADDOMAIN
> > encrypt passwords = yes
> > password server = *
> > kerberos encryption types = strong
> > kerberos method = dedicated keytab
> > dedicated keytab file = /etc/krb5.keytab
> > allow trusted domains = No
> >
> > # local smb client config
> > client signing = auto
> > client use spnego = yes
> > client lanman auth = no
> > client NTLMv2 auth = no
> > client schannel = yes
> >
> > # Winbindd
> > winbind separator = /
> > winbind cache time = 600
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-20000
>
> Is sssd installed? I would expect 'idmap config ADDOMAIN' lines.
I use winbindd, and /etc/nsswitch.conf has these two lines:
passwd: files winbind
group: files winbind
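
The following is an added example, not part of the original post and not Samba code: a small triage script that reads smbd log entries in the layout quoted above (including headers wrapped onto two lines by a mail client) and reports which Kerberos ticket principals are computer accounts, using the Active Directory convention that machine account names end in "$". The sample log text, the user "alice" and the function names are constructed for illustration.

```python
import re

# Constructed sample in the log layout quoted in the post; the third entry
# has its header wrapped onto two lines, as happens in mail archives.
SAMPLE_LOG = """\
[2021/08/31 14:15:45.713357, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
[2021/08/31 14:15:45.713375, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user ADDOMAIN/CLIENT01$
[2021/08/31 14:20:02.100000, 3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [alice@ADDOMAIN.NET]
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+:\d+\(\w+\)$")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[([^\]@]+)@([^\]]+)\]")


def parse_entries(text):
    """Split log text into entries: timestamp, level, source location, message lines."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "level": int(m.group(2)),
                   "where": m.group(3), "msg": []}
            entries.append(cur)
        elif cur is not None and line:
            # A wrapped header leaves the source location on its own line.
            if not cur["where"] and not cur["msg"] and LOCATION.match(line):
                cur["where"] = line
            else:
                cur["msg"].append(line)
    return entries


def kerberos_principals(text):
    """Return one record per logged ticket principal, flagging machine accounts."""
    found = []
    for entry in parse_entries(text):
        m = PRINCIPAL.search(" ".join(entry["msg"]))
        if m:
            name, realm = m.groups()
            found.append({"ts": entry["ts"], "name": name, "realm": realm,
                          "machine": name.endswith("$")})
    return found
```

Running `kerberos_principals()` over a full log and grouping the records by `machine` shows how often sessions are opened with the workstation's own credentials rather than a user's, and at what times.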