[Samba] Principal is a computer account - why

Rowland Penny rpenny at samba.org
Wed Sep 1 12:57:37 UTC 2021


On Wed, 2021-09-01 at 14:40 +0200, Meike Stone via samba wrote:
> On Wed, 1 Sept 2021 at 11:38, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> > > Hello dear list,
> > > 
> > > I have a samba instance running, users can access the share.
> > > On the Client (name: computer01), the share is connected via
> > > net use x: \\samba01\share01
> > > 
> > > But often I see in the log
> > > "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> > > But this is a computer account and not known on the server.
> > > 
> > > Does anybody have any clue why such requests are coming from
> > > the client?
> > 
> > No, because posting parts of a log without the context doesn't
> > help.
> Which context is needed?
> The Client is a Windows 10 Client.
> I turned logging for all to "9",
> Can you please guide me, what class and what level?
> 
> Here a few lines around ...
> [2021/08/31 14:15:45.713335,  3]
> ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
>   Found account name from PAC: CLIENT01$ [CLIENT01$]
> [2021/08/31 14:15:45.713357,  3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
> [2021/08/31 14:15:45.713375,  5]
> ../source3/lib/username.c:181(Get_Pwnam_alloc)
>   Finding user ADDOMAIN/CLIENT01$
> [2021/08/31 14:15:45.713387,  5]
> ../source3/lib/username.c:120(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is addomain/client01$
> [2021/08/31 14:15:45.713399,  5]
> ../source3/lib/username.c:159(Get_Pwnam_internals)
>   Get_Pwnam_internals did find user [ADDOMAIN/CLIENT01$]!

That helps.
You have a computer on your network that has the hostname 'client01'
and the logs are just documenting that. I hope you realise that a
computer is just a user with an extra objectclass.

> > > 
> > Is sssd installed? I would expect 'idmap config ADDOMAIN' lines.
> I use winbindd and in /etc/nsswitch.conf the two lines
> 
> passwd: files winbind
> group:  files winbind

If you are using winbind, then your smb.conf is borked.
I would expect lines like these:

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config ADDOMAIN : backend = rid
        idmap config ADDOMAIN : range = 10000-20000

However, if you change it now, it is likely that there will be some ID
changes.

Rowland
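
Added example, not part of the thread or of Samba's own code: a Python script that regroups smbd log records like those quoted above (bracketed header, source location, indented message, including headers wrapped onto a second line as in the mail) and tallies which Kerberos principals are machine accounts (trailing `$`) and which are users. The sample log is constructed from the quoted lines plus a hypothetical user `alice`; all function names are assumptions of this example.

```python
import re
from collections import Counter

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[([^\]@]+)@([^\]]+)\]")

# Constructed sample: two records modelled on the thread, one hypothetical user
# logon whose header is wrapped onto a second line the way the mail shows it.
SAMPLE_LOG = """\
[2021/08/31 14:15:45.713335,  3] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: CLIENT01$ [CLIENT01$]
[2021/08/31 14:15:45.713357,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
[2021/08/31 14:16:02.101010,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [alice@ADDOMAIN.NET]
"""

def parse_records(text):
    """Group header, source location and indented message lines into records."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": m.group(1), "level": int(m.group(2)),
                   "location": m.group(3), "message": []}
            records.append(cur)
        elif cur is None or not line.strip():
            continue
        elif line[0].isspace():
            cur["message"].append(line.strip())
        elif not cur["location"]:
            cur["location"] = line.strip()  # header wrapped onto a second line
    return records

def kerberos_logons(text):
    """Return (time, account, realm, kind) for every principal-name record."""
    out = []
    for rec in parse_records(text):
        m = PRINCIPAL.search(" ".join(rec["message"]))
        if m:
            account, realm = m.groups()
            # In AD a trailing '$' marks a computer account (managed service
            # and trust accounts use the same suffix).
            kind = "machine" if account.endswith("$") else "user"
            out.append((rec["time"], account, realm, kind))
    return out

def summarize(text):
    """Count logons per (principal, kind)."""
    return Counter((f"{a}@{r}", k) for _, a, r, k in kerberos_logons(text))
```
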




