[Samba] Principal is a computer account - why
Rowland Penny
rpenny at samba.org
Wed Sep 1 12:57:37 UTC 2021
On Wed, 2021-09-01 at 14:40 +0200, Meike Stone via samba wrote:
> On Wed, 1 Sep 2021 at 11:38, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> > > Hello dear list,
> > >
> > > I have a samba instance running; users can access the share.
> > > On the Client (name: computer01), the share is connected via
> > > net use x: \\samba01\share01
> > >
> > > But often I see in the log
> > > "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> > > But this is a computer account and not known on the server.
> > >
> > > Does anybody have any clue why such requests are coming from
> > > the client?
> >
> > No, because posting parts of a log without the context doesn't
> > help.
> Which context is needed?
> The Client is a Windows 10 Client.
> I turned logging for all to "9",
> Can you please guide me, what class and what level?
>
> Here are a few lines around ...
> [2021/08/31 14:15:45.713335, 3]
> ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
> Found account name from PAC: CLIENT01$ [CLIENT01$]
> [2021/08/31 14:15:45.713357, 3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
> [2021/08/31 14:15:45.713375, 5]
> ../source3/lib/username.c:181(Get_Pwnam_alloc)
> Finding user ADDOMAIN/CLIENT01$
> [2021/08/31 14:15:45.713387, 5]
> ../source3/lib/username.c:120(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as lowercase is addomain/client01$
> [2021/08/31 14:15:45.713399, 5]
> ../source3/lib/username.c:159(Get_Pwnam_internals)
> Get_Pwnam_internals did find user [ADDOMAIN/CLIENT01$]!
That helps.
You have a computer on your network that has the hostname 'client01'
and the logs are just documenting that. I hope you realise that a
computer is just a user with an extra objectclass.
> > >
> > Is sssd installed? I would expect 'idmap config ADDOMAIN' lines.
> I use winbindd and in /etc/nsswitch.conf the two lines
>
> passwd: files winbind
> group: files winbind
If you are using winbind, then your smb.conf is borked.
I would expect lines like these:
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ADDOMAIN : backend = rid
    idmap config ADDOMAIN : range = 10000-20000
However, if you change it now, it is likely that there will be some ID
changes.
Rowland
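
Added example, not part of the original message and not Samba's own code: a small Python parser that reads smbd log text in the layout quoted above and tallies Kerberos ticket principals, separating computer accounts (trailing "$") from user accounts. The sample log is constructed from the lines in the thread plus a hypothetical user "alice"; it also covers the mail-wrapped form where the source path sits on its own line.

```python
import re
from collections import Counter

# Constructed sample in Samba's log layout: a "[timestamp, level] file:line(func)"
# header followed by the message on the next line(s).
SAMPLE_LOG = """\
[2021/08/31 14:15:45.713335,  3] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: CLIENT01$ [CLIENT01$]
[2021/08/31 14:15:45.713357,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
[2021/08/31 14:16:02.100001,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [alice@ADDOMAIN.NET]
[2021/08/31 14:16:09.200002,  3]
  ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[([^@\]]+)@([^\]]+)\]")


def kerberos_principals(log_text):
    """Yield (timestamp, account, realm, is_machine) per principal message."""
    timestamp = None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            timestamp = header.group(1)
            continue
        found = PRINCIPAL.search(line)
        if found:
            account, realm = found.groups()
            # AD machine accounts carry a trailing "$" in sAMAccountName.
            yield timestamp, account, realm, account.endswith("$")


def summarize(log_text):
    """Count tickets per principal, split into machine and user accounts."""
    machines, users = Counter(), Counter()
    for _, account, realm, is_machine in kerberos_principals(log_text):
        (machines if is_machine else users)[f"{account}@{realm}"] += 1
    return machines, users


if __name__ == "__main__":
    machines, users = summarize(SAMPLE_LOG)
    print("machine accounts:", dict(machines))
    print("user accounts:", dict(users))
```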