[Samba] Key table name malformed
- Date: Tue, 4 Apr 2017 16:55:22 +0200
- From: lists via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Key table name malformed
We are having an issue trying to install a domain member server.
I'm following the samba wiki:
- samba 4.6.1
- krb5.conf as recommended on wiki
- time synced
- kinit works
- dns works (DCs in resolv.conf)
- set up a basic smb.conf (pasted at the end of this email)
- edit nsswitch.conf to include winbind for passwd/group
and then finally "net ads join -U administrator -d5" fails with:
Host account for PROCESSING does not have service principal names.
Retrieving the servicePrincipalNames failed.
getaddrinfo: No address associated with hostname
kerberos_secrets_store_des_salt: Storing salt "host/processing.SAMBA.COMPANY.COM@xxxxxxxxxxxxxxxxx"
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
smb_krb5_kt_open failed (Key table name malformed)
ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name : NULL
        netbios_domain_name : 'WRKGRP'
        dns_domain_name : 'SAMBA.COMPANY.COM'
        forest_name : 'SAMBA.COMPANY.COM'
        dn : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
        domain_sid : *
            domain_sid : S-1-5-21-92843450-981953634-869174549
        modified_config : 0x00 (0)
        error_string : 'failed to create kerberos keytab'
        domain_is_ad : 0x01 (1)
        set_encryption_types : 0x00000000 (0)
        result : WERR_GEN_FAILURE
Failed to join domain: failed to create kerberos keytab
return code = -1
The file /etc/krb5.keytab is NOT created. (I thought it should be
created automatically on AD join.)
When I ignore that and simply start winbind, the effect is that "wbinfo
-u", "wbinfo -g", "id username" all work.
However: "getent passwd" does NOT work correctly:
The uid/gid IS taken from AD, but home directory and shell are NOT the
ones defined in AD. (making it look like the old samba 4.1 situation,
where winbind took uid/gid from AD, but shell / home directory were from
I will paste the smb.conf below. For the rest: our AD appears to be
The smb.conf of the domain member server:
root@processing:/etc/samba# cat smb.conf
netbios name = processing
workgroup = WRKGRP
security = ADS
realm = SAMBA.COMPANY.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config *:backend = tdb
idmap config *:range = 1000000-1000999
idmap config WRKGRP:backend = ad
idmap config WRKGRP:schema_mode = rfc2307
idmap config WRKGRP:range = 500-999999
winbind nss info = rfc2307
I have NO idea where to look... Suggestions?