Web lists-archives.com

[Samba] Key table name malformed




Hi,

We are having an issue, trying to install a domain member server.

I'm following the samba wiki:
- samba 4.6.1
- krb5.conf as recommended on wiki
- time synced
- kinit works
- dns works (DCs in resolv.conf)
- setup a basic smb.conf (pasted at the end of this email)
- edit nsswitch.conf to include winbind for passwd/group
and then finally "net ads join -U administrator -d5" fails with:

...
...(snipped)
...
Host account for PROCESSING does not have service principal names.
Retrieving the servicePrincipalNames failed.
getaddrinfo: No address associated with hostname
ads_domain_func_level: 2
ads_domain_func_level: 2
kerberos_secrets_store_des_salt: Storing salt "host/processing.SAMBA.COMPANY.COM@xxxxxxxxxxxxxxxxx"
check lock order 1 for /var/lib/samba/private/secrets.tdb
release lock order 1 for /var/lib/samba/private/secrets.tdb
smb_krb5_kt_open failed (Key table name malformed)
ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'WRKGRP'
            dns_domain_name          : 'SAMBA.COMPANY.COM'
            forest_name              : 'SAMBA.COMPANY.COM'
            dn                       : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
            domain_sid               : *
                domain_sid               : S-1-5-21-92843450-981953634-869174549
            modified_config          : 0x00 (0)
            error_string             : 'failed to create kerberos keytab'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            result                   : WERR_GEN_FAILURE
Failed to join domain: failed to create kerberos keytab
return code = -1

The file /etc/krb5.keytab is NOT created. (I thought it should be created automatically on AD join)

When I ignore that and simply start winbind, the effect is that "wbinfo -u", "wbinfo -g", "id username" all work.

However: "getent passwd" does NOT work correctly:

user1:*:22185:513::/home/WRKGRP/user1:/bin/false
user2:*:29969:513::/home/WRKGRP/user2:/bin/false

The uid/gid IS taken from AD, but homedirectory and shell are NOT the ones defined in AD. (making it look like the old samba 4.1 situation, where winbind took uid/gid from AD, but shell / homedirectory were from a template)

I will paste the smb.conf below. For the rest: our AD appears to be working correctly...

The smb.conf of the domain member server:
root@processing:/etc/samba# cat smb.conf
[global]

netbios name = processing
workgroup = WRKGRP
security = ADS
realm = SAMBA.COMPANY.COM

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

idmap config *:backend = tdb
idmap config *:range = 1000000-1000999
idmap config WRKGRP:backend = ad
idmap config WRKGRP:schema_mode = rfc2307
idmap config WRKGRP:range = 500-999999

winbind nss info = rfc2307

I have NO idea where to look... Suggestions?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba