Web lists-archives.com

Re: [Samba] Key table name malformed




Hoi Louis,

The thing is that the keytab is not generated! That is the issue at hand. The join appears to have succeeded:

root@processing:~#  net ads testjoin
Join is OK
root@processing:~#

However no keytab is generated during join, despite having in the domain member smb.conf:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

And the reason why it's not generated:

smb_krb5_kt_open failed (Key table name malformed)
ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'WRKGRP'
            dns_domain_name          : 'SAMBA.COMPANY.COM'
            forest_name              : 'SAMBA.COMPANY.COM'
            dn                       : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
            domain_sid               : *
                domain_sid               : S-1-5-21-92843450-981953634-869174549
            modified_config          : 0x00 (0)
            error_string             : 'failed to create kerberos keytab'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            result                   : WERR_GEN_FAILURE
Failed to join domain: failed to create kerberos keytab
return code = -1

More inline:

On 04/05/2017 09:25 AM, L.P.H. van Belle via samba wrote:
This looks all good.
Only one thing in the config, you can remove :
winbind nss info = rfc2307
Yes, this remained from before I discovered the 4.6.x option
 "idmap config WRKGRP:unix_nss_info = yes"

Can you check the content of the keytab? klist -ke /etc/krb5.keytab
post ( if needed anonymized ) the content you see.
There is no keytab! :-(

And did you by accident run : net ads join , multiple times on this server?
Yes, but the first time exactly this occured already. I tried a few times again. I even tried a complete fresh installation.


Looks to me there is something with net ads keytab going on.
Yes, exactly. It's not there, and it's not created.

Anyway ideas why that could be?

The error seems pretty low-level and frightening:

smb_krb5_kt_open failed (Key table name malformed)

MJ

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba