Hi!

I think I ran into the same problem. What I tried so far:

1)
* Adopt SPNs on the DC with samba-tool spn
* Create keytab on Member with net ads keytab create
* Result:
** klist and net ads keytab list on Member match
** samba-tool spn list on DC doesn't

2)
* Clear SPNs from Member via net ads keytab flush
* Result:
** net ads keytab list on Member is empty
** samba-tool spn list on DC is empty too

3)
* Create SPNs from Member via net ads keytab add
* Create keytab on Member with net ads keytab create
* Result:
** keytab and net ads list are matching on Member
** samba-tool spn list on DC is empty

4) ? Solution ?
* Flush SPNs from Member (net ads keytab flush)
* Adopt SPNs on DC (samba-tool spn)
* Create keytab on Member (net ads keytab create)
* Result:
** keytab, net ads list and samba-tool spn list are matching

Versions:
DC: samba 4.5.4 on Arch Linux
Member: samba 4.4.8 on FreeBSD

Is there any incompatibility, am I doing something wrong or is this a bug?

Regards,
Max

> Hai,
>
> You can do the following.
>
> Login on the DC as root.
> kinit Administrator
>
> samba-tool spn add HTTP/hostname.your.domain.tld HOSTNAME$
> (optional if needed: samba-tool spn add HTTP/hostname HOSTNAME$ )
>
> Now on the member.
> mv /etc/krb5.keytab /etc/krb5.keytab.backup
>
> net ads keytab create -Uadministrator
> If that does not work, this is a bit dirty but it works also:
> net ads join -Uadministrator
> And yes, a "re-join again"; strange, but it gives a different keytab.
> It does not change anything in the current setup/settings,
> but it does recreate your keytab file.
>
> And check the keytab again for the new entries.
> klist -ke /etc/krb5.keytab
>
> Restart samba/winbind
>
> This works fine for me. ( samba 4.5.3 )
>
> And this is a must have in your smb.conf
>
> # renew the kerberos ticket
> winbind refresh tickets = yes
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of MaciejPiechotka via samba
>> Sent: Thursday, 19 January 2017 21:14
>> To: samba at lists.samba.org
>> Subject: [Samba] net ads keytab add has no visible effects
>>
>> When I issue the command 'net ads keytab add HTTP' I get the message
>> 'Processing principals to add...' but nothing else happens - no change
>> in the keytab or in the net ads keytab list output, no errors in the log etc.
>>
>> [Global]
>> netbios name = HOSTNAME
>> workgroup = DOMAIN
>> realm = DOMAIN
>> server string = %h Gentoo DT
>> security = ads
>> auth methods = sam winbind
>> encrypt passwords = yes
>> kerberos method = system keytab
>>
>> preferred master = no
>> dns proxy = no
>> wins support = no
>>
>> inherit acls = Yes
>> map acl inherit = Yes
>> acl group control = yes
>>
>> load printers = no
>> debug level = 3
>> use sendfile = no
>>
>> log level = 10
>>
>> strict allocate = yes
>>
>> acl allow execute always = True
>> username map = /etc/samba/usermap.txt
>>
>>
>> [libdefaults]
>> default_realm = DOMAIN
>> clockskew = 300
>> ticket_lifetime = 3d
>> renew_lifetime = 7d
>> forwardable = true
>> proxiable = true
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>>
>> [realms]
>> DOMAIN = {
>> default_domain = DOMAIN
>> auth_to_local = RULE:[1:$1@$0](^.*@DOMAIN$)s/@DOMAIN/@domain/
>> }
>>
>> [domain_realm]
>> .kerberos.server = DOMAIN
>> .domain = DOMAIN
>> domain = DOMAIN
>>
>> [appdefaults]
>> pam = {
>> ticket_lifetime = 1d
>> renew_lifetime = 1d
>> forwardable = true
>> proxiable = false
>> retain_after_close = false
>> minimum_uid = 0
>> debug = false
>> }
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> Any idea what may be wrong?
On Sun, 26 Feb 2017 01:52:46 +0100
Max Ober via samba <samba at lists.samba.org> wrote:

> Hi!
>
> I think I ran into the same problem.

Can you post the smb.conf from the Unix Domain Member, plus what you get in the keytab and what you expect.

Rowland
On Sun, 26 Feb 2017 13:16:58 +0100
Maximilian Ober <n0942544 at students.meduniwien.ac.at> wrote:

> 1) Keytab after adding SPN on DC with samba-tool
> [locadm at dc ~]$ sudo samba-tool spn add NFS/member.ad-domain.mober.at member$
> $ sudo net ads keytab create -k -U Administrator
> $ sudo ktutil -k /etc/krb5.keytab list
> /etc/krb5.keytab:
> 2 des-cbc-crc nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT
> 2 des-cbc-md5 nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT
> 2 aes128-cts-hmac-sha1-96 nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT
> 2 des-cbc-crc nfs/MEMBER at AD-DOMAIN.MOBER.AT
> 2 des-cbc-md5 nfs/MEMBER at AD-DOMAIN.MOBER.AT
> 2 aes128-cts-hmac-sha1-96 nfs/MEMBER at AD-DOMAIN.MOBER.AT
> 2 aes256-cts-hmac-sha1-96 nfs/MEMBER at AD-DOMAIN.MOBER.AT
> 2 arcfour-hmac-md5 nfs/MEMBER at AD-DOMAIN.MOBER.AT
> 2 arcfour-hmac-md5 nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT
> 2 aes256-cts-hmac-sha1-96 nfs/member.ad-domain.mober.at at AD-DOMAIN.MOBER.AT
>
> Okay ... looks like this time it worked as expected on the first try.

You sure about that?
You used samba-tool to add the SPN with 'NFS', yet the SPNs are shown with 'nfs'.
This could just be down to using 'net' to create the keytab; try 'samba-tool domain exportkeytab /etc/krb5.keytab' instead.

> To try something:
>
> 2) Adding an SPN on Member with net ads keytab
> $ sudo net ads keytab add nfs/nas.site-a.mober.at at AD-DOMAIN.MOBER.AT -U Administrator
> $ sudo net ads keytab create -k -U Administrator
> $ sudo ktutil -k /etc/krb5.keytab list
> /etc/krb5.keytab:
>
> And there seems something missing again.

Not sure there is anything missing. You first use 'net' to add an SPN and everything seems okay; you then use samba-tool to list the SPNs for the Unix domain member. Perhaps if you ran 'samba-tool spn list --help' and read the second line, which says this:

List spns of a given user.

It might give you a hint ;-)

A computer account in AD is also a user.

I am fairly sure that if you were to examine the computer's object in AD, you will not find the SPN 'nfs/nas.site-a.mober.at at AD-DOMAIN.MOBER.AT'.

Rowland
> > Okay ... looks like this time it worked as expected on the first try.
>
> You sure about that?
> You used samba-tool to add the SPN with 'NFS', yet the SPNs are shown
> with 'nfs'.
> This could just be down to using 'net' to create the keytab; try
> 'samba-tool domain exportkeytab /etc/krb5.keytab' instead.

Since AD comes from the Windows world, I thought SPNs might not be case-sensitive and this shouldn't be a problem.

> > And there seems something missing again.
>
> Not sure there is anything missing. You first use 'net' to add an SPN
> and everything seems okay; you then use samba-tool to list the SPNs for
> the Unix domain member. Perhaps if you ran 'samba-tool spn list
> --help' and read the second line, which says this:
>
> List spns of a given user.
>
> It might give you a hint ;-)
>
> A computer account in AD is also a user.
>
> I am fairly sure that if you were to examine the computer's object in AD, you
> will not find the SPN 'nfs/nas.site-a.mober.at at AD-DOMAIN.MOBER.AT'.

Sorry, but I can't follow. I thought the user member$ represents the computer account of the machine member? And therefore samba-tool spn list member$ should list all SPNs of that computer? And I also thought "net ads" lets me do some things while working on the member that I otherwise would do with samba-tool on the DC. So to my understanding it should make no difference whether I use "net ads keytab add" on the member to add an SPN or use "samba-tool spn add" on the DC to do the same thing? Both should end up adding an SPN to the computer account, which I should be able to check with samba-tool spn list?

/Max
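The check this thread keeps circling around, written out as an added example that is not part of the thread or of Samba: compare the SPNs registered on the computer account (the `samba-tool spn list member$` output from the DC) with the service principals actually present in the member's keytab (`klist -ke` output), matching the way AD does (case-insensitively) while still reporting exact-case differences such as `NFS/` versus `nfs/`. Both captured outputs are constructed samples modelled on the thread's names and on the MIT `klist` layout; the principal `nfs/nas.site-a.mober.at` is the one added locally with `net ads keytab add`.

```python
import re

# Constructed sample of `klist -ke /etc/krb5.keytab` (MIT klist layout) on the
# member. One SPN repeats for a second enctype; MEMBER$ is the account principal.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/member.ad-domain.mober.at@AD-DOMAIN.MOBER.AT (aes256-cts-hmac-sha1-96)
   2 host/MEMBER@AD-DOMAIN.MOBER.AT (aes256-cts-hmac-sha1-96)
   2 MEMBER$@AD-DOMAIN.MOBER.AT (aes256-cts-hmac-sha1-96)
   2 nfs/member.ad-domain.mober.at@AD-DOMAIN.MOBER.AT (aes256-cts-hmac-sha1-96)
   2 nfs/member.ad-domain.mober.at@AD-DOMAIN.MOBER.AT (arcfour-hmac)
   2 nfs/nas.site-a.mober.at@AD-DOMAIN.MOBER.AT (aes256-cts-hmac-sha1-96)
"""

# Constructed sample of `samba-tool spn list member$` run on the DC.
SPN_LIST_OUTPUT = """User CN=MEMBER,CN=Computers,DC=ad-domain,DC=mober,DC=at has the following servicePrincipalName:
\t HOST/MEMBER
\t HOST/member.ad-domain.mober.at
\t NFS/member.ad-domain.mober.at
"""

def keytab_spns(klist_text):
    """service/host names from klist -ke output, realm and enctype stripped.
    Account principals (no '/') are skipped; one entry per enctype collapses."""
    pattern = re.compile(r"^\s*\d+\s+(\S+?/\S+?)@\S+")
    return {m.group(1) for m in map(pattern.match, klist_text.splitlines()) if m}

def ad_spns(spn_list_text):
    """SPNs from samba-tool spn list: the indented lines under the header."""
    return {ln.strip() for ln in spn_list_text.splitlines()
            if ln[:1].isspace() and "/" in ln}

def compare_spns(keytab, ad):
    """Match case-insensitively (as AD does), but report exact-case differences,
    which is how 'NFS/...' registered in AD shows up as 'nfs/...' in the keytab."""
    kt = {s.lower(): s for s in keytab}
    adm = {s.lower(): s for s in ad}
    only_keytab = sorted(kt[k] for k in kt.keys() - adm.keys())  # never reached AD
    only_ad = sorted(adm[k] for k in adm.keys() - kt.keys())     # no key on the member
    case_diff = sorted((kt[k], adm[k]) for k in kt.keys() & adm.keys() if kt[k] != adm[k])
    return only_keytab, only_ad, case_diff

if __name__ == "__main__":
    only_kt, only_ad, case_diff = compare_spns(keytab_spns(KLIST_OUTPUT), ad_spns(SPN_LIST_OUTPUT))
    print("in keytab but not registered in AD:", only_kt)
    print("registered in AD but absent from keytab:", only_ad)
    print("case differs (keytab, AD):", case_diff)
```

A service principal that appears only in the keytab is exactly the situation the thread describes: the KDC will never issue tickets for it, because the SPN was never written to the computer account in AD.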