Hi,
You can do the following.
Log in on the DC as root.
kinit Administrator
samba-tool spn add HTTP/hostname.your.domain.tld HOSTNAME$
(optional if needed: samba-tool spn add HTTP/hostname HOSTNAME$ )
Now on the member.
mv /etc/krb5.keytab /etc/krb5.keytab.backup
net ads keytab create -Uadministrator
If that does not work, this is a bit dirty, but it also works.
net ads join -Uadministrator
And yes, a "re-join again"; strange, but it gives a different keytab,
it does not change anything in the current setup/settings.
But it does recreate your keytab file.
And check the keytab again for the new entries.
klist -ke /etc/krb5.keytab
Restart samba/winbind
This works fine for me. (Samba 4.5.3)
And this is a must-have in your smb.conf
# renew the kerberos ticket
winbind refresh tickets = yes
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Maciej Piechotka via samba
> Sent: Thursday, 19 January 2017 21:14
> To: samba at lists.samba.org
> Subject: [Samba] net ads keytab add has no visible effects
>
> When I issue command 'net ads keytab add HTTP' I got a message
> 'Processing principals to add...' but nothing else happens - no change
> in keytab, net ads keytab list output, no errors in log etc.
>
> [Global]
> netbios name = HOSTNAME
> workgroup = DOMAIN
> realm = DOMAIN
> server string = %h Gentoo DT
> security = ads
> auth methods = sam winbind
> encrypt passwords = yes
> kerberos method = system keytab
>
> preferred master = no
> dns proxy = no
> wins support = no
>
> inherit acls = Yes
> map acl inherit = Yes
> acl group control = yes
>
> load printers = no
> debug level = 3
> use sendfile = no
>
> log level = 10
>
> strict allocate = yes
>
> acl allow execute always = True
> username map = /etc/samba/usermap.txt
>
>
> [libdefaults]
> default_realm = DOMAIN
> clockskew = 300
> ticket_lifetime = 3d
> renew_lifetime = 7d
> forwardable = true
> proxiable = true
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> [realms]
> DOMAIN = {
> default_domain = DOMAIN
> auth_to_local = RULE:[1:$1@$0](^.*@DOMAIN$)s/@DOMAIN/@domain/
> }
>
> [domain_realm]
> .kerberos.server = DOMAIN
> .domain = DOMAIN
> domain = DOMAIN
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = false
> }
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> Any idea what may be wrong?
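
The "check the keytab again for the new entries" step from the reply above, as an added example that is not part of the original mails: a small shell function that reads `klist -ke` output and reports whether each expected service principal is present, with its KVNO and encryption types. It assumes the MIT `klist -ke` column layout; the function name `check_keytab`, the realm YOUR.DOMAIN.TLD and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes MIT Kerberos `klist -ke` layout:
#   "<kvno> <principal>@<REALM> (<enctype>)"

# Constructed sample of `klist -ke /etc/krb5.keytab` output after the SPN was
# added on the DC and the keytab was recreated on the member.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.your.domain.tld@YOUR.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 host/hostname.your.domain.tld@YOUR.DOMAIN.TLD (arcfour-hmac)
   2 HTTP/hostname.your.domain.tld@YOUR.DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 HTTP/hostname.your.domain.tld@YOUR.DOMAIN.TLD (arcfour-hmac)
   2 HOSTNAME$@YOUR.DOMAIN.TLD (aes256-cts-hmac-sha1-96)'

# check_keytab KLIST_OUTPUT SPN...
# Prints "OK <spn> kvno=<n> enctypes=<a,b>" or "MISSING <spn>" for each SPN.
# Returns 1 if at least one SPN has no keytab entry.
check_keytab() {
    listing=$1; shift
    rc=0
    for spn in "$@"; do
        found=$(printf '%s\n' "$listing" | awk -v spn="$spn" '
            BEGIN { kvno = -1 }
            # Entry lines start with a numeric KVNO; header lines do not.
            $1 ~ /^[0-9]+$/ && $2 == spn {
                enc = $3; gsub(/[()]/, "", enc)
                if ($1 + 0 > kvno) kvno = $1 + 0      # keep the highest KVNO
                list = (list == "" ? enc : list "," enc)
            }
            END { if (list != "") printf "kvno=%s enctypes=%s", kvno, list }')
        if [ -n "$found" ]; then
            echo "OK $spn $found"
        else
            echo "MISSING $spn"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed listing. On a real member, pass the live output:
#   check_keytab "$(klist -ke /etc/krb5.keytab)" "HTTP/...@REALM"
check_keytab "$SAMPLE_KLIST" \
    "HTTP/hostname.your.domain.tld@YOUR.DOMAIN.TLD" \
    "HTTP/hostname@YOUR.DOMAIN.TLD" || echo "keytab is missing expected entries"
```

The match is on the full principal including the realm, so a short-name SPN that was never added on the DC shows up as MISSING rather than being masked by the FQDN entry.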