Hi Mourik-Jan,

This looks all good. Only one thing in the config, you can remove:

    winbind nss info = rfc2307

since you already set (for 4.6.x):

    idmap config INTECH:unix_nss_info = yes

Can you check the content of the keytab?

    klist -ke /etc/krb5.keytab

Post (if needed, anonymized) the content you see.

Run:

    net ads keytab list -UAdministrator

And did you by accident run "net ads join" multiple times on this server?

About the realm in caps or not, to my belief that's no problem in Samba. But to be sure, I would recommend everything in caps.

Looks to me there is something with net ads keytab going on. I'll go test a bit more here also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Wednesday 5 April 2017 8:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] Key table name malformed
>
> Hi Louis,
>
> On 04/05/2017 07:51 AM, L.P.H. van Belle via samba wrote:
> > Yes, post the complete smb.conf.. and what OS you're running.
> > Then we can have a better look at what's going on.
> >
> > Greetz,
> >
> > Louis
>
> Here is the smb.conf for the Debian 8.7 domain member server running
> samba 4.6.1:
>
> > root at processing:~# cd /etc/samba/
> > root at processing:/etc/samba# cat smb.conf
> > [global]
> >
> >         netbios name = processing
> >         workgroup = WKRGRP
> >         security = ADS
> >         realm = SAMBA.COMPANY.COM
> >
> >         dedicated keytab file = /etc/krb5.keytab
> >         kerberos method = secrets and keytab
> >         winbind refresh tickets = yes
> >         winbind use default domain = yes
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >
> >         idmap config *:backend = tdb
> >         idmap config *:range = 1000000-1000999
> >         idmap config INTECH:backend = ad
> >         idmap config INTECH:schema_mode = rfc2307
> >         idmap config INTECH:range = 500-999999
> >         idmap config INTECH:unix_nss_info = yes
> >
> >         winbind nss info = rfc2307
> >
> >         log level = 3
>
> Here is smb.conf for the DC2, running samba 4.5.6 on Debian 7.11:
>
> > root at DC2:~# cat /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >         workgroup = WKRGRP
> >         realm = samba.company.com
> >         netbios name = DC2
> >         server role = active directory domain controller
> >         dns forwarder = 192.65.132.5
> >         allow dns updates = nonsecure
> >
> >         server signing = mandatory
> >         ntlm auth = yes
> >         ldap server require strong auth = no
> >         printing = bsd
> >         log level = 3
> >         idmap_ldb:use rfc2307 = yes
> >
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol/samba.company.com/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >         acl_xattr:ignore system acls = yes
>
> This domain seems to be mostly running fine for some years, ever since
> samba 4.1.16 or so.
>
> I realise that my realm on the DC is written in lower case. However
> testparm shows it uppercase, and everything has always been running good,
> that's why I was afraid to change it to capitals. It's lower case ONLY in
> the smb.conf on the three DCs. Everywhere else in caps.
>
> Ideas?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi Louis,

The thing is that the keytab is not generated! That is the issue at hand. The join appears to have succeeded:

> root at processing:~# net ads testjoin
> Join is OK
> root at processing:~#

However no keytab is generated during join, despite having in the domain member smb.conf:

> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab

And the reason why it's not generated:

> smb_krb5_kt_open failed (Key table name malformed)
> ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
> libnet_Join:
>     libnet_JoinCtx: struct libnet_JoinCtx
>         out: struct libnet_JoinCtx
>             account_name             : NULL
>             netbios_domain_name      : 'WRKGRP'
>             dns_domain_name          : 'SAMBA.COMPANY.COM'
>             forest_name              : 'SAMBA.COMPANY.COM'
>             dn                       : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
>             domain_sid               : *
>                 domain_sid           : S-1-5-21-92843450-981953634-869174549
>             modified_config          : 0x00 (0)
>             error_string             : 'failed to create kerberos keytab'
>             domain_is_ad             : 0x01 (1)
>             set_encryption_types     : 0x00000000 (0)
>             result                   : WERR_GEN_FAILURE
> Failed to join domain: failed to create kerberos keytab
> return code = -1

More inline:

On 04/05/2017 09:25 AM, L.P.H. van Belle via samba wrote:
> This looks all good.
> Only one thing in the config, you can remove :
> winbind nss info = rfc2307

Yes, this remained from before I discovered the 4.6.x option "idmap config WRKGRP:unix_nss_info = yes".

> Can you check the content of the keytab? klist -ke /etc/krb5.keytab
> post ( if needed anonymized ) the content you see.

There is no keytab! :-(

> And did you by accident run : net ads join , multiple times on this server?

Yes, but the first time exactly this occurred already. I tried a few times again. I even tried a complete fresh installation.

> Looks to me there is something with net ads keytab going on.

Yes, exactly. It's not there, and it's not created.

Any ideas why that could be?

The error seems pretty low-level and frightening:

    smb_krb5_kt_open failed (Key table name malformed)

MJ
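The checks Louis asks for and the symptom MJ describes, turned into a small script a domain admin can run against a member server's smb.conf. This is an added example, not code from the thread or from Samba; the smb.conf parser and the "absolute path, optional FILE: prefix" rule it applies are this example's own assumptions, and the sample config it is tested against is constructed from the thread.

```shell
# Added example (not from the thread): configuration and keytab checks for a
# Samba AD domain member. Needs only sh, awk and, optionally, klist.

# Print the value of one [global] parameter (case-insensitive lookup).
smb_param() {  # $1 = smb.conf path, $2 = parameter name in lowercase
    awk -v key="$2" -F'=' '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && NF >= 2 {
            k = tolower($1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
            }
        }' "$1"
}

# A join only writes a system keytab when 'kerberos method' includes the keytab
# and 'dedicated keytab file' is an absolute path (FILE: prefix allowed; assumed
# rule). MJ's config passes this, so his failure is not a config error.
check_keytab_config() {  # $1 = smb.conf path
    method=$(smb_param "$1" "kerberos method")
    ktfile=$(smb_param "$1" "dedicated keytab file")
    case "$method" in
        *keytab*) ;;
        *) echo "kerberos method='$method' does not write a keytab"; return 1 ;;
    esac
    case "$ktfile" in
        /*|FILE:/*) ;;
        "") echo "dedicated keytab file is not set"; return 1 ;;
        *) echo "dedicated keytab file='$ktfile' is not an absolute path"; return 1 ;;
    esac
    echo "keytab config ok: method='$method' file='$ktfile'"
}

# Louis' point: 'winbind nss info = rfc2307' is redundant once
# 'idmap config DOMAIN:unix_nss_info = yes' is set. Returns 0 if both appear.
redundant_nss_info() {  # $1 = smb.conf path, $2 = idmap domain name
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$(smb_param "$1" "winbind nss info")" = "rfc2307" ] &&
        [ "$(smb_param "$1" "idmap config $dom:unix_nss_info")" = "yes" ]
}

# MJ's symptom: 'net ads testjoin' says OK but no keytab exists. Returns 1
# when the configured keytab is missing/empty, else lists it with klist -ke.
check_keytab_file() {  # $1 = smb.conf path
    ktfile=$(smb_param "$1" "dedicated keytab file"); ktfile=${ktfile#FILE:}
    [ -s "$ktfile" ] || { echo "keytab '$ktfile' missing or empty"; return 1; }
    command -v klist >/dev/null 2>&1 && klist -ke "$ktfile"
    return 0
}
```

Run the three check functions with the real /etc/samba/smb.conf after "net ads join"; a failing check_keytab_file together with a passing check_keytab_config is exactly the state MJ reports.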
Hm strange, I don't see it.

Can you upgrade to 4.6.2? See if that helps.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Wednesday 5 April 2017 9:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Key table name malformed
>
> Hi Louis,
>
> The thing is that the keytab is not generated! That is the issue at
> hand. The join appears to have succeeded:
>
> > root at processing:~# net ads testjoin
> > Join is OK
> > root at processing:~#
>
> However no keytab is generated during join, despite having in the domain
> member smb.conf:
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
>
> And the reason why it's not generated:
>
> > smb_krb5_kt_open failed (Key table name malformed)
> > ads_keytab_add_entry failed while adding 'HOST/PROCESSING' principal.
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         out: struct libnet_JoinCtx
> >             account_name             : NULL
> >             netbios_domain_name      : 'WRKGRP'
> >             dns_domain_name          : 'SAMBA.COMPANY.COM'
> >             forest_name              : 'SAMBA.COMPANY.COM'
> >             dn                       : 'CN=PROCESSING,CN=Computers,DC=samba,DC=company,DC=com'
> >             domain_sid               : *
> >                 domain_sid           : S-1-5-21-92843450-981953634-869174549
> >             modified_config          : 0x00 (0)
> >             error_string             : 'failed to create kerberos keytab'
> >             domain_is_ad             : 0x01 (1)
> >             set_encryption_types     : 0x00000000 (0)
> >             result                   : WERR_GEN_FAILURE
> > Failed to join domain: failed to create kerberos keytab
> > return code = -1
>
> More inline:
>
> On 04/05/2017 09:25 AM, L.P.H. van Belle via samba wrote:
> > This looks all good.
> > Only one thing in the config, you can remove :
> > winbind nss info = rfc2307
> Yes, this remained from before I discovered the 4.6.x option
> "idmap config WRKGRP:unix_nss_info = yes"
>
> > Can you check the content of the keytab? klist -ke /etc/krb5.keytab
> > post ( if needed anonymized ) the content you see.
> There is no keytab! :-(
>
> > And did you by accident run : net ads join , multiple times on this
> server?
> Yes, but the first time exactly this occurred already. I tried a few
> times again. I even tried a complete fresh installation.
>
> > Looks to me there is something with net ads keytab going on.
> Yes, exactly. It's not there, and it's not created.
>
> Any ideas why that could be?
>
> The error seems pretty low-level and frightening:
>
> smb_krb5_kt_open failed (Key table name malformed)
>
> MJ
Hi all,

I have just tried with a fresh install and samba 4.5.7 on the domain member server: and it worked!

The domain join succeeded, and krb5.keytab IS created.

So what is going on here?

MJ
MJ,

I put some extra info on this for the list.

This is a new Debian Jessie install with sernet samba packages. The keytab file is not created with the sernet 4.6.1 packages, but it is with the sernet 4.5.7 samba packages.

The bug list shows some keytab bugs reported, but I don't see any related to this:

https://bugzilla.samba.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&field0-0-0=product&field0-0-1=component&field0-0-2=alias&field0-0-3=short_desc&field0-0-4=status_whiteboard&field0-0-5=content&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&query_based_on=&query_format=advanced&type0-0-0=substring&type0-0-1=substring&type0-0-2=substring&type0-0-3=substring&type0-0-4=substring&type0-0-5=matches&value0-0-0=keytab&value0-0-1=keytab&value0-0-2=keytab&value0-0-3=keytab&value0-0-4=keytab&value0-0-5=%22keytab%22

Except this one, which looks a bit like this problem:

https://bugzilla.samba.org/show_bug.cgi?id=11701

So, anyone any ideas for MJ?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Wednesday 5 April 2017 10:49
> To: samba at lists.samba.org
> Subject: Re: [Samba] Key table name malformed
>
> Hi all,
>
> I have just tried with a fresh install and samba 4.5.7 on the domain
> member server: and it worked!
>
> The domain join succeeded, and krb5.keytab IS created.
>
> So what is going on here?
>
> MJ