shacky
2018-May-11 15:40 UTC
[Samba] smb_krb5_open_keytab failed (Key table name malformed)
Hi.

I joined a fileserver system with Samba version 4.5.12-Debian (fileserv) in an Active Directory domain managed by a Samba 4.6.7-Ubuntu installed on another system using "realm discover" and sssd.

The Samba fileserver is correctly joined into the domain and I can correctly browse AD users:

root@fileserv:/# getent passwd my.user
my.user:*:1616401116:1616400513:Me:/home/domain.com/users/my.user:/bin/bash

The keytab file is correctly created:

root@fileserv:/# ls -l /etc/krb5.*
-rw-r--r-- 1 root root 2794 May 11 17:32 /etc/krb5.conf
-rw------- 1 root root 2208 May 11 16:18 /etc/krb5.keytab

The problem is that I cannot browse my Samba server from a Windows 10 client joined in the same Active Directory domain with a valid user.
When I try to access \\fileserv from the Windows client I get these errors on the Samba server:

========== 8< =========
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.181182, 1] ../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]: ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.183815, 1] ../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]: ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab - -1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.184747, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]: Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.189970, 1] ../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]: ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.190017, 1] ../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]: ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab - -1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.190045, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]: Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193404, 1] ../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:30 fileserv smbd[3634]: ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key table name malformed)
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193442, 1] ../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:30 fileserv smbd[3634]: ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab - -1765328205
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.193528, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:30 fileserv smbd[3634]: Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196100, 1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:30 fileserv smbd[3634]: WARNING: The "syslog" option is deprecated
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196142, 1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:30 fileserv smbd[3634]: WARNING: The "syslog only" option is deprecated
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196463, 2] ../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:30 fileserv smbd[3634]: Processing section "[users]"
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.196656, 2] ../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:30 fileserv smbd[3634]: Processing section "[homes]"
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.939713, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:30 fileserv smbd[3634]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:30 fileserv smbd[3634]: [2018/05/11 17:10:30.941271, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:30 fileserv smbd[3634]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.286683, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:31 fileserv smbd[3634]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.288762, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:31 fileserv smbd[3634]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.591901, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:31 fileserv smbd[3634]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.593663, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:31 fileserv smbd[3634]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595626, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
May 11 17:10:31 fileserv smbd[3634]: domain_client_validate: Domain password server not available.
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595666, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
May 11 17:10:31 fileserv smbd[3634]: check_ntlm_password: Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:31 fileserv smbd[3634]: [2018/05/11 17:10:31.595697, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
May 11 17:10:31 fileserv smbd[3634]: SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.610553, 1] ../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:31 fileserv smbd[3635]: ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key table name malformed)
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.611895, 1] ../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:31 fileserv smbd[3635]: ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab - -1765328205
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.613109, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:31 fileserv smbd[3635]: Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615785, 1] ../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:31 fileserv smbd[3635]: ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key table name malformed)
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615827, 1] ../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:31 fileserv smbd[3635]: ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab - -1765328205
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.615855, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:31 fileserv smbd[3635]: Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.619932, 1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:31 fileserv smbd[3635]: WARNING: The "syslog" option is deprecated
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.619981, 1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
May 11 17:10:31 fileserv smbd[3635]: WARNING: The "syslog only" option is deprecated
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.620318, 2] ../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:31 fileserv smbd[3635]: Processing section "[users]"
May 11 17:10:31 fileserv smbd[3635]: [2018/05/11 17:10:31.620537, 2] ../source3/param/loadparm.c:2685(lp_do_section)
May 11 17:10:31 fileserv smbd[3635]: Processing section "[homes]"
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.312237, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.313774, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.661837, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.663374, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.972733, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
May 11 17:10:32 fileserv smbd[3635]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.974661, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
May 11 17:10:32 fileserv smbd[3635]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.DOMAIN.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.976779, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
May 11 17:10:32 fileserv smbd[3635]: domain_client_validate: Domain password server not available.
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.977536, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
May 11 17:10:32 fileserv smbd[3635]: check_ntlm_password: Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:32 fileserv smbd[3635]: [2018/05/11 17:10:32.977575, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
May 11 17:10:32 fileserv smbd[3635]: SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.028424, 2] ../source3/smbd/reply.c:705(reply_special)
May 11 17:10:34 fileserv smbd[3637]: netbios connect: name1=FILESERV 0x20 name2=WIN10-TEST 0x0
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.030869, 2] ../source3/smbd/reply.c:746(reply_special)
May 11 17:10:34 fileserv smbd[3637]: netbios connect: local=fileserv remote=win10-test, name type = 0
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.036486, 1] ../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:34 fileserv smbd[3637]: ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key table name malformed)
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.037810, 1] ../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:34 fileserv smbd[3637]: ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab - -1765328205
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.039122, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:34 fileserv smbd[3637]: Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041181, 1] ../source3/librpc/crypto/gse_krb5.c:542(fill_mem_keytab_from_dedicated_keytab)
May 11 17:10:34 fileserv smbd[3637]: ../source3/librpc/crypto/gse_krb5.c:542: smb_krb5_open_keytab failed (Key table name malformed)
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041236, 1] ../source3/librpc/crypto/gse_krb5.c:635(gse_krb5_get_server_keytab)
May 11 17:10:34 fileserv smbd[3637]: ../source3/librpc/crypto/gse_krb5.c:635: Error! Unable to set mem keytab - -1765328205
May 11 17:10:34 fileserv smbd[3637]: [2018/05/11 17:10:34.041264, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
May 11 17:10:34 fileserv smbd[3637]: Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
========== 8< =========

This is my Samba server configuration:

========== 8< =========
#======================= Global Settings ======================
[global]
workgroup = DOMAIN
server string = File Server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
password server = server-z1.domain.com
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/krb5.keytab
kerberos method = dedicated keytab
security = ads
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/domain.com/users/%U
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
========== 8< =========

Could you help me please?

Thank you very much!
Bye
Rowland Penny
2018-May-11 16:13 UTC
[Samba] smb_krb5_open_keytab failed (Key table name malformed)
On Fri, 11 May 2018 17:40:18 +0200
shacky via samba <samba at lists.samba.org> wrote:

> Hi.
>
> I joined a fileserver system with Samba version 4.5.12-Debian
> (fileserv) in an Active Directory domain managed by a Samba
> 4.6.7-Ubuntu installed on another system using "realm discover" and
> sssd.
>

> This is my Samba server configuration:
>
> [global]
> socket options = TCP_NODELAY IPTOS_LOWDELAY

'socket options' appears twice, not bad for something you should leave
to the kernel ;-)

> password server = server-z1.domain.com

You should remove this and allow Samba to find the DC.

> dedicated keytab file = FILE:/etc/krb5.keytab

It should be just '/etc/krb5.keytab', remove 'FILE:'

> kerberos method = dedicated keytab

I would suggest changing this to 'secrets and keytab'

If these changes do not help, try asking on the sssd-users mailing
list, neither sssd or realmd have anything to do with Samba.

Rowland
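
The four points raised in the reply above can be checked mechanically before restarting smbd. The following Python sketch is an added example, not part of the thread and not Samba code; the function names, the finding codes and the embedded sample (the relevant lines of the posted configuration) are constructed for illustration.

```python
import re

# Constructed sample: the [global] lines of the posted smb.conf that the reply comments on.
SAMPLE_CONF = """\
[global]
workgroup = DOMAIN
socket options = TCP_NODELAY IPTOS_LOWDELAY
password server = server-z1.domain.com
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/krb5.keytab
kerberos method = dedicated keytab
security = ads
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
"""


def parse_global(text):
    """Map each [global] parameter to its list of (line number, value) pairs."""
    params, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # smb.conf names are case-insensitive and whitespace in them is ignored.
        key = re.sub(r"\s+", "", name).lower()
        params.setdefault(key, []).append((lineno, value.strip()))
    return params


def review(text):
    """Return sorted (line, code, message) findings for the reply's four points."""
    params = parse_global(text)
    findings = []

    def current(key):
        # Last occurrence of a parameter, or (None, "") when it is not set.
        return params[key][-1] if key in params else (None, "")

    for key, seen in params.items():
        if len(seen) > 1:
            lines = ", ".join(str(n) for n, _ in seen)
            findings.append((seen[-1][0], "duplicate", f"'{key}' set on lines {lines}"))

    line, keytab = current("dedicatedkeytabfile")
    if re.match(r"[A-Za-z]+:", keytab):
        findings.append((line, "keytab-prefix", f"use a plain path, not '{keytab}'"))

    line, method = current("kerberosmethod")
    if method.lower() == "dedicated keytab":
        findings.append((line, "kerberos-method", "reply suggests 'secrets and keytab'"))

    line, server = current("passwordserver")
    # '*' is the smb.conf default and already means "locate the DC automatically".
    if server not in ("", "*") and current("security")[1].lower() == "ads":
        findings.append((line, "password-server", "remove it so Samba finds the DC"))

    return sorted(findings)
```

Calling `review(SAMPLE_CONF)` reports the explicit `password server`, the `FILE:` prefix, the `dedicated keytab` method and the repeated `socket options`, each with its line number.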
shacky
2018-May-15 15:25 UTC
[Samba] smb_krb5_open_keytab failed (Key table name malformed)
Hi Rowland,

2018-05-11 18:13 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> 'socket options' appears twice, not bad for something you should leave
> to the kernel ;-)
>

You are right, thank you! :-)

> You should remove this and allow Samba to find the DC.
>

Ok:
password server = *

> It should be just '/etc/krb5.keytab', remove 'FILE:'
>

Ok:
dedicated keytab file = /etc/krb5.keytab

> I would suggest changing this to 'secrets and keytab'
>

Changed:
kerberos method = secrets and keytab

> If these changes do not help, try asking on the sssd-users mailing
> list, neither sssd or realmd have anything to do with Samba.
>

Unfortunately, it does not work.
Now I have these errors in syslog:

May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.610956, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.617631, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652613, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652658, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652690, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.653190, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13001]: PAM account restrictions prevent user [john.doe] login
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.668010, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13002]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.674384, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13002]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.696605, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.697795, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.698882, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.700591, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13002]: PAM account restrictions prevent user [john.doe] login

I will try asking the sssd-users mailing list.
Thank you very much for your help!