On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> Hello dear list,
>
> I have a Samba instance running, users can access the share.
> On the client (name: computer01), the share is connected via
> net use x: \\samba01\share01
>
> But often I see in the log
> "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> But this is a computer account and not known on the server.
>
> Does anybody have any clue why such requests are coming from
> the client?

No, because posting parts of a log without the context doesn't help.

> Here the config:
> Samba version is "4.6.16" - I know, it is an "ancient" version, but
> it's the version from the current Enterprise-Server SLES12 from SuSE
>
> [global]
>
> # prim. Server Config
> server string = samba01
> server min protocol = SMB2
> ntlm auth = no
> lanman auth = no
> map to guest = Bad User
> deadtime = 600
> os level = 1
>
> # Active Directory Config
> security = ADS
> realm = ADDOMAIN.NET
> workgroup = ADDOMAIN
> encrypt passwords = yes
> password server = *
> kerberos encryption types = strong
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5.keytab
> allow trusted domains = No
>
> # local smb client config
> client signing = auto
> client use spnego = yes
> client lanman auth = no
> client NTLMv2 auth = no
> client schannel = yes
>
> # Winbindd
> winbind separator = /
> winbind cache time = 600
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000

Is sssd installed ? I would expect 'idmap config ADDOMAIN' lines.

rowland
On Wed, 1 Sept 2021 at 11:38, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> > Hello dear list,
> >
> > I have a Samba instance running, users can access the share.
> > On the client (name: computer01), the share is connected via
> > net use x: \\samba01\share01
> >
> > But often I see in the log
> > "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> > But this is a computer account and not known on the server.
> >
> > Does anybody have any clue why such requests are coming from
> > the client?
>
> No, because posting parts of a log without the context doesn't help.

Which context is needed? The client is a Windows 10 client.
I turned logging for all to "9". Can you please guide me, what class and what level?

Here a few lines around ...

[2021/08/31 14:15:45.713335, 3] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: CLIENT01$ [CLIENT01$]
[2021/08/31 14:15:45.713357, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
[2021/08/31 14:15:45.713375, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user ADDOMAIN/CLIENT01$
[2021/08/31 14:15:45.713387, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is addomain/client01$
[2021/08/31 14:15:45.713399, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [ADDOMAIN/CLIENT01$]!

> > Here the config:
> > Samba version is "4.6.16" - I know, it is an "ancient" version, but
> > it's the version from the current Enterprise-Server SLES12 from SuSE
> >
> > [global]
> >
> > # prim. Server Config
> > server string = samba01
> > server min protocol = SMB2
> > ntlm auth = no
> > lanman auth = no
> > map to guest = Bad User
> > deadtime = 600
> > os level = 1
> >
> > # Active Directory Config
> > security = ADS
> > realm = ADDOMAIN.NET
> > workgroup = ADDOMAIN
> > encrypt passwords = yes
> > password server = *
> > kerberos encryption types = strong
> > kerberos method = dedicated keytab
> > dedicated keytab file = /etc/krb5.keytab
> > allow trusted domains = No
> >
> > # local smb client config
> > client signing = auto
> > client use spnego = yes
> > client lanman auth = no
> > client NTLMv2 auth = no
> > client schannel = yes
> >
> > # Winbindd
> > winbind separator = /
> > winbind cache time = 600
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-20000
>
> Is sssd installed ? I would expect 'idmap config ADDOMAIN' lines.

I use winbindd and in /etc/nsswitch.conf the two lines

passwd: files winbind
group: files winbind
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Meike Stone via samba
> Sent: Wednesday, 1 September 2021 14:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Principal is a computer account - why
>
> On Wed, 1 Sept 2021 at 11:38, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> > > Hello dear list,
> > >
> > > I have a Samba instance running, users can access the share.
> > > On the client (name: computer01), the share is connected via
> > > net use x: \\samba01\share01
> > >
> > > But often I see in the log
> > > "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> > > But this is a computer account and not known on the server.
> > >

A computer account, of a domain-joined computer, is basically a user account with $ behind it.
And Kerberos specifies that authentication comes from a known machine with a timestamp that matches the authentication server (domain controller).
The computer password is how AD ensures that the machine is known. It's not available to the user.

I don't see anything wrong in this log part.

But you might want to clean up your smb.conf. That's one where I saw a few things, as did Rowland.
In general, less is better in smb.conf.

Greetz,

Louis
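As an added example (not part of the thread, and not Samba project code), the script below does two things the replies above talk about: it reads the "Kerberos ticket principal name is [...]" lines from a Samba log excerpt and labels each principal as a machine account (trailing "$", as Louis explains) or a user account, and it checks an smb.conf [global] fragment for the per-domain "idmap config ADDOMAIN" lines Rowland expected, plus overlapping idmap ranges. The log excerpt and both smb.conf fragments are constructed for the example; the "rid" backend and the 100000-999999 range in the second fragment are assumptions, not a recommendation from the thread.

```python
"""Added example (not from the thread): label Kerberos principals found in Samba
log lines and check an smb.conf fragment for per-domain idmap configuration.
All sample data below is constructed; backend/range values are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
[2021/08/31 14:15:45.713357, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [CLIENT01$@ADDOMAIN.NET]
[2021/08/31 14:16:02.000001, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [alice@ADDOMAIN.NET]
"""

PRINCIPAL_RE = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")


def classify_principal(principal: str) -> Tuple[str, str, str]:
    """Split 'name@REALM'; a trailing '$' marks an AD computer account."""
    name, _, realm = principal.partition("@")
    kind = "machine" if name.endswith("$") else "user"
    return name, realm, kind


def principals_from_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, realm, kind) for every principal line in a log excerpt."""
    return [classify_principal(m.group(1)) for m in PRINCIPAL_RE.finditer(text)]


# Constructed smb.conf fragments: the poster's idmap lines, then the same lines
# with an assumed per-domain block added ('rid' backend and range are assumptions).
POSTED_CONF = """\
[global]
security = ADS
realm = ADDOMAIN.NET
workgroup = ADDOMAIN
idmap config * : backend = tdb
idmap config * : range = 10000-20000
"""

WITH_DOMAIN_CONF = POSTED_CONF + """\
idmap config ADDOMAIN : backend = rid
idmap config ADDOMAIN : range = 100000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.MULTILINE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain> : <option> = <value>' lines per domain."""
    idmap: Dict[str, Dict[str, str]] = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        idmap.setdefault(dom.upper(), {})[opt.lower()] = val
    return idmap


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'low-high' into a pair of ints."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def idmap_findings(conf: str, domain: str) -> List[str]:
    """Report a missing per-domain idmap block and any overlapping id ranges."""
    idmap = parse_idmap(conf)
    findings: List[str] = []
    if domain.upper() not in idmap:
        findings.append(
            f"no 'idmap config {domain}' lines: domain SIDs fall back to the '*' "
            "tdb range, whose allocations are first-come and differ between servers")
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings


if __name__ == "__main__":
    for name, realm, kind in principals_from_log(SAMPLE_LOG):
        print(f"{kind:7s} {name}@{realm}")
    for label, conf in (("posted", POSTED_CONF), ("with domain", WITH_DOMAIN_CONF)):
        print(label, idmap_findings(conf, "ADDOMAIN") or ["ok"])
```

Run against a real log (`log level = 3` is enough for the principal lines) the machine/user split shows at a glance whether the "$" principals are only the expected domain-joined clients; the idmap check only reads the options named in the thread, so any other "idmap config" keys are ignored rather than validated.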