Hello dear list,
I have a Samba instance running; users can access the share.
On the client (name: computer01), the share is connected via
net use x: \\samba01\share01
But often I see in the log
"Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
But this is a computer account and not known on the server.
Does anybody have any clue why such requests are coming from
the client?
Here the config:
Samba version is "4.6.16" - I know, it is an "ancient" version, but
it's the version from the current Enterprise-Server SLES12 from SuSE
[global]
# prim. Server Config
server string = samba01
server min protocol = SMB2
ntlm auth = no
lanman auth = no
map to guest = Bad User
deadtime = 600
os level = 1
# Active Directory Config
security = ADS
realm = ADDOMAIN.NET
workgroup = ADDOMAIN
encrypt passwords = yes
password server = *
kerberos encryption types = strong
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
allow trusted domains = No
# local smb client config
client signing = auto
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = no
client schannel = yes
# Winbindd
winbind separator = /
winbind cache time = 600
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind trusted domains only = no
winbind use default domain = yes
require strong key = yes
winbind enum users = no
winbind enum groups = no
winbind expand groups = 0
# Printspooler Config
load printers = no
printcap name = /dev/null
disable spoolss = yes
# Logging Configuration
log level = all:2
include = /etc/samba/debug/smb.conf.priv.%U
# SHARECONFIG
[share01]
comment = Client Share
nt acl support = no
path = /Data
acl allow execute always = yes
directory mask = 0775
create mask = 0664
browsable = no
writable = yes
public = no
valid users = @"share01_users at ADDOMAIN.NET"
force user = localuser
force group = localgroup
Thanks for helping, Meike
On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> Hello dear list,
>
> I have running a samba instance, users can access the share.
> On the Client (name: computer01), the share is connected via
> net use x: \\samba01\share01
>
> But often I see in the log
> "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> But this is a computer account and not known on the server.
>
> Does anybody have any clue why there are such requests are coming
> from the client?

No, because posting parts of a log without the context doesn't help.

>
> Here the config:
> Samba version is "4.6.16" - I know, it is an "ancient" version, but
> it's the version from the current Enterprise-Server SLES12 from SuSE
>
> [global]
>
> # prim. Server Config
> server string = samba01
> server min protocol = SMB2
> ntlm auth = no
> lanman auth = no
> map to guest = Bad User
> deadtime = 600
> os level = 1
>
> # Active Directory Config
> security = ADS
> realm = ADDOMAIN.NET
> workgroup = ADDOMAIN
> encrypt passwords = yes
> password server = *
> kerberos encryption types = strong
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5.keytab
> allow trusted domains = No
>
> # local smb client condig
> client signing = auto
> client use spnego = yes
> client lanman auth = no
> client NTLMv2 auth = no
> client schannel = yes
>
> # Windbindd
> winbind separator = /
> winbind cache time = 600
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000

Is sssd installed? I would expect 'idmap config ADDOMAIN' lines.

rowland
On Wed, 2021-09-01 at 11:15 +0200, Meike Stone via samba wrote:
> Hello dear list,
>
> I have running a samba instance, users can access the share.
> On the Client (name: computer01), the share is connected via
> net use x: \\samba01\share01
>
> But often I see in the log
> "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> But this is a computer account and not known on the server.
>
> Does anybody have any clue why there are such requests are coming
> from the client?

It just does that. The client PC has an account in AD and will use it
to contact servers for local operations that happen as 'SYSTEM' on that
PC. The authenticated user will also make contact, and the two
authorized sessions are handled distinctly by Samba.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
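
To see which clients open such SYSTEM sessions alongside the user sessions described in the reply above, the principal lines in the Samba log can be tallied by account type. This is an added example, not code from the thread or from the Samba project; only the message text "Kerberos ticket principal name is [...]" comes from the original post, and the sample log lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the original post; the realm and names are captured.
PRINCIPAL_RE = re.compile(
    r"Kerberos ticket principal name is \[([^\]@]+)@([^\]]+)\]"
)

# Constructed sample input (not a real log excerpt).
SAMPLE_LOG = """\
  Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]
  Kerberos ticket principal name is [alice@ADDOMAIN.NET]
  unrelated log line
  Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]
  Kerberos ticket principal name is [COMPUTER02$@ADDOMAIN.NET]
"""


def classify(log_text):
    """Return (machines, users): Counters keyed by 'name@REALM'."""
    machines, users = Counter(), Counter()
    for match in PRINCIPAL_RE.finditer(log_text):
        name, realm = match.group(1), match.group(2)
        key = f"{name}@{realm}"
        # AD computer accounts carry a trailing '$' in the account name;
        # these are the sessions opened by services running as SYSTEM.
        if name.endswith("$"):
            machines[key] += 1
        else:
            users[key] += 1
    return machines, users


def clients_with_system_sessions(log_text):
    """Sorted, lower-cased host names that authenticated as a machine account."""
    machines, _ = classify(log_text)
    return sorted({key.split("$", 1)[0].lower() for key in machines})


if __name__ == "__main__":
    machines, users = classify(SAMPLE_LOG)
    for principal, count in machines.most_common():
        print(f"machine  {count:4d}  {principal}")
    for principal, count in users.most_common():
        print(f"user     {count:4d}  {principal}")
```
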
On Wed, 1 Sept 2021 at 11:15, Meike Stone <meike.stone at googlemail.com> wrote:
>
> Hello dear list,
>
> I have running a samba instance, users can access the share.
> On the Client (name: computer01), the share is connected via
> net use x: \\samba01\share01
>
> But often I see in the log
> "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> But this is a computer account and not known on the server.
>
> Does anybody have any clue why there are such requests are coming from
> the client?

On the client was a virus scanning engine (Kaspersky), which is running
under the system account. That led to the described "phenomenon". The
colleagues who care for the virus scanner are now responsible to solve
that ...

Thanks all for answering.
Meike
L.P.H. van Belle
2021-Sep-06 13:27 UTC
[Samba] SOLVED - Principal is a computer account - why
Well, you're sure it's him that needs to do that.. ;-)

Please read this also.
https://wiki.samba.org/index.php/The_SYSTEM_Account

And yes, your colleague can fix it, "if" you can change Kaspersky to run
as Administrator.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Meike Stone via samba
> Sent: Monday, 6 September 2021 15:15
> To: samba at lists.samba.org
> Subject: Re: [Samba] SOLVED - Principal is a computer account - why
>
> On Wed, 1 Sept 2021 at 11:15, Meike Stone
> <meike.stone at googlemail.com> wrote:
> >
> > Hello dear list,
> >
> > I have running a samba instance, users can access the share.
> > On the Client (name: computer01), the share is connected via
> > net use x: \\samba01\share01
> >
> > But often I see in the log
> > "Kerberos ticket principal name is [computer01$@ADDOMAIN.NET]"
> > But this is a computer account and not known on the server.
> >
> > Does anybody have any clue why there are such requests are
> > coming from the client?
>
> On the client was a virus scanning engine (kaspersky), who is running
> under the system account. That led
> to the described "phenomenon". The colleagues who cares for the virus
> scanner are now responsible to solve that ...
>
> Thanks all for answering.
> Meike