A sAMAccount name can be the hostname of a computer
Then you use: net ads enctypes set HOSTNAME$
! Point of attention: HOSTNAME$.
The hostname in "how its defined in your smb.conf, and after you checked the current keytab file.
(klist -ke or klist -ke /path_to/your.keytab_file)
If the hostname is lowercased, and the netbios name is UPPERCASED, your auth wil fail.
for example :
kinit -k hostname$ /etc/krb5.keytab not working
kinit -k HOSTNAME$ /etc/krb5.keytab working
Howto use these settings in smb.conf, also a point of attention, this example is not the samba default:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
Please read man smb.conf so you know what these 2 setting exact do.
For example, dedicated keytab file setting is used for example when you also need extra UPN/SPN's.
This depend on how you use it and how you configure it. NFS is such example.
The hostname used also in smb.conf : netbios name = .....
The default is adapt the hostname of the server ( in caps ).
( check: testparm -vs | grep "netbios name" )
check you keytab file.
klist -ke |sort ( use sort because is make it easier to see where what is missing, for example to check if you have 5 encryption types. )
net ads keytab create ( used on a domain member )
This recreates the keytab file, based on the location of dedicated keytab file, in this example, /etc/krb5.keytab
backup your old keytab file, stop samba/winbind , and recreate the new one.
If you did not define dedicated keytab file, the keytab file is in /var/lib/samba/private/secret.keytab (on debian)
! Tip, if you add UPN/SPN's an account, ( for example HOSTNAME$ )
the recreated the keytab now also contains you new SPN/UPN.
check again if all encryptions are there.
and chech you rights on the keytab file.
chmod 640 /etc/krb5.keytab ( its created on debian with 600, i need 640 )
> I cant find anything about keytabs.. ( not on the first sight ), which i needed...
> but there is this page, ( google was your friend ) : https://wiki.samba.org/index.php/Generating_Keytabs >
> Can someone add this in the Advanced section and make change where needed.
> after this part, or if you have a better place, but its usefull info imho.
Better idea: you create a wiki account and update the documentation
yourself. Much appreciated! I'll send you the captcha via private email.