* Breaks sshd for kerberos/gssapi login
* Breaks sssd for connecting to ldap, as it defaults to /etc/krb5.keytab for all principals, including ldap connect...

This is with smb.conf settings:

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password

for good compatibility with Unix services.

sssd is expecting to find the machine account principal in /etc/krb5.keytab, with the form MACHINE$@AD.REALM.ORG, and sshd is looking for the principal 'host/machine.ad.realm.org@AD.REALM.ORG' in /etc/krb5.keytab as well.

According to RFC 4120, section 6.1 realm names are upper case, and section 6.1 user principal account names are case sensitive, and section 6.2.1 service principals should have lower cased host names... 6.2.1 specifies that 'host' should be lower case... Thus for sshd it looks for 'host/machine.ad.realm.org@'

NOTE: windowsish keytab entries like 'host/MACHINE@AD.REALM.ORG' are also technically not correct for unix...

Best idea for unix compatibility in the keytab generation (for the smb.conf 'sync machine password to keytab' parameter):
* is for specifier 'sync_spns' to lower case all SPN service principal names left of the '@'
* have an additional specifier 'sync_spns_with_account_name' to produce a machine keytab similar to that in Samba 4.20 and previous, suitable for use as '/etc/krb5.keytab'.
Prior to Samba 4.21, net ads join/net ads create would produce a keytab with principal names as follows, which actually works:

    $ sudo ktutil list
    FILE:/etc/krb5.keytab:

    Vno  Type                     Principal                                          Aliases
      2  aes256-cts-hmac-sha1-96  host/zion.ad.realm.org@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  host/ZION@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  host/zion.ad.realm.org@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  host/ZION@AD.REALM.ORG
      2  arcfour-hmac-md5         host/zion.ad.realm.org@AD.REALM.ORG
      2  arcfour-hmac-md5         host/ZION@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  restrictedkrbhost/ZION@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  restrictedkrbhost/ZION@AD.REALM.ORG
      2  arcfour-hmac-md5         restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG
      2  arcfour-hmac-md5         restrictedkrbhost/ZION@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  nfs/zion.ad.realm.org@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  nfs/ZION@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  nfs/zion.ad.realm.org@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  nfs/ZION@AD.REALM.ORG
      2  arcfour-hmac-md5         nfs/zion.ad.realm.org@AD.REALM.ORG
      2  arcfour-hmac-md5         nfs/ZION@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  ZION$@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  ZION$@AD.REALM.ORG
      2  arcfour-hmac-md5         ZION$@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  cifs/zion.ad.realm.org@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  cifs/ZION@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  cifs/zion.ad.realm.org@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  cifs/ZION@AD.REALM.ORG
      2  arcfour-hmac-md5         cifs/zion.ad.realm.org@AD.REALM.ORG
      2  arcfour-hmac-md5         cifs/ZION@AD.REALM.ORG

Samba 4.21.1+ produces a keytab listing like so:

    # ktutil list
    FILE:/etc/krb5.keytab:

    Vno  Type                     Principal                                 Aliases
      2  aes256-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG
      2  arcfour-hmac-md5         HOST/SHARON@AD.REALM.ORG
      1  aes256-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG
      1  aes128-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG
      1  arcfour-hmac-md5         HOST/SHARON@AD.REALM.ORG
      2  aes256-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG
      2  aes128-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG
      2  arcfour-hmac-md5         HOST/sharon.ad.realm.org@AD.REALM.ORG
      1  aes256-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG
      1  aes128-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG
      1  arcfour-hmac-md5         HOST/sharon.ad.realm.org@AD.REALM.ORG

Thank you! Samba is a great product. I am just trying to make it better!
Please note that Windows Server does case-insensitive comparisons of the Kerberos service principal 'service/cname', where the service principal is of the form 'service/cname@AD.REALM.ORG'.
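Added example (not from the bug report above and not Samba code): a small Python checker that parses the `ktutil list` output format shown in the report and tells you, before you restart sshd or sssd, whether the keytab carries the exactly-cased principals those Unix services look up (host/<fqdn>@REALM for sshd, MACHINE$@REALM for sssd), and which SPNs carry an upper-case service or host part. The hostnames, realm and the two abbreviated listings are taken from the report; the function names, the report structure and the rule "service and instance must be lower case, realm upper case" as applied here are this example's own assumptions, not something the report or Samba defines.

```python
"""Check an /etc/krb5.keytab listing for the principals Unix services expect.

Added example, not part of the original bug report and not Samba code.
Hostnames, realm and listings come from the report; the checking logic and
all function names are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "  2  aes256-cts-hmac-sha1-96  host/zion.ad.realm.org@AD.REALM.ORG"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample listings, abbreviated from the two listings in the report.
PRE_421_LISTING = """\
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                    Aliases
  2  aes256-cts-hmac-sha1-96  host/zion.ad.realm.org@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  host/ZION@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  restrictedkrbhost/zion.ad.realm.org@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  nfs/zion.ad.realm.org@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  ZION$@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  cifs/zion.ad.realm.org@AD.REALM.ORG
"""

SAMBA_4211_LISTING = """\
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                              Aliases
  2  aes256-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG
  1  aes256-cts-hmac-sha1-96  HOST/SHARON@AD.REALM.ORG
  2  aes256-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG
  1  aes256-cts-hmac-sha1-96  HOST/sharon.ad.realm.org@AD.REALM.ORG
"""


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    enctype: str
    principal: str


def parse_ktutil_list(text: str) -> list[KeytabEntry]:
    """Parse `ktutil list` output; the FILE: line, header and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def split_principal(principal: str) -> tuple[str, Optional[str], str]:
    """Return (primary, instance or None, realm) for 'svc/host@REALM' or 'NAME$@REALM'."""
    name, _, realm = principal.rpartition("@")
    primary, sep, instance = name.partition("/")
    return primary, (instance if sep else None), realm


def check_unix_keytab(entries: list[KeytabEntry], fqdn: str, netbios: str,
                      realm: str) -> dict[str, list[str]]:
    """Report what sshd and sssd will find; MIT/Heimdal keytab lookups are exact-case."""
    wanted = {
        "sshd": f"host/{fqdn.lower()}@{realm.upper()}",   # GSSAPI acceptor name
        "sssd": f"{netbios.upper()}$@{realm.upper()}",    # machine account principal
    }
    present = {e.principal for e in entries}
    by_lower = {p.lower(): p for p in present}  # to detect case-only mismatches
    report: dict[str, list[str]] = {"ok": [], "missing": [], "case_mismatch": [],
                                    "uppercase_spns": []}
    for svc, princ in wanted.items():
        if princ in present:
            report["ok"].append(f"{svc}: {princ}")
        elif princ.lower() in by_lower:
            report["case_mismatch"].append(
                f"{svc}: wanted {princ}, keytab has {by_lower[princ.lower()]}")
        else:
            report["missing"].append(f"{svc}: {princ}")
    # SPNs whose service or host part is not lower case will not match a
    # lower-case lookup; the report calls such entries "windowsish".
    for p in sorted(present):
        primary, instance, _ = split_principal(p)
        if instance is not None and (primary != primary.lower()
                                     or instance != instance.lower()):
            report["uppercase_spns"].append(p)
    return report


if __name__ == "__main__":
    for label, listing, fqdn, nb in (("pre-4.21", PRE_421_LISTING, "zion.ad.realm.org", "ZION"),
                                     ("4.21.1+", SAMBA_4211_LISTING, "sharon.ad.realm.org", "SHARON")):
        print(label, check_unix_keytab(parse_ktutil_list(listing), fqdn, nb, "AD.REALM.ORG"))
```

Run against a live system with `ktutil list | python3 check.py`-style plumbing by replacing the constructed listings with `sys.stdin.read()`; the check only needs the listing text, never the key material.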