Samba 4 does not find Service Principal Name

Edit: Would it help if I wrote all of this in German? I have the feeling that English is preferred here for a stronger international orientation. But if that discourages forum members from answering, it would be doubly bad for me.

In order to keep it simple, I broke my current problem (Kerberos-authenticated NFSv4) down into several smaller problems.


  1. UCS Active Directory Domain Controller
  2. Backupserver (not AD Backup or Domain Backup!)

I joined the backupserver to the domain. getent passwd shows results from the AD. I assume the backupserver is successfully integrated into the domain.

On the DC, I added the SPN using samba-tool spn add nfs/ backupserver1$ and checked the success:

root@ucs-addc:~$ samba-tool spn list backupserver1$
INFO: Current debug levels:
  all: 8
  tdb: 8
  printdrivers: 8
  lanman: 8
  smb: 8
  rpc_parse: 8
  rpc_srv: 8
  rpc_cli: 8
  passdb: 8
  sam: 8
  auth: 8
  winbind: 8
  vfs: 8
  idmap: 8
  quota: 8
  acls: 8
  locking: 8
  msdfs: 8
  dmapi: 8
  registry: 8
  scavenger: 8
  dns: 8
  ldb: 8
  tevent: 8
  auth_audit: 8
  auth_json_audit: 8
  kerberos: 8
  drs_repl: 8
  smb2: 8
  smb2_credits: 8
  dsdb_audit: 8
  dsdb_json_audit: 8
  dsdb_password_audit: 8
  dsdb_password_json_audit: 8
  dsdb_transaction_audit: 8
  dsdb_transaction_json_audit: 8
  dsdb_group_audit: 8
  dsdb_group_json_audit: 8
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[global]"
pm_process() returned Yes
schema_fsmo_init: we are master[no] updates allowed[no]
schema_fsmo_init: we are master[no] updates allowed[no]
User CN=backupserver1,CN=Computers,DC=example,DC=com has the following servicePrincipalName: 

I exported the keytab with

samba-tool domain exportkeytab /tmp/backupserver1.keytab --principal=nfs/
samba-tool domain exportkeytab /tmp/backupserver1.keytab --principal=backupserver1$

copied it to the target machine using scp, imported it using ktutil copy backupserver1.keytab /etc/krb5.keytab and checked the success using ktutil list

Current situation

When trying kinit -t /etc/krb5.keytab nfs/, I get

kinit: krb5_get_init_creds: Client (nfs/ unknown

On the KDC (which is also the AD DC), the log shows

Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:] s[ipv4:] server_id[5773.3][5773]: [2020/10/21 10:44:46.470996,  3, pid=5773] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:] s[ipv4:] server_id[5773.3][5773]:   Kerberos: AS-REQ nfs/ from ipv4: for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:] s[ipv4:] server_id[5773.3][5773]: [2020/10/21 10:44:46.473125,  3, pid=5773] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:] s[ipv4:] server_id[5773.3][5773]:   Kerberos: UNKNOWN -- nfs/ no such entry found in hdb
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:] s[ipv4:] server_id[5773.3][5773]: [2020/10/21 10:44:46.473218,  2, pid=5773] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:] s[ipv4:] server_id[5773.3][5773]:   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[nfs/] at [Wed, 21 Oct 2020 10:44:46.473207 CEST] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:] mapped to [(null)]\[(null)]. local host [NULL]
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:] s[ipv4:] server_id[5773.3][5773]:   {"timestamp": "2020-10-21T10:44:46.473289+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "nfs/", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 2367}}

Besides the requested SPN not being found, it is strange that the log lines state that the client is the IP of a completely different machine. At least later in the lines it shows the actual IP.

I can confirm that my kinit request reaches the correct KDC. But I don't understand why the SPN is not found. I see that the request is for krbtgt/EXAMPLE.COM@EXAMPLE.COM (line 2), which might or might not be wrong, but I also ran my kinit request with the parameter -S backupserver1$ with the same result, apart from the request now being for backupserver1$@EXAMPLE.COM.
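Added example (not code from the post above, nor from Univention or Samba): a small diagnostic that correlates the JSON "Authentication" audit records Samba writes to the journal on the DC with the output of `samba-tool spn list <account>`. The point it makes explicit is the one the log already hints at: ENC-TS pre-authentication only gets as far as checking the keytab's key once the KDC has found the client principal in its database, so `NT_STATUS_NO_SUCH_USER` together with "no such entry found in hdb" for `nfs/<host>` means the SPN is missing on the DC side, and the keytab content is irrelevant until that is fixed. Hostnames, addresses and the sample lines are constructed; the JSON records carry only a subset of Samba's fields, and the SPN list format assumes samba-tool's one-SPN-per-indented-line output.

```python
"""Correlate Samba KDC authentication-audit records with an account's SPN list.

Added example; not code from the forum post, from Univention or from Samba.
It reads journald lines from the UCS DC that carry Samba's JSON
"Authentication" audit record, plus the output of `samba-tool spn list`, and
explains each failed Kerberos AS-REQ in terms of the SPNs the account has.
"""
import json


# Constructed journald lines. The JSON record starts at the first '{'; the
# prefix is the conn[kdc_tcp]/server_id text Samba writes before it. The third
# line is a debug trace without JSON and must be skipped by the parser.
SAMPLE_LOG = """\
Okt 21 10:44:46 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:192.0.2.20:50172] s[ipv4:192.0.2.10:88] server_id[5773.3][5773]:   {"timestamp": "2020-10-21T10:44:46.473289+0200", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:192.0.2.20:50172", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "nfs/backupserver1.example.com", "mappedAccount": null}}
Okt 21 10:45:02 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:192.0.2.20:50173] s[ipv4:192.0.2.10:88] server_id[5773.3][5773]:   {"timestamp": "2020-10-21T10:45:02.100000+0200", "type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.20:50173", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": "EXAMPLE", "clientAccount": "BACKUPSERVER1$", "mappedAccount": "BACKUPSERVER1$"}}
Okt 21 10:46:10 ucs-addc samba[5773]: conn[kdc_tcp] c[ipv4:192.0.2.20:50174] s[ipv4:192.0.2.10:88] server_id[5773.3][5773]:   Kerberos: AS-REQ nfs/backupserver1.example.com from ipv4:192.0.2.20:50174 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed `samba-tool spn list backupserver1$` output: the account carries
# the default HOST/ SPNs but no nfs/ SPN, which is what a failed `spn add` or a
# machine account that was recreated by a re-join looks like.
SAMPLE_SPN_LIST = """\
User CN=backupserver1,CN=Computers,DC=example,DC=com has the following servicePrincipalName: 
\t HOST/BACKUPSERVER1
\t HOST/backupserver1.example.com
"""


def parse_audit_events(text):
    """Return the 'Authentication' records embedded in Samba's JSON audit lines."""
    events = []
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # plain debug output, e.g. the "Kerberos: AS-REQ ..." trace
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # a '{' that did not start an audit record
        if record.get("type") == "Authentication":
            events.append(record["Authentication"])
    return events


def parse_spn_list(text):
    """Return the SPNs printed by `samba-tool spn list`, one per indented line."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("User ")]


def diagnose(log_text, spn_text):
    """Explain each failed KDC pre-authentication against the account's SPNs.

    servicePrincipalName has a case-insensitive syntax in AD, so both sides are
    lower-cased; a realm suffix on the client name is dropped because SPNs are
    stored without one.
    """
    spns = {spn.lower() for spn in parse_spn_list(spn_text)}
    findings = []
    for event in parse_audit_events(log_text):
        if event.get("serviceDescription") != "Kerberos KDC":
            continue
        status = event.get("status")
        if status == "NT_STATUS_OK":
            continue
        account = event.get("clientAccount") or "(null)"
        principal = account.split("@", 1)[0]
        if "/" in principal and principal.lower() not in spns:
            reason = "SPN not registered on the account; the KDC has no hdb entry for it"
        elif status == "NT_STATUS_NO_SUCH_USER":
            reason = "principal unknown to the KDC"
        else:
            reason = "pre-authentication rejected with " + str(status)
        findings.append({
            "account": account,
            "status": status,
            "remote": event.get("remoteAddress"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_SPN_LIST):
        print("{account} from {remote}: {status} -> {reason}".format(**finding))
```

Run it against `journalctl -u samba` output and the real `samba-tool spn list` output instead of the constructed samples; a finding that names the SPN as unregistered sends you back to `samba-tool spn add` on the DC, while a rejection of a principal that is listed points at the keytab (key or kvno) on the client.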


I haven't checked all of your steps here, but there is a dedicated tool for UCS available to create such accounts. I would suggest using this tool.

Have a look here.


Hi Christian,

thanks for your answer. I went through this script to check if I did anything differently (yes, I did). What I noticed is that it checks for, and creates if necessary, a users/user account. I assume this would work too, but the orthodox view is to use a computer account for this purpose (NFS between servers), isn't it?

Of course, I can just make a copy of your script and adapt it accordingly. Shouldn’t hurt.


After some more investigation, it turned out that the server indeed was not joined anymore. It only showed outdated information from the AD via getent passwd. I don't know why this happened, but there were a few weeks between joining the server and trying to overhaul my Kerberization of NFS.

Luckily, I still had the bash script adapted from Integration of Ubuntu clients into a UCS domain:

#!/bin/bash
# Join a Debian/Ubuntu host to a UCS domain (adapted from "Integration of
# Ubuntu clients into a UCS domain"). Run as root on the host to be joined.
# The IP address of the UCS DC Master is passed as the first parameter.
if [ -z "$1" ]; then
	printf "Please provide the IP address of your DC as first parameter. You might wreck your setup if it's not correct.\n"
	exit 1
fi
printf "You provided this IP address as DC: %s\n" "$1"

export MASTER_IP=$1

if [ ! -d /etc/univention ]; then
	mkdir /etc/univention
fi

# Either be logged in using ssh -A for agent forwarding or have
# password authorization for root enabled
printf "Acquiring information from DC via ssh root@%s\n" "$MASTER_IP"
ssh -n root@${MASTER_IP} 'ucr shell | grep -v ^hostname=' >/etc/univention/ucr_master
echo "master_ip=${MASTER_IP}" >>/etc/univention/ucr_master
chmod 660 /etc/univention/ucr_master
. /etc/univention/ucr_master
echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts

# Download the SSL certificate. This fetches the CA over plain HTTP, so the
# trust anchor is only as trustworthy as the network path to the DC.
mkdir -p /etc/univention/ssl/ucsCA/
wget -O /etc/univention/ssl/ucsCA/CAcert.pem http://${ldap_master}/ucs-root-ca.crt

# Create an account and save the password
password="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c20)"
printf "Creating machine account on DC via ssh root@%s.\n" "$MASTER_IP"
ssh -n root@${ldap_master} udm computers/linux create \
    --position "cn=computers,${ldap_base}" \
    --set name=$(hostname) --set password="${password}" \
    --set operatingSystem="$(lsb_release -is)" \
    --set operatingSystemVersion="$(lsb_release -rs)"
printf '%s' "$password" >/etc/ldap.secret
chmod 0400 /etc/ldap.secret

# Create ldap.conf
cat >/etc/ldap/ldap.conf <<__EOF__
TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
URI ldap://$ldap_master:7389
BASE $ldap_base
__EOF__

# Install required packages
DEBIAN_FRONTEND=noninteractive apt-get install -y heimdal-clients ntpdate

# Default krb5.conf. The enctype lists below still permit single-DES and RC4;
# they are kept as in the original guide, trim them if the DC only offers AES.
cat >/etc/krb5.conf <<__EOF__
[libdefaults]
    default_realm = $kerberos_realm
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md4 des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96

[realms]
$kerberos_realm = {
   kdc = $master_ip $ldap_master
   admin_server = $master_ip $ldap_master
   kpasswd_server = $master_ip $ldap_master
}
__EOF__

# Synchronize the time with the UCS system
ntpdate -bu $ldap_master

# Test Kerberos: kinit will ask you for a ticket and the SSH login to the master should work with ticket authentication:
kinit Administrator
ssh -n Administrator@$ldap_master ls /etc/univention

# Destroy the kerberos ticket
kdestroy

# Install SSSD based configuration
DEBIAN_FRONTEND=noninteractive apt -y install sssd libnss-sss libpam-sss libsss-sudo

# Create sssd.conf. ldap_tls_reqcert = never disables verification of the LDAP
# server certificate even though the CA is configured on the next line;
# "demand" would enforce it.
cat >/etc/sssd/sssd.conf <<__EOF__
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo
domains = $kerberos_realm

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/$kerberos_realm]
auth_provider = krb5
krb5_kdcip = ${master_ip}
krb5_realm = ${kerberos_realm}
krb5_server = ${ldap_master}
krb5_kpasswd = ${ldap_master}
id_provider = ldap
ldap_uri = ldap://${ldap_master}:7389
ldap_search_base = ${ldap_base}
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=$(hostname),cn=computers,${ldap_base}
ldap_default_authtok_type = password
ldap_default_authtok = $(cat /etc/ldap.secret)
__EOF__
chmod 600 /etc/sssd/sssd.conf

# Install auth-client-config
if [ "Debian" = "$(lsb_release -is)" ]; then
	# The download URL of the .deb was not included in the posted script; add it here.
	wget -O /tmp/auth-client-config_0.9ubuntu1_all.deb -nc
	dpkg -i /tmp/auth-client-config_0.9ubuntu1_all.deb
elif [ "Ubuntu" = "$(lsb_release -is)" ]; then
	DEBIAN_FRONTEND=noninteractive apt -y install auth-client-config
fi

# Create an auth config profile for sssd. The section headers and the PAM module
# names were lost in the posted copy and are restored here from the standard
# Debian/Ubuntu sss stack.
cat >/etc/auth-client-config/profile.d/sss <<__EOF__
[sss]
nss_passwd=   passwd:   compat sss
nss_group=    group:    compat sss
nss_shadow=   shadow:   compat
nss_netgroup= netgroup: nis

pam_auth=
        auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
        auth requisite pam_succeed_if.so uid >= 500 quiet
        auth [success=1 default=ignore] pam_sss.so use_first_pass
        auth requisite pam_deny.so
        auth required pam_permit.so

pam_account=
        account required pam_unix.so
        account sufficient pam_localuser.so
        account sufficient pam_succeed_if.so uid < 500 quiet
        account [default=bad success=ok user_unknown=ignore] pam_sss.so
        account required pam_permit.so

pam_password=
        password requisite pam_cracklib.so retry=3
        password sufficient pam_unix.so obscure sha512
        password sufficient pam_sss.so use_authtok
        password required pam_deny.so

pam_session=
        session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session optional pam_keyinit.so revoke
        session required pam_limits.so
        session [success=1 default=ignore] pam_sss.so
        session required pam_unix.so
__EOF__
auth-client-config -a -p sss

# Restart sssd
systemctl restart sssd.service

cat >/usr/share/pam-configs/ucs_mkhomedir <<__EOF__
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
    required pam_mkhomedir.so umask=0022 skel=/etc/skel
__EOF__

DEBIAN_FRONTEND=noninteractive pam-auth-update --force

# Grant every domain user the local hardware groups via pam_group
echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev,adm' \
    >>/etc/security/group.conf

cat >>/usr/share/pam-configs/local_groups <<__EOF__
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
    required pam_group.so use_first_pass
__EOF__

DEBIAN_FRONTEND=noninteractive pam-auth-update --force

It does all the steps outlined in the linked chapter in an order that respects dependencies. Maybe it needs some manual tweaking after it has run, but it mostly works.

I just wanted to drop this script here, as joining a domain using realmd or adcli seemingly does not do all the necessary steps. I still have to investigate whether the join status has any effect on my Kerberos problem.