[OmniOS-discuss] AD krb5.keytab problem
russhan at new-swankton.net
Fri Jul 21 15:28:30 UTC 2017
On 2017-07-21 07:10, Lawrence Giam wrote:
> Hi All,
>
> I have just set up an OmniOS r151014 and joined it to an AD; after that I
> keep seeing a lot of this error:
> idmap[544]: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Unsupported key table format version number)
>
> I tried to follow this post
> http://solariscat.blogspot.my/2015/01/solaris-11-samba-zfs-configuration-with.html
> but I got an Aborted message.
>
> C:\temp>ktpass -princ host/mysan3.domain.internal@DOMAIN.INTERNAL
> -mapuser domain\serviceuser -crypto All -pass XXXXXXX -ptype
> KRB5_NT_PRINCIPAL -out mysan3.keytab
> Targeting domain controller: mydc01.domain.internal
> Using legacy password setting method
> Successfully mapped host/mysan3.domain.internal to serviceuser.
> Aborted.
>
> No mysan3.keytab file was generated.
>
> Anyone got any idea how to solve this or is it ok to ignore?
>
> Thanks & Regards.

I'm not sure but the "Using legacy password setting method" seems to
indicate a SNAFU between how ktpass is processing the password and what
AD is expecting. I don't know enough about Windows and AD to know where
to even begin addressing that.

However, I can chime in with what I do for my Solaris 11 systems at
work:

I create a machine account (ex. COMPUTERNAME) in AD.

C:\temp> ktpass /princ host/computername.domain.tld@DOMAIN.TLD -mapuser
DOMAIN\COMPUTERNAME$ +rndPass /crypto All /out computername.keytab

I personally like having the systems show up in AD as machines instead
of users. And with the +rndPass it's one less password I have to know
and worry about.

-Russ
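
Added example, not part of either message above and not OmniOS or ktpass code: the GSSAPI error quoted in the thread refers to the key table format version, which is the two-byte header at the start of a keytab file. Assuming the MIT Kerberos keytab layout (header 0x05 0x02, big-endian entries), this Python code checks that header and lists each entry's principal, kvno and encryption type; the function names are this example's own, and sample_keytab() builds a constructed entry with an all-zero key.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY = {1, 3, 23}  # DES and RC4 keys, which "/crypto All" also writes

def _entry(e):
    """Decode one version-2 entry body (all integers big-endian)."""
    def counted(off):                      # uint16 length followed by the bytes
        (n,) = struct.unpack_from(">H", e, off)
        return e[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, off = counted(2)
    comps = []
    for _ in range(ncomp):
        c, off = counted(off)
        comps.append(c)
    _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", e, off)
    off += 13 + klen                       # skip fixed fields and the key bytes
    if len(e) - off >= 4:                  # optional 32-bit kvno overrides the 8-bit one
        kvno = struct.unpack_from(">I", e, off)[0] or kvno
    return {"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
            "enctype": ENCTYPES.get(etype, str(etype)), "legacy": etype in LEGACY}

def parse_keytab(data):
    """Return the entries of a keytab; ValueError if the header is not 0x05 0x02."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab, header bytes: " + data[:2].hex())
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size > 0:
            entries.append(_entry(data[pos:pos + size]))
        pos += abs(size)                   # a negative size marks a deleted slot

    return entries

def sample_keytab(etype=18):
    """Constructed sample: one entry with an all-zero key, not a real credential."""
    def cs(s):
        return struct.pack(">H", len(s)) + s
    body = (struct.pack(">H", 2) + cs(b"DOMAIN.TLD") + cs(b"host")
            + cs(b"computername.domain.tld") + struct.pack(">IIBH", 1, 0, 3, etype)
            + cs(bytes(32)) + struct.pack(">I", 3))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To inspect a real file, pass its bytes to parse_keytab(), for example open(path, "rb").read(); an empty or truncated file raises ValueError at the header check.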