I am having this problem with Kerberos on openSUSE Leap 42.3 when joined to a Samba 4.7 domain controller: the host has joined, its machine account exists on the server, and I can chgrp files to the “domain users” group, yet klist/kinit fail as shown below.
**administrator@linux-xg8g:~> klist**
klist: Credentials cache permissions incorrect
**administrator@linux-xg8g:~> kinit**
Password for administrator@SIENIC.SITE:
kinit: Internal credentials cache error while storing credentials while getting initial credentials
**administrator@linux-xg8g:~> wbinfo -u**
dns-smb4server01
administrator
krbtgt
guest
**administrator@linux-xg8g:~> wbinfo -g**
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
**administrator@linux-xg8g:~> getent passwd "administrator"**
administrator:*:10000:10002::/home/SIENIC/administrator:/bin/bash
**administrator@linux-xg8g:~> getent group**
root:x:0:
bin:x:1:daemon
daemon:x:2:
sys:x:3:
tty:x:5:
disk:x:6:
lp:x:7:
www:x:8:
kmem:x:9:
wheel:x:10:
mail:x:12:postfix
news:x:13:
uucp:x:14:
shadow:x:15:vnc
dialout:x:16:
audio:x:17:pulse
floppy:x:19:
cdrom:x:20:
console:x:21:
utmp:x:22:
public:x:32:
video:x:33:
games:x:40:
xok:x:41:
trusted:x:42:
modem:x:43:
ftp:x:49:
lock:x:54:
man:x:62:
users:x:100:
nobody:x:65533:
nogroup:x:65534:nobody
messagebus:x:499:
sshd:x:498:
tape:x:497:
polkitd:x:496:
nscd:x:495:
mysql:x:494:
avahi-autoipd:x:493:
systemd-journal:x:492:
systemd-bus-proxy:x:490:
systemd-timesync:x:491:
input:x:489:
svn:x:488:
pesign:x:487:
ntp:x:486:
tftp:x:485:tftp,dnsmasq
at:x:25:
vnc:x:484:
ntadmin:x:71:
rtkit:x:483:
pulse:x:482:
pulse-access:x:481:
postfix:x:51:
maildrop:x:59:postfix
avahi:x:480:
nm-openvpn:x:479:
sddm:x:478:
adm:x:477:
nagios:x:476:
nagcmd:x:475:nagios,wwwrun
quagga:x:474:
winbind:x:473:
allowed rodc password replication group:x:10011:
enterprise read-only domain controllers:x:10012:
denied rodc password replication group:x:10004:
read-only domain controllers:x:10013:
group policy creator owners:x:10007:
ras and ias servers:x:10014:
domain controllers:x:10015:
enterprise admins:x:10006:
domain computers:x:10016:
cert publishers:x:10017:
dnsupdateproxy:x:10018:
domain admins:x:10003:
domain guests:x:10019:
schema admins:x:10005:
domain users:x:10002:
dnsadmins:x:10020:
**administrator@linux-xg8g:~> getent passwd**
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:481:480:User for Avahi:/run/avahi-daemon:/bin/false
avahi-autoipd:x:493:493:User for Avahi IPv4LL:/var/lib/avahi-autoipd:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dnsmasq:x:486:65534:dnsmasq:/var/lib/empty:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/bin/false
mysql:x:60:494:MySQL database admin:/var/lib/mysql:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nm-openvpn:x:480:479:NetworkManager user for OpenVPN:/var/lib/openvpn:/sbin/nologin
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
nscd:x:496:495:User for nscd:/run/nscd:/sbin/nologin
ntp:x:74:486:NTP daemon:/var/lib/ntp:/bin/false
openslp:x:494:2:openslp daemon:/var/lib/empty:/sbin/nologin
pesign:x:488:487:PE-COFF signing daemon:/var/lib/pesign:/bin/false
polkitd:x:497:496:User for polkitd:/var/lib/polkit:/sbin/nologin
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:482:482:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
rpc:x:495:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
rtkit:x:483:483:RealtimeKit:/proc:/bin/false
sddm:x:479:478:SDDM daemon:/var/lib/sddm:/bin/false
sshd:x:498:498:SSH daemon:/var/lib/sshd:/bin/false
statd:x:484:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
svn:x:489:488:user for Apache Subversion svnserve:/srv/svn:/sbin/nologin
systemd-bus-proxy:x:490:490:systemd Bus Proxy:/:/sbin/nologin
systemd-timesync:x:491:491:systemd Time Synchronization:/:/sbin/nologin
tftp:x:487:485:TFTP account:/srv/tftpboot:/bin/false
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
vnc:x:485:484:user for VNC:/var/lib/empty:/sbin/nologin
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
eduardo:x:1000:100:Eduardo Sotomayor:/home/eduardo:/bin/bash
nagios:x:478:476:User for Nagios:/var/lib/nagios:/bin/false
quagga:x:477:474:Quagga routing daemon:/run/quagga:/usr/bin/false
dns-smb4server01:*:10001:10002::/home/SIENIC/dns-smb4server01:/bin/bash
administrator:*:10000:10002::/home/SIENIC/administrator:/bin/bash
krbtgt:*:10002:10002::/home/SIENIC/krbtgt:/bin/bash
guest:*:10003:10002::/home/SIENIC/guest:/bin/bash
administrator@linux-xg8g:~>
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
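# Domain-member configuration: this host authenticates against the SIENIC AD
# domain (security = ADS) and is not itself a domain controller.
[global]
workgroup = SIENIC
# Only backs the local (non-domain) account database; with security = ADS
# domain logons are verified by the DC, so this is effectively unused here.
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
# "Bad User": a logon with an unknown username (any password) is mapped to the
# guest account instead of being rejected. No share in this file sets
# "guest ok = yes", so it grants nothing today, but it will silently expose any
# share that later does; "Never" is the safer choice on a domain member, where
# every legitimate user is known to the DC.
map to guest = Bad User
# Parameters in the included file override the ones above and are overridden
# by the ones below, so keep this line where it is.
include = /etc/samba/dhcp.conf
# Logon/roaming-profile paths are handed out by a domain controller; a member
# server does not use them. Kept for reference only.
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
# ID mapping. The default (tdb) backend hands out uids/gids from this range in
# order of first appearance and records them in winbindd_idmap.tdb on this host
# only, so the same domain account may get different ids on another member.
# These two lines are the current spelling of the legacy "idmap uid"/"idmap gid"
# parameters they replace and keep the existing assignments (administrator =
# 10000, domain users = 10002 in the getent output above) -- confirm with
# testparm and "wbinfo -i administrator" before restarting. A deterministic
# backend (idmap config SIENIC : backend = rid) would give stable ids across
# hosts but renumber everything already mapped here, so it is not switched on.
idmap config * : backend = tdb
idmap config * : range = 10000-20000
# secrets.tdb first, then /etc/krb5.keytab: winbind authenticates with the
# machine account created at join time and also maintains the keytab.
kerberos method = secrets and keytab
security = ADS
realm = SIENIC.SITE
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
bind interfaces only = yes
interfaces = lo eth0
# Unprefixed names: "administrator" means SIENIC\administrator. A local account
# sharing a name with a domain account is resolved by the nsswitch.conf order
# ("files" before "winbind" means the local one wins), so avoid such clashes.
winbind use default domain = yes
# Enumeration is what makes "wbinfo -u/-g" and "getent passwd" list the whole
# domain; it is costly on large domains and lets any local user dump the
# directory. Per-user lookups (getent passwd administrator) work without it.
winbind enum users = yes
winbind enum groups = yes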
# Per-user home share: [homes] is instantiated as a share named after the
# connecting user (%S), rooted at that user's home directory.
[homes]
comment = Home Directories
# Only the owning user may connect; the second spelling also accepts
# DOMAIN<separator>user (%D = domain, %w = winbind separator).
valid users = %S, %D%w%S
# Hidden from share browsing; the user's own share still appears by name.
browseable = No
read only = No
# New files and directories pick up the ACLs of their parent directory.
inherit acls = Yes
# Roaming-profile store rooted at the connecting user's home directory (%H),
# i.e. the target of the "logon path" set in [global].
[profiles]
comment = Network Profiles Service
path = %H
read only = No
# Keep Windows file attributes (hidden/system/archive) in extended attributes
# so the client sees them unchanged on the next logon.
store dos attributes = Yes
# Profile contents are private to the owner: no group/other access at all.
create mask = 0600
directory mask = 0700
# One writable share over the whole /home tree. Every user's home directory is
# reachable through it, so isolation between users rests entirely on the Unix
# permissions/ACLs of the individual directories -- keep those tight, or prefer
# the per-user [homes] share above.
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
# Quota and share bookkeeping entries are neither listed nor accessible.
veto files = /aquota.user/groups/shares/
# Shared group areas under /home/groups; who may write where is decided by the
# directory ACLs, which new files inherit.
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
# Template share instantiated once per CUPS printer. /var/tmp only holds the
# spooled job files, which are created unreadable to other users (0600).
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
# The template itself is not listed; the individual printers are.
browseable = No
# Windows printer-driver repository (Point-and-Print). Drivers fetched from
# here are installed and executed on the Windows clients, so upload rights are
# effectively code-distribution rights: keep the write list minimal.
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
# Only members of the local ntadmin group (gid 71 above) and root may upload.
write list = @ntadmin root
# Uploaded files are group-owned by ntadmin and group-writable, world-readable.
force group = ntadmin
create mask = 0664
directory mask = 0775
# MIT krb5 client settings for the SIENIC.SITE realm.
[libdefaults]
# Do not take the realm of a host from DNS TXT records (whoever answers DNS
# could otherwise steer authentication to another realm); use [domain_realm].
dns_lookup_realm = false
# KDCs may additionally be located via DNS SRV records.
dns_lookup_kdc = true
default_realm = SIENIC.SITE
# One FILE credentials cache per uid in world-writable /tmp. klist/kinit fail
# with exactly the "Credentials cache permissions incorrect" / "Internal
# credentials cache error" shown above when the file exists but the calling uid
# cannot open it -- typically a stale /tmp/krb5cc_10000 created earlier under a
# different uid with mode 0600. Check with "ls -l /tmp/krb5cc_10000" (it must be
# owned by uid 10000), remove it, and re-run kinit. If the installed krb5
# supports it, KEYRING:persistent:%{uid} or DIR:/run/user/%{uid}/krb5cc avoids
# sharing a predictable path in /tmp with every other local user.
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
# Maximum tolerated clock difference to the KDC, in seconds; AD also rejects
# tickets beyond its own skew limit, so keep the clients NTP-synced.
clockskew = 300
# Realm -> server mapping. The Samba AD DC is the KDC; "admin_server" is the
# target for kpasswd-style password changes (port 464, which Samba AD serves) --
# the MIT kadmin protocol itself is not provided by a Samba AD DC.
[realms]
SIENIC.SITE = {
kdc = smb4server01.sienic.site
# Kerberos v4 compatibility setting; harmless here.
default_domain = sienic.site
admin_server = smb4server01.sienic.site
}
# The "kdc" and "admin_server" entries only apply to a KDC/kadmind running on
# this host; on a pure client only "default" (library messages -> syslog) is used.
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
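# Host/domain -> realm mapping, consulted because dns_lookup_realm = false.
# The leading-dot entry covers hosts *under* sienic.site; the bare name covers
# the zone apex itself, which in AD resolves to the domain controllers. Without
# it the apex only worked because default_realm happens to be the same realm.
[domain_realm]
.sienic.site = SIENIC.SITE
sienic.site = SIENIC.SITE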
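# Options read by pam_krb5 when it is in the PAM stack (pam_winbind ignores
# this section).
[appdefaults]
pam = {
# Both values are capped by the DC's domain policy; a renew_lifetime equal to
# ticket_lifetime gives no extension beyond the initial ticket.
ticket_lifetime = 1d
renew_lifetime = 1d
# Forwardable TGTs let a host the user logs into (e.g. ssh with delegation) act
# as the user toward other services; needed for delegation, a liability on
# hosts that are not fully trusted.
forwardable = true
proxiable = false
# Accounts below this uid are never authenticated against the KDC. With the
# previous value of 1 every local and system account except root (eduardo,
# postfix, nagios, ... above) was tried against the DC before falling through
# to the next PAM module. Domain accounts are mapped at 10000 and up (the idmap
# range in smb.conf); lower it only if domain users ever get ids below that.
minimum_uid = 10000
}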