L.P.H. van Belle
2018-Dec-27 15:06 UTC
[Samba] Generating keytab on a read-only file system
Hai Taner,

> -----Original message-----
> From: Taner Tas [mailto:taner76 at gmail.com]
> Sent: Thursday 27 December 2018 12:30
> To: L.P.H. van Belle via samba
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Generating keytab on a read-only file system
>
> > First, I suggest read :
> > https://wiki.samba.org/index.php/Keytab_Extraction
>
> I did.

Great, sorry but we need to ask this. Most don't even know about the wiki.
Good to see you do :-)

> > Second, is it for a member or AD-DC? That's because of the location of the keytab and
> > the ad-dc creates its own keytab file. Third, are any other services
> > going to use it? Last, root must be able to write the keytab file.
>
> They're members. The intent is to auto join clients without manual
> intervention by using a dedicated user's credentials. This user is
> only granted for adding computers to the desired OU. Diskless clients
> will use the same root fs over nfs. Hostnames will be generated
> dynamically according to their MAC/IP.
>
> > If you place the keytab in an other non-default location like :
> > With : dedicated keytab file = /tmp/krb5.keytab
> >
> > Then don't forget the symlink to /etc/krb5.keytab also.
> > Most client programs look at the default location /etc/krb5.keytab.
>
> As I mentioned in other message in thread, I figured it out by creating
> a symbolic link pointing to an empty krb5.keytab file which will be created
> during boot at a writable location if it doesn't exist on first.
>
> Create a symbolic link on root fs:
> /etc/krb5.keytab -> /var/lib/samba/krb5.keytab
> (/var/lib/samba folder is rw in this case)
>
> During boot via custom initscript:
> [ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab
>
> The empty file must be created before samba and sssd services
> are launched.

Hmm, I think it's good that you read:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Check ProtectSystem= PrivateTmp= ReadWritePaths=
And basically the sandboxing part.

> Btw, I have to mention that the samba packages in your repo don't
> work with sssd packages on Stretch. Sssd quits with segfault. Due to
> this, I switched back to the official Debian builds (4.5.12) in order
> to use sssd ad backend with samba. Probably sssd package suite must be
> re-compiled against samba packages on van-belle repo.

Yes, that's known, I've added a notice on the apt site, thank you for pointing that out (again).
Now, I've done a little check here and if you need sssd with my packages, you can use the following steps.

# vanbelle repo.
echo "deb http://apt.van-belle.nl/debian stretch-samba49 main contrib non-free" > /etc/apt/sources.list.d/van-belle.list

# Enable stretch-backports.
echo "deb http://ftp.nl.debian.org/debian stretch-backports main contrib non-free" > /etc/apt/sources.list.d/stretch-backports.list

# Enable testing or SID sources.
echo "deb http://ftp.nl.debian.org/debian testing main contrib non-free" > /etc/apt/sources.list.d/testing.list

#
apt-get update
apt-get install -t stretch-backports debhelper lintian devscripts build-essential fakeroot dh-systemd libdistro-info-perl quilt -y
apt-get build-dep sssd -y
apt-get source sssd -by

And wait, until your .deb's are ready.

The most simple and quick rebuild of sssd.
You need sssd 1.16 (this was 1.15.2) is minimal with the current samba versions as far as I know.

Greetz,

Louis
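The initscript line Taner quotes above only guarantees that the writable keytab file exists. As an added example (not code from the thread, from Samba or from sssd), here is a POSIX sh function for such an initscript that additionally pins the keytab to root-only permissions, never truncates an already-populated keytab, and verifies that /etc/krb5.keytab on the read-only root is really a symlink to the writable path. The function name prepare_keytab and the two optional path arguments are assumptions, there so the function can be exercised in a scratch directory instead of the real paths.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread): prepare the writable
# keytab target for a read-only NFS root before samba/sssd start.
# Defaults are the paths used in the thread; both can be overridden for testing.
#
# Return codes: 0 ok, 1 could not create dir/file, 2 symlink points elsewhere,
#               3 a regular file sits on the ro root, 4 could not create symlink.

prepare_keytab() {
    link="${1:-/etc/krb5.keytab}"            # path client programs open
    real="${2:-/var/lib/samba/krb5.keytab}"  # writable location (rw mount)
    dir=$(dirname "$real")

    # The writable directory must exist and must not be group/world writable.
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 0755 "$dir" || return 1

    # Create the (empty) keytab only if it is missing; 'touch' would be fine,
    # but an explicit create in a subshell with umask 077 never widens the mode
    # of an existing keytab and never truncates one that already has keys.
    if [ ! -f "$real" ]; then
        ( umask 077; : > "$real" ) || return 1
    fi
    # A keytab holds the host's long-term keys: root-only, created or not.
    chmod 0600 "$real" || return 1

    # The link on the read-only root must exist and point at the writable file.
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        [ "$target" = "$real" ] || return 2
    elif [ -e "$link" ]; then
        # A regular file on the ro root can never be updated by 'net ads join'.
        return 3
    else
        # Only succeeds while the root is still writable (image build time).
        ln -s "$real" "$link" || return 4
    fi
    return 0
}
```

Run it from the initscript before the samba and sssd services start; a non-zero return is the signal to stop the boot from joining the domain with a keytab that cannot be written.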
L.P.H. van Belle
2018-Dec-27 16:07 UTC
[Samba] Generating keytab on a read-only file system
Small correction. In the deb testing line:

> # Enable testing or SID sources.
> echo "deb-src http://ftp.nl.debian.org/debian testing main contrib non-free" > /etc/apt/sources.list.d/testing.list

*( changed deb to deb-src )

> Greetz,
>
> Louis
> Hmm, I think it's good that you read:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html
>
> Check ProtectSystem= PrivateTmp= ReadWritePaths=
> And basically the sandboxing part.

I had an opinion that a systemd based distro won't suit my customization needs, then I chose Devuan. I'm actually using Devuan Ascii as nfs root and I already managed sorts of things with the help of custom scripts. Because working with SysVinit is much easier than systemd.

> # vanbelle repo.
> echo "deb http://apt.van-belle.nl/debian stretch-samba49 main contrib non-free" > /etc/apt/sources.list.d/van-belle.list
>
> # Enable stretch-backports.
> echo "deb http://ftp.nl.debian.org/debian stretch-backports main contrib non-free" > /etc/apt/sources.list.d/stretch-backports.list
>
> # Enable testing or SID sources.
> echo "deb-src http://ftp.nl.debian.org/debian testing main contrib non-free" > /etc/apt/sources.list.d/testing.list
>
> #
> apt-get update
> apt-get install -t stretch-backports debhelper lintian devscripts build-essential fakeroot dh-systemd libdistro-info-perl quilt -y
> apt-get build-dep sssd -y
> apt-get source sssd -by
>
> And wait, until your .deb's are ready.
>
> The most simple and quick rebuild of sssd.
> You need sssd 1.16 (this was 1.15.2) is minimal with the current
> samba versions as far as I know.

Thank you for this guide. I hope you really consider keeping compatible builds of sssd in your repo.

Regards,
__
Taner Tas
On Fri, 28 Dec 2018 12:14:52 +0300 Taner Tas via samba <samba at lists.samba.org> wrote:

> > Hmm, I think it's good that you read:
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> >
> > Check ProtectSystem= PrivateTmp= ReadWritePaths=
> > And basically the sandboxing part.
>
> I had an opinion that a systemd based distro won't suit my
> customization needs, then I chose Devuan. I'm actually using Devuan
> Ascii as nfs root and I already managed sorts of things with the help of
> custom scripts. Because working with SysVinit is much easier than
> systemd.

Using SysVinit isn't really any easier than systemd, it is all the baggage that comes with systemd that is the problem. If, like me, you are used to doing things one way and systemd tries to force you to do them another way, you are going to ask, just what does this get me? In most cases, in my opinion, it gets you nothing but more complexity. I am waiting for systemd-bash, they seem to have come up with most other things, not bad for something that was supposed to be a new init system.

> > The most simple and quick rebuild of sssd.
> > You need sssd 1.16 (this was 1.15.2) is minimal with the current
> > samba versions as far as I know.
>
> Thank you for this guide. I hope you really consider keeping
> compatible builds of sssd in your repo.

I don't think he will, mainly because of two things, he has enough on his plate producing all the Samba debs and you do not need sssd.

Rowland
> no it is not, you just refuse learning and don't realize that for
> the few cases where you benefit from a script you can just place it as
> "ExecStart"

Wish my situation was as simple as just "place it as ExecStart". I won't go deeper into the service orders and runlevels that I have to deal with. I'm a former systemd user and I have a bit of understanding of its benefits and obstacles as well. I'm actually not a sysvinit fan either. I opt for OpenRC due to its simplicity.

> please stop claiming initscripts are easier and tell the truth that *for
> you* they are easier because you never bothered about anything else
> and what you don't know and understand is difficult

As you wish.

Regards
__
Taner Tas