Andrea Cucciarre'
2021-Jan-28 11:48 UTC
[Samba] Samba doesn't honor the setting "dedicated keytab file"
Hello,

I am running Samba on Ubuntu as a DC member:

Version 4.11.6-Ubuntu

I have also installed the packages as recommended here:

https://wiki.samba.org/index.php/Distribution-specific_Package_Installation

I want the keytab file to be stored on a specific path so I have used the setting:

dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab

However, when I join the domain the krb5.keytab is created in /etc/krb5.keytab, not the path I have requested.
Below is my smb.conf global section:

[global]
    security = ads
    realm = HF4.LOCAL
    workgroup = HF4
    netbios name = hf-andrea-1-788
    log file = /hyperfile/gluster-cache/logs/winbindd/1/log.%I
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HF4 : backend = rid
    idmap config HF4 : range = 10000-999999
    log level = 5
    max log size = 10000
    winbind refresh tickets = Yes
    winbind offline logon = true
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes
    template shell = /bin/bash
    template homedir = /home/%U
    logging = file
    server role = standalone server
    map to guest = bad user
    usershare allow guests = no

Any advice on how to fix it?

--
Regards
Andrea Cucciarre'
Rowland penny
2021-Jan-28 12:17 UTC
[Samba] Samba doesn't honor the setting "dedicated keytab file"
On 28/01/2021 11:48, Andrea Cucciarre' via samba wrote:
> Hello,
>
> I am running Samba on Ubuntu as a DC member:
>
> Version 4.11.6-Ubuntu
>
> I have also installed the packages as recommended here:
>
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation
>
> I want the keytab file to be stored on a specific path so I have used
> the setting:
>
> dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
>
> However, when I join the domain the krb5.keytab is created in
> /etc/krb5.keytab, not the path I have requested.
> Below is my smb.conf global section:
>
> [global]
>     security = ads
>     realm = HF4.LOCAL
>     workgroup = HF4
>     netbios name = hf-andrea-1-788
>     log file = /hyperfile/gluster-cache/logs/winbindd/1/log.%I
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config HF4 : backend = rid
>     idmap config HF4 : range = 10000-999999
>     log level = 5
>     max log size = 10000
>     winbind refresh tickets = Yes
>     winbind offline logon = true
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>     dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
>     kerberos method = secrets and keytab
>     client signing = yes
>     client use spnego = yes
>     template shell = /bin/bash
>     template homedir = /home/%U
>     logging = file
>     server role = standalone server
>     map to guest = bad user
>     usershare allow guests = no
>
> Any advice on how to fix it?
>

Try reading 'man smb.conf', where you will find that the keytab in 'secrets and keytab' isn't the 'dedicated keytab'.

I have never tried it, but I think you would have to have 'kerberos method = dedicated keytab' in smb.conf before the join to get the keytab created where you require it. However, even if this works, I wouldn't recommend it. Just copy the keytab to the required location.

Finally, where did you get the idea that adding 'server role = standalone server' to the smb.conf of a Unix domain member was okay? If it came from a website somewhere, can you supply a link?

Rowland
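
A lint check for the two mismatches raised in the reply above, as an added example that is not code from either poster or from the Samba project. It relies on the smb.conf man page, which ties `dedicated keytab file` to `kerberos method = dedicated keytab`; the function names, finding codes and the trimmed sample config are assumptions made for illustration.

```python
import re

# Constructed sample: the relevant [global] lines from the post, trimmed.
SAMPLE = """\
[global]
    security = ads
    dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
    kerberos method = secrets and keytab
    server role = standalone server
"""

def _name(raw):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", raw).lower()

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _name(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            params[_name(name)] = " ".join(value.split())
    return params

def check_keytab_settings(text):
    """Return (code, message) findings for keytab-related inconsistencies."""
    p, findings = parse_global(text), []
    method = p.get("kerberosmethod", "secrets only").lower()
    keytab = p.get("dedicatedkeytabfile")
    if keytab and method != "dedicated keytab":
        findings.append(("keytab-path-unused",
            f"'dedicated keytab file = {keytab}' has no effect with 'kerberos method = {method}'"))
    if method == "dedicated keytab" and not keytab:
        findings.append(("keytab-path-missing", "'dedicated keytab file' is not set"))
    if p.get("security", "").lower() == "ads" and p.get("serverrole", "").lower() == "standalone server":
        findings.append(("role-conflict", "'security = ads' combined with 'server role = standalone server'"))
    return findings

if __name__ == "__main__":
    for code, message in check_keytab_settings(SAMPLE):
        print(f"WARN [{code}] {message}")
```

The check only reports inconsistent settings; it does not establish where `net ads join` writes the keytab.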