Alessandro Briosi
2014-Dec-31 08:58 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
>> Hi, how have you set up the fileserver?
>> Is it joined to the domain?
>> Can you post your fileserver's smb.conf
>> Rowland

OT: Oops, wasn't subscribed to the mailing list :)

Yes, the server is joined to the domain (otherwise I would not be able to generate the principal).

The server configuration is as follows (only the global part); the winbind config is there because it was used before sssd (I had troubles with library paths on CentOS 7 and sssd).

[global]
workgroup = DOMAIN
realm = AD.DOMAIN.NET
security = ads
idmap config * : range = 16777216-33554431
template shell = /sbin/nologin
kerberos method = secrets only
netbios name = srvfile1
netbios aliases = srvfile
reset on zero vc = yes

server string
encrypt passwords = yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 0-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = false

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
create mask = 0770
Rowland Penny
2014-Dec-31 09:56 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 31/12/14 08:58, Alessandro Briosi wrote:
>>> Hi, how have you set up the fileserver?
>>> Is it joined to the domain?
>>> Can you post your fileserver's smb.conf
>
>>> Rowland
>
> OT: Oops, wasn't subscribed to the mailing list :)
>
> Yes, the server is joined to the domain (otherwise I would not be able to
> generate the principal).
>
> The server configuration is as follows (only the global part); the winbind config
> is there because it was used before sssd (I had troubles with library
> paths on CentOS 7 and sssd).
>
> [global]
> workgroup = DOMAIN
> realm = AD.DOMAIN.NET
> security = ads
> idmap config * : range = 16777216-33554431
> template shell = /sbin/nologin
> kerberos method = secrets only
> netbios name = srvfile1
> netbios aliases = srvfile
> reset on zero vc = yes
>
> server string
> encrypt passwords = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-20000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 0-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = false
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> create mask = 0770

OK, you can get winbind to update your keytab; you need to alter your smb.conf slightly. You need to change 'kerberos method = secrets only' to either 'kerberos method = secrets and keytab' or 'kerberos method = system keytab' and add the line 'dedicated keytab file = /etc/krb5.keytab'.

You also have a line twice, 'idmap config * : range = 16777216-33554431' and 'idmap config *:range = 10000-20000'. You really shouldn't start the 'DOMAIN' range with '0'; it also overlaps with the second 'idmap config *:range'.

Remember to restart samba after making the changes.

Rowland
Rowland Penny
2014-Dec-31 12:28 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 31/12/14 09:56, Rowland Penny wrote:
> On 31/12/14 08:58, Alessandro Briosi wrote:
>>>> Hi, how have you set up the fileserver?
>>>> Is it joined to the domain?
>>>> Can you post your fileserver's smb.conf
>>
>>>> Rowland
>>
>> OT: Oops, wasn't subscribed to the mailing list :)
>>
>> Yes, the server is joined to the domain (otherwise I would not be able to
>> generate the principal).
>>
>> The server configuration is as follows (only the global part); the winbind config
>> is there because it was used before sssd (I had troubles with library
>> paths on CentOS 7 and sssd).
>>
>> [global]
>> workgroup = DOMAIN
>> realm = AD.DOMAIN.NET
>> security = ads
>> idmap config * : range = 16777216-33554431
>> template shell = /sbin/nologin
>> kerberos method = secrets only
>> netbios name = srvfile1
>> netbios aliases = srvfile
>> reset on zero vc = yes
>>
>> server string
>> encrypt passwords = yes
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 10000-20000
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 0-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = false
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> create mask = 0770
>
> OK, you can get winbind to update your keytab; you need to alter your
> smb.conf slightly. You need to change 'kerberos method = secrets only'
> to either 'kerberos method = secrets and keytab' or 'kerberos method =
> system keytab' and add the line
>
> 'dedicated keytab file = /etc/krb5.keytab'.
>
> You also have a line twice, 'idmap config * : range =
> 16777216-33554431' and 'idmap config *:range = 10000-20000'. You
> really shouldn't start the 'DOMAIN' range with '0'; it also overlaps
> with the second 'idmap config *:range'.
>
> Remember to restart samba after making the changes.
>
> Rowland
>

OOPS, I forgot a line: also add 'winbind refresh tickets = Yes' to smb.conf.

Rowland
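As an added example (not code from this thread, and not Samba's own testparm), here is a small Python linter that applies the checks Rowland raises in his two replies to the posted [global] section: the 'idmap config *:range' parameter given twice, the DOMAIN range starting at 0 and overlapping the '*' range, 'kerberos method = secrets only' leaving the keytab stale, and the missing 'dedicated keytab file' and 'winbind refresh tickets' lines. Both configurations in the script are constructed from the one posted above (with the 'idamp' typo corrected so the line parses); the corrected DOMAIN range value is a placeholder, and the cut-off of 1000 for local account IDs is an assumption about a typical Linux host.

```python
"""Lint the [global] section of an smb.conf for the problems discussed in
this thread. Constructed example, not part of Samba or of the thread."""
import re

# Assumption: IDs below this belong to local system accounts (root is 0).
LOCAL_ID_CEILING = 1000

# Constructed sample: the posted configuration, cut down to the keys at issue.
POSTED_CONF = """
[global]
workgroup = DOMAIN
realm = AD.DOMAIN.NET
security = ads
idmap config * : range = 16777216-33554431
kerberos method = secrets only
idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 0-40000
"""

# Constructed sample: the same section with the thread's fixes applied. The
# DOMAIN range is a placeholder; with the 'ad' backend it has to cover the
# uidNumber/gidNumber values stored in AD and must not overlap the '*' range.
FIXED_CONF = """
[global]
workgroup = DOMAIN
realm = AD.DOMAIN.NET
security = ads
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 100000-199999
"""


def parse_global(text):
    """Return the [global] parameters as an ordered list of (name, value).
    Names are lower-cased and whitespace-normalised, mirroring smbd, which
    ignores case and spacing in parameter names, so 'idmap config * : range'
    and 'idmap config *:range' are the same parameter."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue  # shares, or malformed lines such as a bare 'server string'
        name, value = line.split("=", 1)
        name = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", name.strip().lower()))
        pairs.append((name, value.strip()))
    return pairs


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    pairs = parse_global(text)
    findings = []

    # 1. A parameter given twice: smbd keeps the last occurrence, so the
    #    earlier one is dead configuration that misleads whoever reads the file.
    effective = {}
    for name, value in pairs:
        if name in effective:
            findings.append(f"duplicate '{name}': '{effective[name]}' is overridden by '{value}'")
        effective[name] = value

    # 2. idmap ranges: each domain (including '*') needs its own block of IDs,
    #    the blocks must not overlap, and none should reach into local accounts.
    ranges = []
    for name, value in effective.items():
        m = re.match(r"idmap config (.+):range$", name)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((m.group(1), lo, hi))
    for dom, lo, hi in ranges:
        if lo < LOCAL_ID_CEILING:
            findings.append(f"idmap range for '{dom}' starts at {lo}, inside the local account ID space")
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if max(lo1, lo2) <= min(hi1, hi2):
                findings.append(f"idmap ranges for '{d1}' ({lo1}-{hi1}) and '{d2}' ({lo2}-{hi2}) overlap")

    # 3. Keytab upkeep: with 'secrets only' (the default) winbind never writes
    #    the machine account keys to the keytab, so it goes stale when the
    #    machine password is rotated.
    if effective.get("kerberos method", "default") in ("default", "secrets only"):
        findings.append("'kerberos method' should be 'secrets and keytab' or 'system keytab'")
    if "dedicated keytab file" not in effective:
        findings.append("'dedicated keytab file' is not set (e.g. /etc/krb5.keytab)")
    if effective.get("winbind refresh tickets", "no").lower() not in ("yes", "true", "1"):
        findings.append("'winbind refresh tickets' should be yes")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {lint(conf) or ['clean']}")
```

Run it as-is to see six findings for the posted section and none for the corrected one; point `lint()` at the text of a real smb.conf to check your own. The parser deliberately skips lines without '=', which is also why the posted 'server string' line with no value would be ignored rather than crash the check.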