Rowland Penny
2014-Dec-31 12:28 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 31/12/14 09:56, Rowland Penny wrote:
> On 31/12/14 08:58, Alessandro Briosi wrote:
>>>> Hi, how have you set up the fileserver?
>>>> Is it joined to the domain?
>>>> Can you post your fileserver's smb.conf
>>
>>>> Rowland
>>
>> OT: Oops, wasn't subscribed to the mailing list :)
>>
>> Yes, server is joined to the domain (otherwise I would not be able to
>> generate the principal)
>>
>> Server configuration is following (only global part), winbind config
>> is there because it was used before sssd (I had troubles with library
>> paths on CentOS 7 and sssd)
>>
>> [global]
>> workgroup = DOMAIN
>> realm = AD.DOMAIN.NET
>> security = ads
>> idmap config * : range = 16777216-33554431
>> template shell = /sbin/nologin
>> kerberos method = secrets only
>> netbios name = srvfile1
>> netbios aliases = srvfile
>> reset on zero vc = yes
>>
>> server string
>> encrypt passwords = yes
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 10000-20000
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 0-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = false
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> create mask = 0770
>
> OK, you can get winbind to update your keytab, you need to alter your
> smb.conf slightly. You need to change 'kerberos method = secrets only'
> to either 'kerberos method = secrets and keytab' or 'kerberos method =
> system keytab' and add the line
>
> 'dedicated keytab file = /etc/krb5.keytab'.
>
> You also have a line twice, 'idmap config * : range =
> 16777216-33554431' and 'idmap config *:range = 10000-20000', you
> really shouldn't start the 'DOMAIN' range with '0', it also overlaps
> with the second 'idmap config *:range'.
>
> Remember to restart samba after making the changes.
>
> Rowland
>

OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to smb.conf

Rowland
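The problems Rowland points out in the posted [global] section (the same idmap parameter given twice, a DOMAIN range starting at 0 and overlapping the '*' range, and a 'kerberos method' under which winbind never maintains the keytab) can be checked mechanically before restarting Samba. The following is an added example, not code from this thread or from the Samba project: a small Python lint over the [global] section, run against a constructed copy of the posted configuration and against a constructed version with Rowland's changes applied. It normalizes parameter names the way smb.conf does (case and whitespace are ignored, so 'idmap config * : range' and 'idmap config *:range' are one parameter, and the last definition wins). The corrected DOMAIN range of 30000-40000 is an arbitrary illustrative value, not a recommendation from the thread.

```python
"""Lint the [global] section of an smb.conf for the issues raised in the thread."""
import re
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed input: the posted [global] section (trimmed), before any fixes.
POSTED_SMB_CONF = """\
[global]
    workgroup = DOMAIN
    realm = AD.DOMAIN.NET
    security = ads
    idmap config * : range = 16777216-33554431
    kerberos method = secrets only
    idmap config *:backend = tdb
    idmap config *:range = 10000-20000
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 0-40000
    winbind use default domain = yes
"""

# Constructed input: the same section with the thread's recommendations applied.
# The DOMAIN range 30000-40000 is an arbitrary non-overlapping choice for illustration.
FIXED_SMB_CONF = """\
[global]
    workgroup = DOMAIN
    realm = AD.DOMAIN.NET
    security = ads
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = Yes
    idmap config *:backend = tdb
    idmap config *:range = 10000-20000
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 30000-40000
    winbind use default domain = yes
"""


def normalize_key(key: str) -> str:
    """smb.conf parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_global(text: str) -> List[Tuple[str, str]]:
    """Return (normalized key, value) pairs from [global], keeping duplicates in order."""
    pairs: List[Tuple[str, str]] = []
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((normalize_key(key), value.strip()))
    return pairs


def parse_range(value: str) -> Tuple[int, int]:
    """Parse an idmap range such as '10000-20000' into (low, high)."""
    lo, hi = (int(part) for part in value.split("-", 1))
    return lo, hi


def lint_smb_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    ranges: Dict[str, Tuple[int, int]] = {}

    for key, value in parse_global(text):
        if key in seen:
            findings.append(f"duplicate parameter '{key}': '{seen[key]}' then '{value}' (the last one wins)")
        seen[key] = value
        match = re.fullmatch(r"idmapconfig(.+):range", key)
        if match:
            ranges[match.group(1)] = parse_range(value)  # last definition wins

    # Idmap ranges must not start at 0 (local system ids) and must not overlap each other.
    for domain, (lo, _hi) in ranges.items():
        if lo == 0:
            findings.append(f"idmap range for '{domain}' starts at 0 and collides with local system ids")
    for (dom_a, (lo_a, hi_a)), (dom_b, (lo_b, hi_b)) in combinations(ranges.items(), 2):
        if lo_a <= hi_b and lo_b <= hi_a:
            findings.append(f"idmap ranges overlap: '{dom_a}' {lo_a}-{hi_a} and '{dom_b}' {lo_b}-{hi_b}")

    # Keytab maintenance: with 'secrets only' winbind does not write or update a keytab.
    method = seen.get("kerberosmethod", "secrets only").lower()
    if method == "secrets only":
        findings.append("kerberos method = secrets only: winbind will not maintain the keytab; "
                        "use 'secrets and keytab' or 'system keytab'")
    if "dedicatedkeytabfile" not in seen:
        findings.append("dedicated keytab file is not set (thread recommends /etc/krb5.keytab)")
    if seen.get("winbindrefreshtickets", "no").lower() not in ("yes", "true", "1"):
        findings.append("winbind refresh tickets is not enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"== {name} ==")
        for finding in lint_smb_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Running it prints six findings for the posted section and none for the fixed one. The lint only covers the points raised in this thread; it does not replace `testparm`, which validates the whole file against the parameters Samba actually knows.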
Dr. Lars Hanke
2014-Dec-31 15:29 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
>> OK, you can get winbind to update your keytab, you need to alter your
>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>> system keytab' and add the line
>>
>> 'dedicated keytab file = /etc/krb5.keytab'.
>
> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to smb.conf

Alessandro said to use sssd in the original post. I haven't used that so far, but I don't have any evidence that it would read winbind settings from smb.conf.

Regards,
 - lars.
Alessandro Briosi
2014-Dec-31 15:48 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>> OK, you can get winbind to update your keytab, you need to alter your
>>> smb.conf slightly. You need to change 'kerberos method = secrets
>>> only'
>>> to either 'kerberos method = secrets and keytab' or 'kerberos method
>>> =
>>> system keytab' and add the line
>>>
>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>
>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>> smb.conf
>
> Alessandro said to use sssd in the original post. Didn't use that so
> far, but I don't have any evidence that it would read winbind settings
> from smb.conf.
>
> Regards,
> - lars.

Exactly, winbind is not used. It was used as a start, but I would prefer to use sssd.

What I'm not sure about is why the kerberos keytab file expires. This does not happen on the DC, but only on this member server.

I might schedule a script to update the keytab file, though I'm not sure that's the expected behaviour.

Ciao,
Alessandro