Alessandro Briosi
2014-Dec-31 15:48 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto:>>> OK, you can get winbind to update your keytab, you need to alter your >>> smb.conf slightly. You need to change 'kerberos method = secrets >>> only' >>> to either 'kerberos method = secrets and keytab' or 'kerberos method >>> >>> system keytab' and add the line >>> >>> 'dedicated keytab file = /etc/krb5.keytab'. >> >> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to >> smb.conf > > Alessandro said to use sssd in the original post. Didn't use that so > far, but I don't have any evidence that it would read winbind settings > from smb.conf. > > Regards, > - lars.Exactly, winbind is not used. It was used as a start, but would prefer to use sssd. What I'm not sure is why the kerberos keytab file expires. This does not happen on the DC, but only on this member server. I might schedule a script to update the keytab file, though I'm not sure that's the expected behaviour. Ciao, Alessandro
Rowland Penny
2014-Dec-31 17:24 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 31/12/14 15:48, Alessandro Briosi wrote:> Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto: >>>> OK, you can get winbind to update your keytab, you need to alter your >>>> smb.conf slightly. You need to change 'kerberos method = secrets only' >>>> to either 'kerberos method = secrets and keytab' or 'kerberos method >>>> system keytab' and add the line >>>> >>>> 'dedicated keytab file = /etc/krb5.keytab'. >>> >>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to >>> smb.conf >> >> Alessandro said to use sssd in the original post. Didn't use that so >> far, but I don't have any evidence that it would read winbind settings >> from smb.conf. >> >> Regards, >> - lars. > > Exactly, winbind is not used. It was used as a start, but would prefer > to use sssd. > > What I'm not sure is why the kerberos keytab file expires. This does > not happen on the DC, but only on this member server. > > I might schedule a script to update the keytab file, though I'm not > sure that's the expected behaviour. > > Ciao, > AlessandroIt expires because it was not created on the member server, having said that, sssd should be able to update the keytab, I would suggest that sssd is not setup correctly and as such, I think that you need to take this problem to the sssd mailing list. If you decide to use winbind, which I can assure you will work, this can be set up to do what you need, see my previous posts Rowland
Dr. Lars Hanke
2014-Dec-31 18:50 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
Am 31.12.2014 um 16:48 schrieb Alessandro Briosi:> Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto: >>>> OK, you can get winbind to update your keytab, you need to alter your >>>> smb.conf slightly. You need to change 'kerberos method = secrets only' >>>> to either 'kerberos method = secrets and keytab' or 'kerberos method >>>> system keytab' and add the line >>>> >>>> 'dedicated keytab file = /etc/krb5.keytab'. >>> >>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to >>> smb.conf >> >> Alessandro said to use sssd in the original post. Didn't use that so >> far, but I don't have any evidence that it would read winbind settings >> from smb.conf. >> >> Regards, >> - lars. > > Exactly, winbind is not used. It was used as a start, but would prefer > to use sssd. > > What I'm not sure is why the kerberos keytab file expires. This does not > happen on the DC, but only on this member server. > > I might schedule a script to update the keytab file, though I'm not sure > that's the expected behaviour.Have a look at k5start. This is a daemon, which is made exactly for this purpose. Maybe it is even installed on the DC due to different package dependencies of the distro. Regards, - lars.
Alessandro Briosi
2015-Jan-01 10:22 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
Il 2014-12-31 18:24 Rowland Penny ha scritto:> > It expires because it was not created on the member server, having > said that, sssd should be able to update the keytab, I would suggest > that sssd is not setup correctly and as such, I think that you need to > take this problem to the sssd mailing list. > > If you decide to use winbind, which I can assure you will work, this > can be set up to do what you need, see my previous posts > > RowlandOk, thanks for the clarification. Winbind works, it was working before (and there's no need for the keytab as it's a member server, imho). I'll try generating the keytab on the member server. Regards, Alessandro
Hi Rowland, this posting ended a lot of grief I had with expired keytabs. While this is presumably an issue of sssd, I have no chance to attack the issue right at its root*). But rejoining the domain with the lines dedicated keytab file = /etc/krb5.memberserver.keytab kerberos method = secrets and keytab winbind refresh tickets = Yes seems to fix it. Phew... Maybe You or someone else could put this information in the samba wiki. I posted my problem on the mailing list in mid December, but didn't get a single response. But here is the solution... So: Thank You again! Best regards Peter *) I am on Debian Jessie using Jessie's sssd 1.11.7-2. This version of sssd is pretty old, but, well, this is Debian. Compiling sssd on Debian is next to impossible. At least for me: no luck. Rowland Penny schrieb am 31.12.2014 18:24:> On 31/12/14 15:48, Alessandro Briosi wrote: >> Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto: >>>>> OK, you can get winbind to update your keytab, you need to alter your >>>>> smb.conf slightly. You need to change 'kerberos method = secrets only' >>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method >>>>> system keytab' and add the line >>>>> >>>>> 'dedicated keytab file = /etc/krb5.keytab'. >>>> >>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to >>>> smb.conf >>> >>> Alessandro said to use sssd in the original post. Didn't use that so >>> far, but I don't have any evidence that it would read winbind settings >>> from smb.conf. >>> >>> Regards, >>> - lars. >> >> Exactly, winbind is not used. It was used as a start, but would prefer >> to use sssd. >> >> What I'm not sure is why the kerberos keytab file expires. This does >> not happen on the DC, but only on this member server. >> >> I might schedule a script to update the keytab file, though I'm not >> sure that's the expected behaviour. >> >> Ciao, >> Alessandro > > It expires because it was not created on the member server, having said > that, sssd should be able to update the keytab, I would suggest that > sssd is not setup correctly and as such, I think that you need to take > this problem to the sssd mailing list. > > If you decide to use winbind, which I can assure you will work, this can > be set up to do what you need, see my previous posts > > Rowland > -- > To unsubscribe from this list go to the following URL and read the > instructions: lists.samba.org/mailman/options/samba >