Alessandro Briosi
2014-Dec-31 15:48 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>> OK, you can get winbind to update your keytab, you need to alter your
>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>> system keytab' and add the line
>>>
>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>
>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>> smb.conf
>
> Alessandro said to use sssd in the original post. Didn't use that so
> far, but I don't have any evidence that it would read winbind settings
> from smb.conf.
>
> Regards,
> - lars.

Exactly, winbind is not used. It was used as a start, but I would prefer to use sssd.

What I'm not sure about is why the kerberos keytab file expires. This does not happen on the DC, but only on this member server.

I might schedule a script to update the keytab file, though I'm not sure that's the expected behaviour.

Ciao,
Alessandro
Rowland Penny
2014-Dec-31 17:24 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 31/12/14 15:48, Alessandro Briosi wrote:
> On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>> system keytab' and add the line
>>>>
>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>
>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>> smb.conf
>>
>> Alessandro said to use sssd in the original post. Didn't use that so
>> far, but I don't have any evidence that it would read winbind settings
>> from smb.conf.
>>
>> Regards,
>> - lars.
>
> Exactly, winbind is not used. It was used as a start, but would prefer
> to use sssd.
>
> What I'm not sure is why the kerberos keytab file expires. This does
> not happen on the DC, but only on this member server.
>
> I might schedule a script to update the keytab file, though I'm not
> sure that's the expected behaviour.
>
> Ciao,
> Alessandro

It expires because it was not created on the member server. Having said that, sssd should be able to update the keytab; I would suggest that sssd is not set up correctly and, as such, I think that you need to take this problem to the sssd mailing list.

If you decide to use winbind, which I can assure you will work, this can be set up to do what you need, see my previous posts.

Rowland
Dr. Lars Hanke
2014-Dec-31 18:50 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 31.12.2014 at 16:48 Alessandro Briosi wrote:
> On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>> system keytab' and add the line
>>>>
>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>
>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>> smb.conf
>>
>> Alessandro said to use sssd in the original post. Didn't use that so
>> far, but I don't have any evidence that it would read winbind settings
>> from smb.conf.
>>
>> Regards,
>> - lars.
>
> Exactly, winbind is not used. It was used as a start, but would prefer
> to use sssd.
>
> What I'm not sure is why the kerberos keytab file expires. This does not
> happen on the DC, but only on this member server.
>
> I might schedule a script to update the keytab file, though I'm not sure
> that's the expected behaviour.

Have a look at k5start. This is a daemon which is made exactly for this purpose. Maybe it is even installed on the DC due to different package dependencies of the distro.

Regards,
- lars.
Alessandro Briosi
2015-Jan-01 10:22 UTC
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
On 2014-12-31 18:24 Rowland Penny wrote:
>
> It expires because it was not created on the member server, having
> said that, sssd should be able to update the keytab, I would suggest
> that sssd is not setup correctly and as such, I think that you need to
> take this problem to the sssd mailing list.
>
> If you decide to use winbind, which I can assure you will work, this
> can be set up to do what you need, see my previous posts
>
> Rowland

Ok, thanks for the clarification. Winbind works, it was working before (and there's no need for the keytab as it's a member server, imho).

I'll try generating the keytab on the member server.

Regards,
Alessandro
Hi Rowland,

this posting ended a lot of grief I had with expired keytabs. While this is presumably an issue of sssd, I have no chance to attack the issue right at its root*). But rejoining the domain with the lines

dedicated keytab file = /etc/krb5.memberserver.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes

seems to fix it. Phew...

Maybe you or someone else could put this information in the samba wiki. I posted my problem on the mailing list in mid December, but didn't get a single response. But here is the solution...

So: Thank you again!

Best regards
Peter

*) I am on Debian Jessie using Jessie's sssd 1.11.7-2. This version of sssd is pretty old, but, well, this is Debian. Compiling sssd on Debian is next to impossible. At least for me: no luck.

Rowland Penny wrote on 31.12.2014 18:24:
> On 31/12/14 15:48, Alessandro Briosi wrote:
>> On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>>> system keytab' and add the line
>>>>>
>>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>>
>>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>>> smb.conf
>>>
>>> Alessandro said to use sssd in the original post. Didn't use that so
>>> far, but I don't have any evidence that it would read winbind settings
>>> from smb.conf.
>>>
>>> Regards,
>>> - lars.
>>
>> Exactly, winbind is not used. It was used as a start, but would prefer
>> to use sssd.
>>
>> What I'm not sure is why the kerberos keytab file expires. This does
>> not happen on the DC, but only on this member server.
>>
>> I might schedule a script to update the keytab file, though I'm not
>> sure that's the expected behaviour.
>>
>> Ciao,
>> Alessandro
>
> It expires because it was not created on the member server, having said
> that, sssd should be able to update the keytab, I would suggest that
> sssd is not setup correctly and as such, I think that you need to take
> this problem to the sssd mailing list.
>
> If you decide to use winbind, which I can assure you will work, this can
> be set up to do what you need, see my previous posts
>
> Rowland
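Alessandro's idea of scheduling a script, and Rowland's point that the keytab goes stale because it was not created on this member server, can be made concrete. When the machine account password is rotated (by winbind or by sssd), AD increments the account's msDS-KeyVersionNumber, and a keytab that still only holds keys with the old KVNO stops working even though nothing in the file says "expired". The script below is an added example, not code from this thread, from Samba or from sssd: it compares the highest KVNO in the keytab with the KVNO AD reports for the machine account and regenerates the keytab with `net ads keytab create` when AD is ahead. It assumes MIT `klist(1)` and Samba's `net(8)` on a host already joined with `net ads join`, running as root; the KEYTAB variable, the hostname-to-account mapping and the sample outputs parsed in `demo` are this example's own constructions, not captured from a real domain.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or sssd): detect a stale
# member-server keytab by comparing its highest KVNO with the machine
# account's msDS-KeyVersionNumber in AD, and regenerate it when AD is ahead.
# Assumptions: MIT klist(1) and Samba net(8) are installed, the host is
# joined (machine secret in secrets.tdb), and the script runs as root.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"   # assumed default location

# keytab_max_kvno: reads `klist -k` output on stdin and prints the highest
# KVNO among its entries (entry lines look like "   5 MEMBER$@EXAMPLE.COM").
# Prints 0 when the keytab has no entries, so an empty keytab counts as stale.
keytab_max_kvno() {
    awk 'BEGIN { max = 0 }
         $1 ~ /^[0-9]+$/ && ($1 + 0) > max { max = $1 + 0 }
         END { print max }'
}

# ad_kvno: reads `net ads search ... msDS-KeyVersionNumber` output on stdin
# and prints the attribute value, or 0 if the attribute is missing.
ad_kvno() {
    awk 'BEGIN { v = 0 }
         $1 == "msDS-KeyVersionNumber:" { v = $2 + 0 }
         END { print v }'
}

# keytab_is_stale KT_KVNO AD_KVNO: succeeds when AD has rotated the machine
# password past the newest key the keytab holds.
keytab_is_stale() {
    [ "$2" -gt "$1" ]
}

# check_keytab: the live check against the real tools. Not exercised
# offline; it needs a joined host and AD reachability.
check_keytab() {
    acct="$(hostname -s | tr '[:lower:]' '[:upper:]')\$"   # e.g. MEMBER$
    kt=$(klist -k "$KEYTAB" | keytab_max_kvno)
    ad=$(net ads search "(sAMAccountName=$acct)" msDS-KeyVersionNumber | ad_kvno)
    if keytab_is_stale "$kt" "$ad"; then
        echo "keytab KVNO $kt behind AD KVNO $ad, regenerating $KEYTAB" >&2
        net ads keytab create
    else
        echo "keytab KVNO $kt is current (AD: $ad)" >&2
    fi
}

# demo: runs the parsing logic over constructed sample output (not captured
# from a real host) so the decision can be checked without a domain.
demo() {
    sample_klist='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/member.example.com@EXAMPLE.COM
   5 MEMBER$@EXAMPLE.COM'
    sample_search='Got 1 replies

msDS-KeyVersionNumber: 6'
    kt=$(printf '%s\n' "$sample_klist" | keytab_max_kvno)
    ad=$(printf '%s\n' "$sample_search" | ad_kvno)
    if keytab_is_stale "$kt" "$ad"; then
        echo "stale: keytab KVNO $kt, AD KVNO $ad"
    else
        echo "current: keytab KVNO $kt, AD KVNO $ad"
    fi
}

if [ "${1:-}" = "demo" ]; then
    demo
elif [ "${1:-}" = "check" ]; then
    check_keytab
fi
```

Run `sh keytab-check.sh demo` to see the decision on the constructed sample, and `sh keytab-check.sh check` from cron on a member server that relies on sssd alone. Where winbind is running with `kerberos method = secrets and keytab` and `dedicated keytab file` set, as in the fix Peter reports, winbind rewrites the keytab itself after each machine password change and this script only confirms that nothing drifted.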