Andreas Hauffe
2015-Feb-11 15:39 UTC
[Samba] Problem with "kerberos method = secrets and keytab"
Hi,

I'm using the smb.conf from https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server to add a member server as file server to the domain.

If I'm using the original smb.conf with "kerberos method = secrets and keytab", I'm not able to see any share on a Windows Client in the domain. If I use the default "kerberos method = secrets" everything works.

Does anyone have an idea why this happens?

And can someone tell me why there is a "dedicated keytab file = /etc/krb5.keytab" in the smb.conf? I read that the system keytab is used if "kerberos method = secrets and keytab" was chosen?

--
Best regards
Andreas Hauffe
Peter Serbe
2015-Feb-12 00:04 UTC
[Samba] Problem with "kerberos method = secrets and keytab"
Hi Andreas,

I convinced Rowland to change the wiki like that. You might want to check out the thread "Samba4 and sssd, keytab file expires?". Read it, and you will understand its implications. Even if it works now, it doesn't mean that it will work for long...

The first thing I would check is the Kerberos setup. I would also check whether DNS is OK for both forward and backward directions. Then I would either check sssd or winbind (depending on your installation). It might be worthwhile to do all the checks without the offending entry in smb.conf.

HTH
Best regards
Peter

PS: it can be pretty frustrating to get it working for the first time. But then it is rock solid. It might be a good idea to jump to 4.2.0rc4 - nearly all known bugs are fixed... (some might disagree, I am sure...). Do you plan to use RFC2307?

Andreas Hauffe wrote on 11.02.2015 16:39:
> Hi,
>
> I'm using the smb.conf from
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> to add a member server as file server to the domain.
>
> If I'm using the original smb.conf with "kerberos method = secrets and
> keytab", I'm not able to see any share on a Windows Client in the domain. If I
> use the default "kerberos method = secrets" everything works.
>
> Does anyone have an idea why this happens?
>
> And can someone tell me why there is a "dedicated keytab file =
> /etc/krb5.keytab" in the smb.conf? I read that the system keytab is used if
> "kerberos method = secrets and keytab" was chosen?
>
> --
> Best regards
> Andreas Hauffe
Andreas Hauffe
2015-Feb-13 10:26 UTC
[Samba] Problem with "kerberos method = secrets and keytab"
Hi Peter,

thanks for your hints. The point is that no /etc/krb5.conf was generated automatically when joining the domain (told in the wiki). Now I generated one manually and now it works.

I'm not frustrated at all. I see a lot of advantages for me, even if it doesn't work. Right now we have a system with Bind9, OpenLDAP, Kerberos, NFS4, Samba3 on the server side. I had to configure each service separately and then make them work together. Now all is one service with one wiki and one mailing list, if I'm having trouble. The different services inside Samba4 already work together. And up to now I always got feedback from the samba mailing list. So everything is fine!

Thanks to all!!

--
Best regards
Andreas Hauffe

On Thursday, 12 February 2015, 01:04:59, Peter Serbe wrote:
> Hi Andreas,
>
> I convinced Rowland to change the wiki like that. You might want to check
> out the thread "Samba4 and sssd, keytab file expires?". Read it, and you
> will understand its implications. Even if it works now, it doesn't mean
> that it will work for long...
>
> The first thing I would check is the Kerberos setup. I would also check
> whether DNS is OK for both forward and backward directions. Then I would
> either check sssd or winbind (depending on your installation). It might
> be worthwhile to do all the checks without the offending entry in smb.conf.
>
> HTH
> Best regards
> Peter
>
> PS: it can be pretty frustrating to get it working for the first time.
> But then it is rock solid. It might be a good idea to jump to 4.2.0rc4 -
> nearly all known bugs are fixed... (some might disagree, I am sure...).
> Do you plan to use RFC2307?
>
> Andreas Hauffe wrote on 11.02.2015 16:39:
> > Hi,
> >
> > I'm using the smb.conf from
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> > to add a member server as file server to the domain.
> >
> > If I'm using the original smb.conf with "kerberos method = secrets and
> > keytab", I'm not able to see any share on a Windows Client in the domain.
> > If I use the default "kerberos method = secrets" everything works.
> >
> > Does anyone have an idea why this happens?
> >
> > And can someone tell me why there is a "dedicated keytab file =
> > /etc/krb5.keytab" in the smb.conf? I read that the system keytab is used
> > if "kerberos method = secrets and keytab" was chosen?
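
Added example, not part of the original thread and not Samba's own code: a pre-flight check for the situation this thread ended on, a keytab-based "kerberos method" on a member server with no /etc/krb5.conf. The function names, the constructed sample smb.conf and the default paths are assumptions; the remark on "dedicated keytab file" follows smb.conf(5), which ties that parameter to "kerberos method = dedicated keytab".

```python
import os

# "kerberos method" values that make smbd read a keytab (per smb.conf(5)).
KEYTAB_METHODS = {"system keytab", "dedicated keytab", "secrets and keytab"}

# Constructed sample: the two settings quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
"""

def parse_global(text):
    """Return the [global] parameters as a dict, keys lower-cased."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check(text, exists=os.path.exists,
          krb5_conf="/etc/krb5.conf", system_keytab="/etc/krb5.keytab"):
    """Return findings for the Kerberos settings; paths are assumed defaults."""
    p = parse_global(text)
    method = " ".join(p.get("kerberos method", "secrets only").lower().split())
    dedicated = p.get("dedicated keytab file")
    findings = []
    if method in KEYTAB_METHODS and not exists(krb5_conf):
        findings.append(f"{krb5_conf} is missing but kerberos method = {method}")
    if method in ("system keytab", "secrets and keytab") and not exists(system_keytab):
        findings.append(f"system keytab {system_keytab} is missing")
    if method == "dedicated keytab":
        if not dedicated:
            findings.append("dedicated keytab file is not set")
        elif not exists(dedicated):
            findings.append(f"dedicated keytab {dedicated} is missing")
    elif dedicated:
        findings.append(f"dedicated keytab file is set but not used with kerberos method = {method}")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE_SMB_CONF):
        print("WARN:", finding)
```

Run it with the real file contents (`check(open("/etc/samba/smb.conf").read())`) on the member server; `testparm -s` remains the authoritative view of what Samba actually parsed.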