Andreas Hauffe
2015-Feb-13  10:26 UTC
[Samba] Problem with "kerberos method = secrets and keytab"
Hi Peter,

thanks for your hints. The point is that no /etc/krb5.conf was generated automatically when joining the domain (told in the wiki). Now I generated one manually and now it works.

I'm not frustrated at all. I see a lot of advantages for me, even if it doesn't work. Right now we have a system with Bind9, OpenLDAP, Kerberos, NFS4, Samba3 on the server side. I had to configure each service separately and then make them work together.

Now all is one service with one wiki and one mailing list, if I'm having trouble. The different services inside Samba4 already work together. And up to now I always got a feedback from the samba mailing list. So everything is fine! Thanks to all!!

--
Best regards
Andreas Hauffe

On Thursday, 12 February 2015, 01:04:59, Peter Serbe wrote:
> Hi Andreas,
>
> I convinced Rowland to change the wiki like that. You might want to check
> out the thread "Samba4 and sssd, keytab file expires?". Read it, and You
> will understand its implications. Even if it works now, it doesn't mean
> that it will work for long...
>
> The first thing I would check is the kerberos setup. I would also check,
> whether DNS is OK for both forward and backward directions. Then I would
> either check sssd or winbind (depending on Your installation). It might
> be worthwhile to do all the checks without the offending entry in smb.conf.
>
> HTH
> Best regards
> Peter
>
> PS: it can be pretty frustrating to get it working for the first time.
> But then it is rock solid. It might be a good idea to jump to 4.2.0rc4 -
> nearly all known bugs are fixed... (some might disagree, I am sure...).
> Do You plan to use RFC2307?
>
> Andreas Hauffe wrote on 11.02.2015 16:39:
> > Hi,
> >
> > I'm using the smb.conf from
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> > to add a member server as file server to the domain.
> >
> > If I'm using the original smb.conf with "kerberos method = secrets and
> > keytab", I'm not able to see any share on a Windows Client in the domain.
> > If I use the default "kerberos method = secrets" everything works.
> >
> > Does anyone have an idea why this happens?
> >
> > And can someone tell me, why there is a "dedicated keytab file
> > /etc/krb5.keytab" in the smb.conf. I read that the system keytab is used if
> > "kerberos method = secrets and keytab" was chosen?
Rowland Penny
2015-Feb-13  11:04 UTC
[Samba] Problem with "kerberos method = secrets and keytab"
On 13/02/15 10:26, Andreas Hauffe wrote:
> Hi Peter,
>
> thanks for your hints. The point is that no /etc/krb5.conf was generated automatically when
> joining the domain (told in the wiki). Now I generated one manually and now it works.

/etc/krb5.conf is never created automatically when you join the domain, /etc/krb5.keytab is, so can you point to where in the wiki it says that the conf file will be created?

> I'm not frustrated at all. I see a lot of advantages for me, even if it doesn't work. Right now we
> have a system with Bind9, OpenLDAP, Kerberos, NFS4, Samba3 on the server side. I had to
> configure each service separately and then make them work together.
>
> Now all is one service with one wiki and one mailing list, if I'm having trouble. The different
> services inside Samba4 already work together. And up to now I always got a feedback from the
> samba mailing list. So everything is fine! Thanks to all!!

If you are having problems understanding the wiki, please let us know what you do not understand and we will try to make it more understandable.

Rowland
Andreas Hauffe
2015-Feb-13  11:10 UTC
[Samba] Problem with "kerberos method = secrets and keytab"
On Friday, 13 February 2015, 11:04:26, Rowland Penny wrote:
> On 13/02/15 10:26, Andreas Hauffe wrote:
> > Hi Peter,
> >
> > thanks for your hints. The point is that no /etc/krb5.conf was generated
> > automatically when joining the domain (told in the wiki). Now I generated
> > one manually and now it works.
> /etc/krb5.conf is never created automatically when you join the domain,
> /etc/krb5.keytab is, so can you point to where in the wiki it says that
> the conf file will be created?

Oh, no! My mistake, sorry! I wanted to write krb5.keytab but wrote krb5.conf. But the krb5.keytab wasn't created automatically.

> > I'm not frustrated at all. I see a lot of advantages for me, even if it
> > doesn't work. Right now we have a system with Bind9, OpenLDAP, Kerberos,
> > NFS4, Samba3 on the server side. I had to configure each service
> > separately and then make them work together.
> >
> > Now all is one service with one wiki and one mailing list, if I'm having
> > trouble. The different services inside Samba4 already work together. And
> > up to now I always got a feedback from the samba mailing list. So
> > everything is fine! Thanks to all!!
>
> If you are having problems understanding the wiki, please let us know
> what you do not understand and we will try to make it more understandable.
>
> Rowland

--
Best regards
Andreas Hauffe
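
Added example, not part of the thread and not Samba project code: a POSIX shell check for the condition the thread ends on, an smb.conf whose "kerberos method" relies on a keytab that was never created. The mapping of method to keytab follows the smb.conf man page; the function names, return codes and sample paths are assumptions, and smb.conf is read as flat "key = value" lines.

```shell
#!/bin/sh
# Added example (not from the thread): check that the keytab smbd is told to
# use by "kerberos method" exists and is private. Simplified: no includes,
# no per-section handling; the last matching line wins.

smbconf_get() {  # $1 = smb.conf path, $2 = lower-case parameter name
    awk -v want="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }          # skip comments and non-parameters
        {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }' "$1"
}

# $1 = smb.conf path, $2 = system keytab path (normally /etc/krb5.keytab)
# Returns 0 = consistent, 1 = keytab missing or empty, 2 = keytab too open.
check_keytab_config() {
    method=$(smbconf_get "$1" "kerberos method" | tr '[:upper:]' '[:lower:]')
    case "$method" in
        "system keytab"|"secrets and keytab") kt=$2 ;;
        "dedicated keytab")
            kt=$(smbconf_get "$1" "dedicated keytab file"); kt=${kt#FILE:} ;;
        *)  echo "OK: method '${method:-default}' does not use a keytab"
            return 0 ;;
    esac
    if [ ! -s "$kt" ]; then
        echo "FAIL: '$method' expects keytab $kt, which is missing or empty"
        return 1
    fi
    # Characters 5-10 of the ls -l mode string are the group/other bits.
    if [ "$(ls -ld "$kt" | cut -c5-10)" != "------" ]; then
        echo "WARN: $kt is accessible to group/other"
        return 2
    fi
    echo "OK: '$method' and keytab $kt is present and private"
}

# Constructed sample: the thread's setting, with no keytab on disk yet.
demo=$(mktemp -d)
printf '[global]\n  Kerberos Method = secrets and keytab\n' > "$demo/smb.conf"
check_keytab_config "$demo/smb.conf" "$demo/krb5.keytab" || true
```

On a member server, pass the real smb.conf and /etc/krb5.keytab; the keytab holds the machine account's long-term keys, which is why the check also rejects group or world access.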