mourik jan c heupink
2015-Oct-26 21:01 UTC
[Samba] self compiled samba domain member, jessie, pam config
Hi,

I have the keytab file, it just seems that:

"technically "secrets and keytab" means that samba uses both the internal secrets and system keytab file for keytab storage. secrets is in memory (so this works even if changing uid). keytab on the other hand is only opened when needed."

So I have the keytab, I just needed to chmod g+r for it to be readable after "winbindd forks, changes to the uid of the user that is logging in."

Both quotes above are from the samba bugreport. (https://bugzilla.samba.org/show_bug.cgi?id=10490)

And about your line

> winbind refresh tickets = Yes # <-- do you have this line

Yes I do. I pretty much took the domain member server smb.conf from the wiki.

MJ

On 26-10-2015 21:46, Rowland Penny wrote:
>
> If you don't have the keytab, try leaving the domain and re-joining,
> this should create the keytab, if you do have the keytab, remove it
> then, leave and re-join.
Rowland Penny
2015-Oct-26 21:13 UTC
[Samba] self compiled samba domain member, jessie, pam config
On 26/10/15 21:01, mourik jan c heupink wrote:
> Hi,
>
> I have the keytab file, it just seems that:
>
> "technically "secrets and keytab" means that samba uses both the
> internal secrets and system keytab file for keytab storage. secrets is
> in memory (so this works even if changing uid). keytab on the other
> hand is only opened when needed."
>
> So I have the keytab, I just needed to chmod g+r for it to be readable
> after "winbindd forks, changes to the uid of the user that is logging
> in."
>
> Both quotes above are from the samba bugreport.
> (https://bugzilla.samba.org/show_bug.cgi?id=10490)
>
> And about your line
> > winbind refresh tickets = Yes # <-- do you have this line
> Yes I do. I pretty much took the domain member server smb.conf from
> the wiki.
>
> MJ
>
> On 26-10-2015 21:46, Rowland Penny wrote:
>>
>> If you don't have the keytab, try leaving the domain and re-joining,
>> this should create the keytab, if you do have the keytab, remove it
>> then, leave and re-join.
>

Weird, I have never had problems (and if I start having them now, I am going to blame you :-) ) and this is my keytab permissions:

ls -la /etc/krb5.keytab
-rw------- 1 root root 1732 Oct 14 19:46 /etc/krb5.keytab

Rowland
Rowland Penny
2015-Oct-26 21:24 UTC
[Samba] self compiled samba domain member, jessie, pam config
On 26/10/15 21:01, mourik jan c heupink wrote:
> Hi,
>
> I have the keytab file, it just seems that:
>
> "technically "secrets and keytab" means that samba uses both the
> internal secrets and system keytab file for keytab storage. secrets is
> in memory (so this works even if changing uid). keytab on the other
> hand is only opened when needed."

Hang on a minute, I thought about this and this seemed to be wrong, so I went and checked the smb.conf manpage and found this:

· secrets and keytab - use the secrets.(n)tdb first, then the system keytab

So, if the manpage is to be believed, secrets is not in memory, it is a .tdb file.

Rowland

>
> So I have the keytab, I just needed to chmod g+r for it to be readable
> after "winbindd forks, changes to the uid of the user that is logging
> in."
>
> Both quotes above are from the samba bugreport.
> (https://bugzilla.samba.org/show_bug.cgi?id=10490)
>
> And about your line
> > winbind refresh tickets = Yes # <-- do you have this line
> Yes I do. I pretty much took the domain member server smb.conf from
> the wiki.
>
> MJ
>
> On 26-10-2015 21:46, Rowland Penny wrote:
>>
>> If you don't have the keytab, try leaving the domain and re-joining,
>> this should create the keytab, if you do have the keytab, remove it
>> then, leave and re-join.
>
mourik jan c heupink
2015-Oct-26 21:42 UTC
[Samba] self compiled samba domain member, jessie, pam config
On 26-10-2015 22:13, Rowland Penny wrote:
>
> Weird, I have never had problems (and if I start having them now, I am
> going to blame you :-) ) and this is my keytab permissions:

I have no idea, but my testing tonight is on jessie, with samba 4.3.1. (and you seem to be on wheezy, if I remember correctly)

Also: I can imagine that permission-wise there could be differences between a tdb file (= more or less an internal db-style 'for and from samba only' type of file), opposed to a real filesystem file (keytab) with tight permissions.

Anyway... what do I know? You are the expert here. :-) Thanks for helping me out.
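The permission question the thread turns on (winbindd forks, switches to the logging-in user's uid, and only then opens /etc/krb5.keytab) can be checked ahead of time rather than discovered at login. The following is an added example, not code from the thread or from Samba: it evaluates the owner/group/other read bits the way Unix DAC does for a given uid and group set, and audits a real keytab path for a named user. The keytab path and the user name passed at the bottom are placeholders to replace with your own.

```python
import os
import pwd
import grp
import stat

S_IRUSR, S_IRGRP, S_IROTH = stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH


def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """True if a process running as (uid, gids) may read a file with these
    permission bits and ownership.

    Only the first matching class (owner, then group, then other) is
    consulted. That is why a root-owned 0600 keytab, as in Rowland's
    ls -la output, is unreadable to any other uid, while 0640 plus
    membership of the owning group (MJ's chmod g+r) is enough.
    Root bypass (CAP_DAC_READ_SEARCH) is modelled simply as uid 0 here."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & S_IRUSR)
    if owner_gid in gids:
        return bool(mode & S_IRGRP)
    return bool(mode & S_IROTH)


def audit_keytab(path, username):
    """Report whether `username` (the uid winbindd forks into) could read
    the keytab at `path`, and flag a world-readable keytab separately,
    since 0644 would satisfy the login but expose the machine keys."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    gids.add(pw.pw_gid)  # primary group is not listed in gr_mem
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": oct(mode),
        "readable": readable_by(mode, st.st_uid, st.st_gid, pw.pw_uid, gids),
        "world_readable": bool(mode & S_IROTH),
    }


if __name__ == "__main__":
    # Placeholder values: point these at your keytab and a domain user
    # that winbindd would switch to during login.
    print(audit_keytab("/etc/krb5.keytab", "someuser"))
```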