samba - Oct 2015 - self compiled samba domain member, jessie, pam config

Hi,

I have the keytab file, it just seems that:

"technically "secrets and keytab" means that samba uses both the 
internal secrets and system keytab file for keytab storage. secrets is 
in memory (so this works even if changing uid). keytab on the other hand 
is only opened when needed."

So I have the keytab, I just needed to chmod g+r for it to be readable 
after "winbindd forks, changes to the uid of the user that is logging
in."

Both quotes above are from the samba bugreport. 
(https://bugzilla.samba.org/show_bug.cgi?id=10490)

And about your line
 >     winbind refresh tickets = Yes # <-- do you have this line
Yes I do. I pretty much took the domain member server smb.conf from the 
wiki.

MJ

On 26-10-2015 21:46, Rowland Penny wrote:
>
> If you don't have the keytab, try leaving the domain and re-joining,
> this should create the keytab, if you do have the keytab, remove it
> then, leave and re-join.

On 26/10/15 21:01, mourik jan c heupink wrote:
> Hi,
>
> I have the keytab file, it just seems that:
>
> "technically "secrets and keytab" means that samba uses both
the
> internal secrets and system keytab file for keytab storage. secrets is 
> in memory (so this works even if changing uid). keytab on the other 
> hand is only opened when needed."
>
> So I have the keytab, I just needed to chmod g+r for it to be readable 
> after "winbindd forks, changes to the uid of the user that is logging 
> in."
>
> Both quotes above are from the samba bugreport. 
> (https://bugzilla.samba.org/show_bug.cgi?id=10490)
>
> And about your line
> >     winbind refresh tickets = Yes # <-- do you have this line
> Yes I do. I pretty much took the domain member server smb.conf from 
> the wiki.
>
> MJ
>
> On 26-10-2015 21:46, Rowland Penny wrote:
>>
>> If you don't have the keytab, try leaving the domain and
re-joining,
>> this should create the keytab, if you do have the keytab, remove it
>> then, leave and re-join.
>
Weird, I have never had Problems (and if I start having them now, I am 
going to blame you :-) ) and this is my keytab permissions:

ls -la /etc/krb5.keytab
-rw------- 1 root root 1732 Oct 14 19:46 /etc/krb5.keytab

Rowland

On 26/10/15 21:01, mourik jan c heupink wrote:
> Hi,
>
> I have the keytab file, it just seems that:
>
> "technically "secrets and keytab" means that samba uses both
the
> internal secrets and system keytab file for keytab storage. secrets is 
> in memory (so this works even if changing uid). keytab on the other 
> hand is only opened when needed."
Hang on a minute, I thought about this and this seemed to be wrong, so I 
went and checked the smb.conf manpage and found this:

            ·   secrets and keytab - use the secrets.(n)tdb first, then the
                system keytab

So, if the manpage is to be believed, secrets is not in memory, it is a 
.tdb file.

Rowland
>
> So I have the keytab, I just needed to chmod g+r for it to be readable 
> after "winbindd forks, changes to the uid of the user that is logging 
> in."
>
> Both quotes above are from the samba bugreport. 
> (https://bugzilla.samba.org/show_bug.cgi?id=10490)
>
> And about your line
> >     winbind refresh tickets = Yes # <-- do you have this line
> Yes I do. I pretty much took the domain member server smb.conf from 
> the wiki.
>
> MJ
>
> On 26-10-2015 21:46, Rowland Penny wrote:
>>
>> If you don't have the keytab, try leaving the domain and
re-joining,
>> this should create the keytab, if you do have the keytab, remove it
>> then, leave and re-join.
>

On 26-10-2015 22:13, Rowland Penny wrote:
>
> Weird, I have never had Problems (and if I start having them now, I am
> going to blame you :-) ) and this is my keytab permissions:
I have no idea, but my testing tonight is on jessie, with samba 4.3.1. 
(and you seem to be on wheezy, if i remember correctly)

Also: I can imagine that permission-wise there could be differences 
between a tdb file (= a more or less an internal db-style 'for and from 
samba only' type of file), opposed to a real filesystem file (keytab) 
with tight permissions.

Anyway... what do I know? You are the expert here. :-)

Thanks for helping me out.