Rowland Penny
2017-Mar-16 19:01 UTC
[Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions
On Thu, 16 Mar 2017 14:48:01 -0400 Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> Samba expects the keytab file as /etc/krb5.keytab.
>
> Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab
>
> When samba joins the domain it (probably) updates the machine
> password and then updates its krb5.keytab file. When connecting
> via ssh, the system would use a keytab file that had the wrong kvno
> and probably the wrong password key.
>
>
> The following symlink command fixed ssh logins
>
> ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab
>

Did you try:

    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5/krb5.keytab

Rowland
Gaiseric Vandal
2017-Mar-21 12:57 UTC
[Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions
On 03/16/17 15:01, Rowland Penny via samba wrote:

> On Thu, 16 Mar 2017 14:48:01 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> Samba expects the keytab file as /etc/krb5.keytab.
>>
>> Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab
>>
>> When samba joins the domain it (probably) updates the machine
>> password and then updates its krb5.keytab file. When connecting
>> via ssh, the system would use a keytab file that had the wrong kvno
>> and probably the wrong password key.
>>
>>
>> The following symlink command fixed ssh logins
>>
>> ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab
>>
> Did you try:
>
>     kerberos method = dedicated keytab
>     dedicated keytab file = /etc/krb5/krb5.keytab
>
> Rowland
>

I did. It seemed to be ignored. When I join samba to a domain, I don't know if it will update an existing keytab file or overwrite it. The symlink seemed an easy workaround.
Rowland Penny
2017-Mar-21 13:23 UTC
[Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions
On Tue, 21 Mar 2017 08:57:22 -0400 Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> > Did you try:
> >
> >     kerberos method = dedicated keytab
> >     dedicated keytab file = /etc/krb5/krb5.keytab
> >
> > Rowland
> >
>
> I did. It seemed to be ignored. When I join samba to a domain, I
> don't know if it will update an existing keytab file or overwrite
> it. The symlink seemed an easy workaround.
>
>

I usually delete the keytab before the join, otherwise the join seems to hang, but this is on Linux. Perhaps on Solaris it does ignore an existing keytab?

Rowland