I am working on trying to set up Solaris 11 and Linux clients as Samba domain
members with a Win 2008 AD domain controller/directory server. I am also trying
to configure Kerberos for Unix-level authentication.
I am unclear if Samba can create a keytab file or only use a previously created
one.
With solaris, there is "kclient" command that creates the machine
account on the server and then creates a krb5.keytab on the client machine.
As per earlier e-mails, I found that with Solaris the Kerberos client and Samba
(4.4.8) expected different locations for the krb5.keytab file.
Both the samba "net join" and the solaris "kclient"
command will update the computer account password, which requires that Kerberos
client and samba use the same keytab file.
Setting the following in smb.conf on Solaris didn't seem to have an effect.
dedicated keytab file = /etc/krb5.keytab
kerberos method = dedicated keytab
On Linux (Fedora Core 25, Samba 4.5.6) I am trying to figure out if/how I can
get Samba to create the krb5.keytab file. By default it doesn't create
one.
I set
dedicated keytab file = /etc/krb5.keytab
kerberos method = dedicated keytab
in the smb.conf BUT no file gets created when I join the domain. (The machine
account is created in the AD domain.)
Setting the following in smb.conf doesn't seem to help either
kerberos method = system keytab
The ktpass utility on Windows is very limited when trying to create a keytab
file with multiple service principals.
I appreciate any advice.
Thanks
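The kvno mismatch discussed in this thread (Samba rotating the machine password and writing one keytab while the Solaris Kerberos client and sshd read another) can be checked rather than guessed at. The shell helpers below are an added example, not code from this thread or from Samba or Solaris. They parse `klist -kte` output, assuming the MIT/Solaris column layout (KVNO, date, time, principal, enctype), and report the newest kvno per principal, entries superseded by a newer kvno, and whether a given principal/kvno pair is present. The embedded sample output, the host name client.example.com, the machine account CLIENT$ and the realm EXAMPLE.COM are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or Solaris): helpers that inspect
# `klist -kte` output so two keytab files can be compared for kvno drift.
# Assumption: MIT/Solaris klist layout "KVNO Timestamp Principal (enctype)",
# i.e. awk fields $1=kvno $2=date $3=time $4=principal.

# Constructed sample of `klist -kte /etc/krb5.keytab` output; the host name,
# realm, machine account and timestamps are made up for this example.
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/21/2017 08:57:11 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/21/2017 08:57:11 host/client.example.com@EXAMPLE.COM (arcfour-hmac)
   4 03/21/2017 09:10:02 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 03/21/2017 09:10:02 CLIENT$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 03/16/2017 15:01:00 cifs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Matches only key lines, skipping the "Keytab name:" and header rows.
ENTRY='^ *[0-9]+ [0-9]+/[0-9]+/[0-9]+ '

# max_kvno PRINCIPAL   (klist -kte output on stdin)
# Prints the highest kvno present for PRINCIPAL, or 0 if it has no keys at all.
max_kvno() {
    awk -v E="$ENTRY" -v P="$1" '
        $0 ~ E && $4 == P { if ($1 + 0 > m) m = $1 + 0 }
        END               { print m + 0 }'
}

# stale_keys   (klist -kte output on stdin)
# Prints every entry whose kvno is lower than the newest kvno seen for the
# same principal. These are leftovers from before a password rotation: harmless
# while the current kvno is also present, fatal for GSSAPI logins if it is not.
stale_keys() {
    awk -v E="$ENTRY" '
        $0 ~ E { n++; k[n] = $1 + 0; p[n] = $4; line[n] = $0
                 if (!(p[n] in max) || k[n] > max[p[n]]) max[p[n]] = k[n] }
        END    { for (i = 1; i <= n; i++) if (k[i] < max[p[i]]) print line[i] }'
}

# has_key PRINCIPAL KVNO   (klist -kte output on stdin)
# Succeeds only if PRINCIPAL is present at exactly that kvno.
has_key() {
    awk -v E="$ENTRY" -v P="$1" -v K="$2" '
        $0 ~ E && $4 == P && $1 + 0 == K + 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# compare_keytabs PRINCIPAL FILE_A FILE_B
# Runs klist on two real keytab files (e.g. Samba's /etc/krb5.keytab and the
# Solaris /etc/krb5/krb5.keytab) and fails if their newest kvno for PRINCIPAL
# differs, which is the condition that breaks ssh logins after a rejoin.
compare_keytabs() {
    a=$(klist -kte "$2" | max_kvno "$1")
    b=$(klist -kte "$3" | max_kvno "$1")
    printf '%s: kvno %s in %s, kvno %s in %s\n' "$1" "$a" "$2" "$b" "$3"
    [ "$a" -eq "$b" ]
}

# Demonstration on the constructed sample (no klist binary needed):
echo "superseded entries:"
printf '%s\n' "$SAMPLE" | stale_keys
echo "newest host/ kvno: $(printf '%s\n' "$SAMPLE" | max_kvno host/client.example.com@EXAMPLE.COM)"
```

To check a live system, run `compare_keytabs host/$(hostname -f)@REALM /etc/krb5.keytab /etc/krb5/krb5.keytab` on the Solaris box; if Samba's file reports a higher kvno than the one sshd reads, the symlink workaround in the quoted reply is doing exactly the job it appears to. On the Samba side, `net ads keytab create` is the existing `net` subcommand that writes the machine's keys into whichever keytab Samba is configured to use, so it is worth running the comparison right after that as well as after a join.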
-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Tuesday, March 21, 2017 8:57 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos
functions
On 03/16/17 15:01, Rowland Penny via samba wrote:
> On Thu, 16 Mar 2017 14:48:01 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> Samba expects the keytab file as /etc/krb5.keytab.
>>
>> Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab
>>
>> When samba joins the domain it (probably) updates the machine
>> password and then updates its krb5.keytab file. When connecting
>> via ssh, the system would use a keytab file that had the wrong kvno
>> and probably the wrong password key.
>>
>>
>> The following symlink command fixed ssh logins
>>
>> ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab
>>
> Did you try:
>
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5/krb5.keytab
>
> Rowland
>
I did. It seemed to be ignored. When I join samba to a domain, I
don't know if it will update an existing keytab file or overwrite
it. The symlink seemed an easy workaround.