L.P.H. van Belle
2017-Aug-08 14:39 UTC
[Samba] wiki change request. page missing in index.
I notice the following.

When you go to:
https://wiki.samba.org/index.php/User_Documentation
search site: keytab, nothing :-(

I can't find anything about keytabs (not at first sight), which I needed...
but there is this page (google was your friend): https://wiki.samba.org/index.php/Generating_Keytabs

Can someone add this in the Advanced section and make changes where needed,
after this part, or if you have a better place, but it's useful info imho.

........
This should print something like this:

    'ACCOUNTNAME' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
    [X] 0x00000001 DES-CBC-CRC
    [X] 0x00000002 DES-CBC-MD5
    [X] 0x00000004 RC4-HMAC
    [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
    [X] 0x00000010 AES256-CTS-HMAC-SHA1-96

-------- ^^^^ already on wiki -----

A sAMAccount name can be the hostname of a computer.
Then you use:

    net ads enctypes set HOSTNAME$

! Point of attention: HOSTNAME$.
The hostname in "how it's defined in your smb.conf", and after you checked the current keytab file
(klist -ke or klist -ke /path_to/your.keytab_file).
If the hostname is lowercased, and the netbios name is UPPERCASED, your auth will fail.
For example:

    kinit -k hostname$ /etc/krb5.keytab    not working

but:

    kinit -k HOSTNAME$ /etc/krb5.keytab    working

How to use these settings in smb.conf, also a point of attention, this example is not the samba default:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

Please read man smb.conf so you know what these 2 settings exactly do.
For example, the dedicated keytab file setting is used when you also need extra UPN/SPN's.
This depends on how you use it and how you configure it. NFS is such an example.

The hostname is also used in smb.conf:

    netbios name = .....

The default is to adopt the hostname of the server (in caps).
( check: testparm -vs | grep "netbios name" )

Check your keytab file:

    klist -ke |sort

(use sort because it makes it easier to see where what is missing, for example to check if you have 5 encryption types.)

    net ads keytab create

(used on a domain member)
This recreates the keytab file, based on the location of dedicated keytab file, in this example /etc/krb5.keytab.
Back up your old keytab file, stop samba/winbind, and recreate the new one.
If you did not define dedicated keytab file, the keytab file is in /var/lib/samba/private/secret.keytab (on debian).

! Tip: if you add UPN/SPN's to an account (for example HOSTNAME$), the recreated keytab now also contains your new SPN/UPN.

Check again if all encryptions are there,
and check your rights on the keytab file:

    chmod 640 /etc/krb5.keytab

(it's created on debian with 600, I need 640)

Greetz,

Louis
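
The two checks described in the message above (account-name case in the keytab, and whether every expected encryption type is present), as an added example that is not part of the original post. It assumes MIT-style `klist -ke` output; the function names and the sample keytab listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Decode an msDS-SupportedEncryptionTypes value into the enctype names that
# MIT klist prints (bit values as listed in the post above).
enctypes_from_mask() {
    mask=$(( $1 ))
    for pair in 1:des-cbc-crc 2:des-cbc-md5 4:arcfour-hmac \
                8:aes128-cts-hmac-sha1-96 16:aes256-cts-hmac-sha1-96; do
        if [ $(( mask & ${pair%%:*} )) -ne 0 ]; then echo "${pair#*:}"; fi
    done
}

# Read `klist -ke` output on stdin. $1 = account name exactly as Samba uses it
# (netbios name plus "$"), $2 = enctype mask. Prints one finding per line or OK.
audit_keytab() {
    want=$(enctypes_from_mask "$2" | tr '\n' ' ')
    awk -v acct="$1" -v want="$want" '
        # Entry rows look like: "   2 FS1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            split($2, p, "@")
            if (toupper(p[1]) != toupper(acct)) next   # other principal
            seen = 1
            if (p[1] != acct) badcase[p[1]] = 1         # same name, wrong case
            e = $3; gsub(/[()]/, "", e); sub(/^DEPRECATED:/, "", e)
            have[e] = 1
        }
        END {
            for (n in badcase) { print "CASE-MISMATCH " n " (expected " acct ")"; bad++ }
            if (!seen) { print "NO-ENTRY " acct; bad++ }
            k = split(want, w, " ")
            for (i = 1; i <= k; i++)
                if (!(w[i] in have)) { print "MISSING " w[i]; bad++ }
            if (!bad) print "OK"
        }'
}

# Constructed sample of `klist -ke` output (realm and host are made up).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/fs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 fs1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 fs1$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 fs1$@EXAMPLE.COM (arcfour-hmac)
EOF
}
sample_klist | audit_keytab 'FS1$' 31
```

On a real member server the input would come from `klist -ke /etc/krb5.keytab`, with the account name taken from the `netbios name` value plus `$`.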
On Tue, Aug 08, 2017 at 04:39:51PM +0200, L.P.H. van Belle via samba wrote:
> I notice the following.
>
> When you go to:
> https://wiki.samba.org/index.php/User_Documentation
> search site: keytab, nothing :-(

when I just search for "keytab" via the search menu in the menubar on the left
it sure finds lots of matches:

<https://wiki.samba.org/index.php?title=Special%3ASearch&search=keytab&go=Go>

> I can't find anything about keytabs (not at first sight), which I needed...
> but there is this page (google was your friend): https://wiki.samba.org/index.php/Generating_Keytabs
>
> Can someone add this in the Advanced section and make changes where needed,
> after this part, or if you have a better place, but it's useful info imho.

Better idea: you create a wiki account and update the documentation yourself.
Much appreciated! I'll send you the captcha via private email.

Cheerio!
-slow