Peter Eriksson
2018-Dec-18 09:04 UTC
[Samba] Advantage of 'kerberos method = secrets and keytab' over 'kerberos method = system keytab'
A question regarding the "kerberos method" configuration option in smb.conf:

Are there any practical differences between using 'secrets and keytab' and 'system keytab'?

I've been running Samba servers using both methods for a long time and both seem to work more or less fine, but since we're having this "login hiccup at 10 hour service ticket expiration problem" I'm trying to find out if this might be one thing that is causing our problems. (Our production servers where we see this problem are using 'system keytab'.)

I've been trying to find some information on whether one gives some advantages over the other, but so far have come up empty…

Which one is the preferred setting?

- Peter
L.P.H. van Belle
2018-Dec-18 09:35 UTC
[Samba] Advantage of 'kerberos method = secrets and keytab' over 'kerberos method = system keytab'
My question also; I'm not really clear on the "kerberos method" options.

In my opinion, I can't think of much that does not need the /etc/krb5.keytab file. So I'm really pro always having the krb5.keytab file, because it makes life easier.

If you only use winbind auth, that might be an advantage of the system (in-memory) keytab. But I need some practical examples of the settings first, because I'm not 100% sure what all the disadvantages and advantages are.

About the "login hiccup at 10 hour service ticket expiration problem":
Your 100% nothing in the network is causing this.. I've seen your problem on the list; I'll have another look at it.

You can try the following. If you are now using system keytab, set this and see if it works.

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

! Don't forget, you need to have krb5.keytab extracted from AD.
https://wiki.samba.org/index.php/Keytab_Extraction

If you don't have any krb5.keytab file:

    kinit Administrator
    KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
    kdestroy

If you have, what's in it?

But please do test this on a test server and not your production. If you go test on production, make sure you have good backups of the samba.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Peter Eriksson via samba
> Sent: Tuesday, 18 December 2018 10:05
> To: samba at lists.samba.org
> Subject: [Samba] Advantage of 'kerberos method = secrets and keytab' over 'kerberos method = system keytab'
>
> A question regarding the "kerberos method" configuration option in smb.conf:
>
> Are there any practical differences between using 'secrets and keytab' and 'system keytab'?
>
> I've been running Samba servers using both methods for a long time and both seem to work more or less fine, but since we're having this "login hiccup at 10 hour service ticket expiration problem" I'm trying to find out if this might be one thing that is causing our problems. (Our production servers where we see this problem are using 'system keytab'.)
>
> I've been trying to find some information on whether one gives some advantages over the other, but so far have come up empty…
>
> Which one is the preferred setting?
>
> - Peter
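For the "what's in it?" check in the reply above, an added example (not from the thread or from Samba) that lists the principals, key version numbers and encryption types stored in a keytab without reading the key bytes. It assumes the standard keytab file format 0x0502; the function names, principals and sample entries are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

def parse_keytab(data):
    """List the live entries of a keytab (file format 0x0502) without reading key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a keytab in file format 0x0502")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                       # zero length: end of entries
            break
        if size < 0:                        # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        (count,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []
        for _ in range(count + 1):          # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, ts, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen                    # step over the key material unread
        if end - p >= 4:                    # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno,
                        "enctype": enctype,
                        "time": datetime.fromtimestamp(ts, timezone.utc).isoformat()})
        pos = end
    return entries

def sample_entry(principal, realm, kvno, enctype, ts=1545123840):
    """Constructed test entry with an all-zero dummy key (not a real credential)."""
    parts = [realm.encode()] + [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(x)) + x for x in parts)
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, enctype, 32) + bytes(32)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: two entries around one deleted 8-byte slot.
SAMPLE = (b"\x05\x02" + sample_entry("host/fs1.example.com", "EXAMPLE.COM", 3, 18)
          + struct.pack(">i", -8) + bytes(8)
          + sample_entry("cifs/fs1.example.com", "EXAMPLE.COM", 300, 17))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"], e["time"])
```

On a real host, pass the bytes of /etc/krb5.keytab to `parse_keytab()`; the file holds long-term keys, so read it as root and keep its permissions restrictive.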