> > dedicated keytab file = /tmp/krb5.keytab
> >
> > For which programs do you use the keytab?

I already tried that. But it still tries to write at /etc. It seems this parameter is used when you have a keytab already.

__
Taner Tas

> > > > dedicated keytab file = /tmp/krb5.keytab
> > > >
> > > > For which programs do you use the keytab?
> >
> > I already tried that. But it still tries to write at /etc. It seems this
> > parameter is used when you have a keytab already.

Ok, it seems I figured it out:

Once on nfs-root (server):
ln -s /var/lib/samba/krb5.keytab /etc/krb5.keytab

Then make this run during boot on client (pre samba and sssd):
export KEYTAB="/var/lib/samba/krb5.keytab"
[ -f $KEYTAB ] || cat /dev/null > $KEYTAB

This way, the keytab content is created in an existing but empty file.

__
Taner Tas

L.P.H. van Belle
2018-Dec-27 08:10 UTC
[Samba] Generating keytab on a read-only file system

Hai,

First, I suggest reading: https://wiki.samba.org/index.php/Keytab_Extraction
Second, is this for a member or AD-DC? That's because of the location of the keytab, and the AD-DC creates its own keytab file.
Third, are any other services going to use it?
Last, root must be able to write the keytab file.

If you place the keytab in another non-default location, like with:
dedicated keytab file = /tmp/krb5.keytab

then don't forget the symlink to /etc/krb5.keytab also.
Most client programs look at the default location /etc/krb5.keytab.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Taner Tas via samba
> Sent: Wednesday 26 December 2018 11:21
> To: Chris
> CC: Taner Tas via samba
> Subject: Re: [Samba] Generating keytab on a read-only file system
>
> > > > > dedicated keytab file = /tmp/krb5.keytab
> > > > >
> > > > > For which programs do you use the keytab?
> > >
> > > I already tried that. But it still tries to write at /etc. It
> > > seems this parameter is used when you have a keytab already.
>
> Ok, it seems I figured it out:
>
> Once on nfs-root (server):
> ln -s /var/lib/samba/krb5.keytab /etc/krb5.keytab
>
> Then make this run during boot on client (pre samba and sssd):
> export KEYTAB="/var/lib/samba/krb5.keytab"
> [ -f $KEYTAB ] || cat /dev/null > $KEYTAB
>
> This way, the keytab content is created in an existing but empty file.
> __
> Taner Tas

> First, I suggest reading:
> https://wiki.samba.org/index.php/Keytab_Extraction

I did.

> Second, is this for a member or AD-DC? That's because of the location of
> the keytab, and the AD-DC creates its own keytab file. Third, are any other
> services going to use it? Last, root must be able to write the keytab file.

They're members. The intent is to auto-join clients without manual intervention by using a dedicated user's credentials. This user is only granted permission for adding computers to the desired OU. Diskless clients will use the same root fs over NFS. Hostnames will be generated dynamically according to their MAC/IP.

> If you place the keytab in another non-default location, like with:
> dedicated keytab file = /tmp/krb5.keytab
>
> then don't forget the symlink to /etc/krb5.keytab also.
> Most client programs look at the default location /etc/krb5.keytab.

As I mentioned in another message in the thread, I figured it out by creating a symbolic link pointing to an empty krb5.keytab file, which will be created during boot at a writable location if it doesn't exist at first.

Create a symbolic link on the root fs:
/etc/krb5.keytab -> /var/lib/samba/krb5.keytab
(the /var/lib/samba folder is rw in this case)

During boot via a custom initscript:
[ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab

The empty file must be created before the samba and sssd services are launched.

Btw, I have to mention that the samba packages in your repo don't work with the sssd packages on Stretch. Sssd quits with a segfault. Due to this, I switched back to the official Debian builds (4.5.12) in order to use the sssd ad backend with samba. Probably the sssd package suite must be re-compiled against the samba packages in the van-belle repo.

Regards.
__
Taner Tas
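
Added example, not part of any post in the thread: a hardened form of the boot-time step described above. It goes beyond the posted one-liner: the keytab will hold the machine account's keys, and a file created by touch or "cat /dev/null >" takes its mode from the boot-time umask (commonly 022, giving 0644), so this version sets the mode explicitly and checks the symlink. The function name prepare_keytab and its return codes are assumptions made for the example; the default paths are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-create the empty keytab safely.

# prepare_keytab [KEYTAB] [LINK]   (hypothetical helper name)
# Returns 0 when KEYTAB is a private regular file and LINK points at it,
# 1 when KEYTAB is unsafe to use, 2 when LINK does not point at KEYTAB.
prepare_keytab() {
    keytab=${1:-/var/lib/samba/krb5.keytab}
    link=${2:-/etc/krb5.keytab}

    # A symlink at the writable location could redirect the keys elsewhere.
    if [ -L "$keytab" ]; then
        echo "refusing: $keytab is a symlink" >&2
        return 1
    fi
    # Create the empty file under a restrictive umask so it is never
    # group- or world-readable, not even briefly. The subshell keeps the
    # umask change local to this one command.
    if [ ! -e "$keytab" ]; then
        ( umask 077 && : > "$keytab" ) || return 1
    fi
    if [ ! -f "$keytab" ]; then
        echo "refusing: $keytab is not a regular file" >&2
        return 1
    fi
    # A file left over from an earlier boot may have looser permissions.
    chmod 600 "$keytab" || return 1

    # The link lives on the read-only root, so it can only be checked here.
    if [ "$(readlink "$link" 2>/dev/null)" != "$keytab" ]; then
        echo "warning: $link does not point at $keytab" >&2
        return 2
    fi
    return 0
}
```

Call prepare_keytab with no arguments from the init script, ordered before the samba and sssd services start.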