similar to: Samba4 and sssd, keytab file expires?

On 29/12/14 17:29, Alessandro Briosi wrote: > Hi all. > I have the following setup: > > 1st dc is on CentOS 6 with Sernet samba 4.1.13 > 2nd dc is on Debian 7 with Sernet samba 4.1.13 > > The 2 dc work as expected. > > on CentOS I was able to configure sssd to work > on Debian I'm using winbind > > Now I have a 3rd server which is CentOS 7 with samba 4.1.1

Hi, The short answer to this is that Samba changes the machine account password every 7 days with the default settings. As you were told, if you join the domain with "kerberos method = secrets and keytab" on you smb.conf, the generated keytab won't expire. Another workaround would be to set "machine password timeout = 0" Best regards. On Mon, Dec 29, 2014 at 2:29 PM,

Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto: >>> OK, you can get winbind to update your keytab, you need to alter your >>> smb.conf slightly. You need to change 'kerberos method = secrets >>> only' >>> to either 'kerberos method = secrets and keytab' or 'kerberos method >>> = >>> system keytab' and add the line

Il 2014-12-31 18:24 Rowland Penny ha scritto: > > It expires because it was not created on the member server, having > said that, sssd should be able to update the keytab, I would suggest > that sssd is not setup correctly and as such, I think that you need to > take this problem to the sssd mailing list. > > If you decide to use winbind, which I can assure you will work,

>> Hi, how have you setup the fileserver ? >> Is it joined to the domain ? >> Can you post your fileservers smb.conf >> Rowland OT: Oops, wasn't subscribed to the mailing list :) Yes, server is joined to the domain (otherwise I would not be able to generate the principal) Server configuration is following (only global part), winbind config is there because it was

Hi Rowland, this posting ended a lot of grief I had with expired keytabs. While this is presumably an issue of sssd, I have no chance to attack the issue right at its root*). But rejoining the domain with the lines dedicated keytab file = /etc/krb5.memberserver.keytab kerberos method = secrets and keytab winbind refresh tickets = Yes seems to fix it. Phew... Maybe You or someone

On 31/12/14 09:56, Rowland Penny wrote: > On 31/12/14 08:58, Alessandro Briosi wrote: >>>> Hi, how have you setup the fileserver ? >>>> Is it joined to the domain ? >>>> Can you post your fileservers smb.conf >> >>>> Rowland >> >> OT: Oops, wasn't subscribed to the mailing list :) >> >> Yes, server is joined to

Hello, I have set up IPA on a private network and have hit some bumps configuring sudo access for the clients. kinit seems to work fine for both client and server, user and root. When I run sudo on the server I see the following in /var/log/messages: Oct 17 17:53:52 192-168-0-100 [sssd[krb5_child[29237]]]: Decrypt integrity check failed Oct 17 17:53:52 192-168-0-100 [sssd[krb5_child[29237]]]:

Hello All, I am currently changing my samba linux clients (Debian) from sssd binding to winbind. With sssd I had all sudo rules within the samba active directory. The configuration was based on: https://lists.samba.org/archive/samba/2016-April/199402.html Is there some guideline like the one mentioned available/has someone already experience with this for winbind based clients? Within the

Le 14/05/2019 à 09:12, Rowland penny via samba a écrit : > On 14/05/2019 07:32, Julien TEHERY via samba wrote: >> Le 13/05/2019 à 18:44, Rowland penny via samba a écrit : >>> On 13/05/2019 16:11, Julien TEHERY via samba wrote: >>>> Hi >>>> >>>> I'm trying to find a way to change user passwords from ubuntu >>>> client

Was hoping for a helping hand. Trying to set up Samba on a domain member server. The member server was previously joined to the kerberized domain using realm join and a system keytab file exists in the /etc. Subsequently I added samba along with winbind not being entirely sure if the latter was needed. This is a Redhat 7.4 server. My smb.conf appears as follows. [global] password server = *

Has anyone here managed to get sudo working with Samba 4 AD users, using either ldap or sssd, with sssd preferred? If so, can you please point me in the direction of whatever instructions you used? It seems like there are a bunch of tutorials on the subject, each with different, and sometimes conflicting, information but none of those I've tried work for me. regards, John

On Tue, May 14, 2019 at 3:42 AM Rowland penny via samba <samba at lists.samba.org> wrote: > > On 14/05/2019 08:30, Julien TEHERY via samba wrote: > > Yep I allready tried it, it ends with "kpasswd preauthentication > > failed getting initial ticket" What does "klist" say? And can you run "kinit" to ensure you have a valid ticket? One of my

Hello, This one is nasty... I followed the documentation on configuring sssd: https://wiki.samba.org/index.php/Sssd In the section on extracting the keytab, it says: - Extract the keytab for a domain account (you can use the machines[sic] account for that, too) and make sure it is readable only by root. The following example uses the machine account of the host „DC1“ So, I used the

I have CENTOS7 box with Samba 4.8.3-4 and SSSD 1.16.2-13, authentication against MS Win domain. - Recently, Active Directory authentication stopped working within Samba - Users who try to connect to reach the point of being prompted for AD credentials; failures happen afterward. - All flavors of client OS are affected: Windows, Mac and Linux (via smbclient). - There have been no configuration

Is it possible to specify a list of DCs for Samba to use, rather than have it look them up dynamically via DNS? I have an issue with Kerberos, Samba, and SSSD where my machines stop authenticating after a period of time – preAuthentication errors, etc. I suspect it's because of a "DC mismatch" between the three. Because we have numerous DCs all over the world, I specifically

On Sat, 1 Jul 2017 19:27:09 +0100, Rowland Penny via samba wrote: > On Sat, 01 Jul 2017 14:19:13 -0300 > Guido Lorenzutti wrote: > >> We used to hide some information from our windows group, to make acls only in unix groups. But well.. i think we can start sharing that info with the domain groups. > > You can do something very similar by using ACLs, create groups in AD,

You believe that SSSD is bypassing Samba entirely and going direct to Kerberos? That’s possible. At the moment, to the best of my understanding, Samba is only being used to join the domain. There are no file/printer/etc. shares happening; this is just basic domain join/membership and keytab generation and after that it’s done. The question was still specific to Samba itself: can I specify the DCs

I found adcli a little too late; I plan to use it in the future but for the time being I just deployed 16 VMs using Samba so we’re going to keep that for now! Also, the rest of what I wrote can be disregarded – I figured out exactly why my hosts were failing to authenticate after a period of time. It’s too stupid to admit publicly. On 8/23/16, 3:50 PM, "samba on behalf of Kris Lou via

On 31/12/14 15:48, Alessandro Briosi wrote: > Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto: >>>> OK, you can get winbind to update your keytab, you need to alter your >>>> smb.conf slightly. You need to change 'kerberos method = secrets only' >>>> to either 'kerberos method = secrets and keytab' or 'kerberos method = >>>>