samba suggestions (and wishlist, a test with 4.7rc4 on debianstretch )
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 18 14:59:24 UTC 2017
Hi Andrew,
Thank you for the reply.
> -----Original message-----
> From: samba-technical
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of
> Andrew Bartlett via samba-technical
> Sent: Thursday, 17 August 2017 21:10
> To: L.P.H. van Belle; samba-technical at lists.samba.org
> Subject: Re: samba suggestions (and wishlist, a test with
> 4.7rc4 on debianstretch )
>
> On Thu, 2017-08-17 at 11:47 +0200, L.P.H. van Belle via
> samba-technical
> wrote:
> > ( keep in mind, i try not to touch original debian files where
> > possible. ) I did add in /etc/krb5.conf default_keytab_name =
> > /var/lib/samba/private/secrets.keytab
>
> You shouldn't need that.
Well, here I don't agree. It's explained as you read through all of this.
>
> The things that know they should be using that keytab, which
> is managed by Samba, know where to find it. Other things
> (apache httpd, ssh etc) won't find the right principals (they
> normally look for a host/ thing).
Yes, and what is in the "samba secrets.keytab"?
>
> Now, perhaps we should make it easier to share the keytab
> with those services, like folks do on member servers, but we
> don't right now.
Yes, see what I did. That's sufficient.
About this part:
> > ( keep in mind, i try not to touch original debian files where
> > possible. ) I did add in /etc/krb5.conf default_keytab_name =
> > /var/lib/samba/private/secrets.keytab
This is a well-thought-out setting I made, maybe still a wrong one, but I'll explain why.
If I'm wrong here, let me know; I can only learn from it.
I made this choice because I needed these SPNs from samba's keytab in the system default keytab.
Now I could export these and put them in /etc/krb5.keytab, but why, if they are already there in secrets.keytab?
( as klist shows the following SPNs from secrets.keytab: )
1 HOST/hostname_short at REALM
1 HOST/hostname_fqdn at REALM
1 HOSTNAME$@REALM
Great, all I need for the "machine credentials"...
Normally, I only do this on the member servers, by setting these three in smb.conf:
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
The reason I do that is that rpc.gssd, for my NFSv4, is used to find the SPN in the keytab file while trying to obtain machine credentials.
And the default value for the keytab file is /etc/krb5.keytab.
The current search order for keytabs to be used for "machine credentials" is now:
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
Which makes my setup much easier, and the keytab refresh is handled by samba/winbind.
At least, this is how I'm set up.
But I appreciate any comment on this; as said, we can only learn from it.
Have a good weekend..
Greetz,
Louis
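The post above relies on the machine account principal (HOSTNAME$@REALM) being first in rpc.gssd's machine-credential search order, so that Samba's secrets.keytab is enough for NFSv4. The script below is an added example (not from the thread or from the Samba or nfs-utils projects) that parses constructed `klist -k`-style output and walks that search order, returning the first principal it finds. The sample keytab contents, the hostname dc1.example.com and the realm EXAMPLE.COM are made up for the demonstration; exact, case-sensitive string matching of principal names is an assumption, and `<anyname>` is treated as any instance under the given service.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (not captured from a real system).
SAMPLE_KEYTAB='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc1@EXAMPLE.COM
   1 HOST/dc1.example.com@EXAMPLE.COM
   1 DC1$@EXAMPLE.COM'

# Print only the principal column: lines whose first field is a KVNO number.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# Walk the machine-credential search order quoted in the thread:
#   <HOSTNAME>$@<REALM>, root/<hostname>@<REALM>, nfs/<hostname>@<REALM>,
#   host/<hostname>@<REALM>, then root/, nfs/, host/ with <anyname>.
# Echoes the first matching principal and returns 0; returns 1 if none found.
# Assumption: exact (case-sensitive) comparison of principal strings.
find_machine_cred() {
    keytab="$1"; host="$2"; realm="$3"
    principals=$(keytab_principals "$keytab")
    # Machine account name: short hostname, upper-cased, with a trailing '$'.
    upper_host=$(printf '%s' "$host" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')

    # Exact-name candidates, in order.
    for want in "${upper_host}\$@${realm}" \
                "root/${host}@${realm}" \
                "nfs/${host}@${realm}" \
                "host/${host}@${realm}"; do
        printf '%s\n' "$principals" | grep -Fx -- "$want" && return 0
    done

    # <anyname> candidates: any instance under the service, same realm.
    for svc in root nfs host; do
        match=$(printf '%s\n' "$principals" \
                | grep -- "^${svc}/[^@]*@${realm}\$" | head -n 1)
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
    done
    return 1
}

# Usage: with the constructed secrets.keytab listing, the machine account
# principal DC1$@EXAMPLE.COM is found first, without any host/ or nfs/ entry.
find_machine_cred "$SAMPLE_KEYTAB" dc1.example.com EXAMPLE.COM \
    || echo "no machine credential principal found"
```

On a real host you would feed the function the output of `klist -k` (or `klist -k /etc/krb5.keytab` after the `dedicated keytab file` setting from the post); an empty result is the condition under which rpc.gssd would fail to obtain machine credentials from that keytab.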