[Samba] Keytabs (obviously) not valid after password change

L.P.H. van Belle belle at bazuin.nl
Wed Aug 20 04:06:45 MDT 2014


hmm. 

> I thought 
>the keytab exported via samba-tool was for DNS, not Kerberos.  

Then you thought wrong, can happen... no worries.
And yes, the basic howto is short of some needed settings and explanation also.
But they are working hard on it, everyone wants something else basically.

These:
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   client signing = if_required

should be in the wiki as default settings, imo.
Saves lots of people lots of trouble.


Louis


>-----Original message-----
>From: ryana at reachtechfp.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>Sent: Monday 18 August 2014 0:19
>To: samba at lists.samba.org
>Subject: Re: [Samba] Keytabs (obviously) not valid after 
>password change
>
>When Rowland had me join my server to the domain it created 
>its own keytab. There was no exporting from the DC. I thought 
>the keytab exported via samba-tool was for DNS, not Kerberos. 
>Then again, I have never had to export it and may be wrong. 
>Either way, each member server should create its own keytab 
>when you join it to your domain, if the configuration specifies one.
>
>
>Sent from my Verizon Wireless 4G LTE smartphone
>
>-------- Original message --------
>From: George <jorgito1412 at gmail.com>
>Date: 2014/08/17 15:34 (GMT-05:00)
>To: samba at lists.samba.org
>Subject: Re: [Samba] Keytabs (obviously) not valid after password change
>
>I am running 4.1.9, with the keytab exported using 
>samba-tool and placed on
>/etc/krb5.keytab
>
>It looked strange that this has been barely mentioned on the 
>lists. Some
>misconfiguration on my side maybe?
>
>Steve, do you have "kerberos method" set on your member servers?
>
>Best regards,
>
>George
>
>On Sun, Aug 17, 2014 at 7:24 AM, steve <steve at steve-ss.com> wrote:
>
>> On Sun, 2014-08-17 at 00:12 -0300, George wrote:
>> > every
>> > 7 days Samba changes the machine account password which drives the keytab
>> > unusable.
>>
>> Hi
>> 4.1.7 AD with sssd 1.12.0
>> We don't observe that behaviour. sssd uses the machine key of the box it
>> is running upon. Our Linux machines have been up months with the same
>> keytab. Maybe something has changed recently? Anyone else?
>> Cheers,
>> Steve
>>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>


