[Samba] Generating keytab on a read-only file system

Rowland Penny rpenny at samba.org
Thu Dec 27 11:40:38 UTC 2018


On Thu, 27 Dec 2018 14:29:59 +0300
Taner Tas via samba <samba at lists.samba.org> wrote:

> 
> 
> 
> > First, I suggest read :
> > https://wiki.samba.org/index.php/Keytab_Extraction 
> 
> I did.
> 
> > Second, is it for
> > a member or AD-DC? That's because of the location of the keytab and
> > the ad-dc creates its own keytab file. Third, are any other
> > services going to use it? Last, root must be able to write the
> > keytab file.
> > 
> They're members. The intent is to auto-join clients without manual
> intervention by using a dedicated user's credentials. This user is
> only granted the right to add computers to the desired OU. Diskless
> clients will use the same root fs over NFS. Hostnames will be
> generated dynamically according to their MAC/IP.
> 
> > If you place the keytab in another non-default location like:
> > With :  dedicated keytab file = /tmp/krb5.keytab
> > 
> > Then don't forget the symlink to /etc/krb5.keytab also.
> > Most client programs look at the default location /etc/krb5.keytab.
> >
> 
> As I mentioned in another message in the thread, I figured it out by
> creating a symbolic link pointing to an empty krb5.keytab file which
> will be created during boot at a writable location if it doesn't
> exist yet.
> 
> Create a symbolic link on root fs:
> /etc/krb5.keytab -> /var/lib/samba/krb5.keytab
> (/var/lib/samba folder is rw in this case)
> 
> During boot via a custom initscript:
> [ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab
> 
> The empty file must be created before the samba and sssd services are
> launched.
> 
> Btw, I have to mention that the samba packages in your repo don't
> work with the sssd packages on Stretch. Sssd quits with a segfault. Due to
> this, I switched back to the official Debian builds (4.5.12) in order
> to use the sssd ad backend with samba. Probably the sssd package suite must be
> re-compiled against the samba packages on the van-belle repo.
> 
> Regards.
> 
> __
> Taner Tas
> 

Why do you feel you need sssd?
Winbind will mostly do everything on a Unix domain member that sssd
does, and for what it doesn't do, there are other ways of doing it.

Rowland
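The boot-time step Taner describes above (empty keytab at a writable path, default path symlinked to it, all done before samba/sssd start), written out as an added example that is not from the thread or from Samba itself. The two paths are the thread's, but KEYTAB_RW and KEYTAB_LINK are assumed names so the function can be pointed at a test directory; it also keeps the keytab root-only, since a keytab holds host keys once the join has filled it.

```sh
#!/bin/sh
# Added example (not from the thread): prepare a writable keytab location
# on a diskless client whose root fs is read-only, before samba/sssd start.
# KEYTAB_RW and KEYTAB_LINK are assumed variable names; defaults are the
# paths used in the thread.
KEYTAB_RW="${KEYTAB_RW:-/var/lib/samba/krb5.keytab}"
KEYTAB_LINK="${KEYTAB_LINK:-/etc/krb5.keytab}"

# prepare_keytab WRITABLE_PATH DEFAULT_PATH
# Creates the empty keytab at the writable location if it is missing and
# makes it readable only by root (the join will later write host keys into
# it). Then checks that the default path is a symlink to that file.
# Returns 0 on success, 1 on an I/O error, 2 if the default path is a
# symlink to somewhere else, 3 if a real file already sits at the default
# path (it is left untouched rather than clobbered).
prepare_keytab() {
    rw="$1"; link="$2"
    mkdir -p "$(dirname "$rw")" || return 1
    [ -f "$rw" ] || : > "$rw" || return 1
    chmod 0600 "$rw" || return 1
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$rw" ] || return 2
    elif [ -e "$link" ]; then
        return 3
    else
        # On a read-only root fs this ln fails: bake the link into the
        # image instead, as the thread does, and only the touch runs here.
        ln -s "$rw" "$link" || return 1
    fi
    return 0
}

# keytab_mode PATH: octal permission bits, e.g. "600" (GNU stat).
keytab_mode() { stat -c '%a' "$1"; }

# Run against the defaults when executed directly (not when sourced).
[ "${KEYTAB_SELFTEST:-0}" = 1 ] && prepare_keytab "$KEYTAB_RW" "$KEYTAB_LINK"
```

The function is idempotent, so it can run on every boot from the initscript; the samba and sssd units should be ordered after it.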