of keytabs, kerberos and winbindd
samba at dm.cobite.com
Fri Jul 26 09:51:19 MDT 2013
The subject of this email is actually "borrowed" from a thread from June
2012. In that thread the logistics of having winbind synchronize the
system keytab were discussed. But I believe nothing was done, because
this is my exact problem:
1) if "secrets" is kerberos method, winbind changes the password
according to "machine password timeout" and the system keytab (assuming
it's based on the extracted keytab for the "host/somehost.example.com"
principal on the samba (or other) DC) becomes stale.
2) if anything else is set as "kerberos method", winbind password
changing is disabled. However, with "secrets and keytab" a "net ads
changetrustpw" will update secrets and synchronize the keytab (e.g.
I like the idea of winbind changing the password AND synchronizing the
keytab, but it seems as though a weekly cron to do "net ads
changetrustpw" would do the trick?
Do I have this basically correct?
(Of course I also learned that all of the keytabs for SPN created on the
machine account share the same key and so all of them become invalid at
the same time - but that is a separate issue!)
More information about the samba-technical