samba-tool does not use kerberos ticket

steve steve at steve-ss.com
Fri Sep 19 09:27:28 MDT 2014


On 19/09/14 13:27, Alexis wrote:
> steve wrote:
>
>> On 19/09/14 11:35, Alexis wrote:
>>> Hello,
>>>
>>> I use samba 4-1.12 as an AD on an opensuse13.1 server.
>>> I use to setup a kerberos ticket with
>>> kinit administrator -k -t /usr/local/samba/private/administrator.keytab
>>> and klist -l on opensuse13.1 give:
>>> Principal name                 Cache name
>>> --------------                 ----------
>>> administrator at XXX.XX.XX       DIR::/run/user/0/krb5cc/tktiNk96S
>>>
>>>
>>> but for example   samba-tool dns serverinfo <server> will ask me password
>>> instead of using this kerberos ticket.
>>>
>>> There was not such an issue when running samba in opensuse12.3 and I
>>> wonder if this is due to user.slice service which was added in opensuse13.1
>>> but I don't know where to go from here.
>>>
>>> Maybe some of you had any clue to help me debug this issue.
>>>
>>> Thank you.
>>>
>> Hi
>> Just add:
>> default_ccache_name = /tmp/krb5cc_%{uid}
>> to [libdefaults]
>> in /etc/krb5.conf
>> and forget about systemd.
>> Works here on 13.1
>> HTH,
>> Steve
>>
>
> Thanks a lot you make my day!!!
>
Whilst we're here, there's another big one you may wish to avoid. The 
other big kerberos systemd openSUSE problem is that if root has not 
already logged in, the directory:
/run/user/0
does not exist and so there is nowhere to put the tickets, even if it 
did work. Under systemd all clients which need a root ticket must have 
root log in first;) We've thrashed this out on both the krb5 and 
opensuse lists: MIT don't do systemd and opensuse don't do kerberos.
HTH,
Steve
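
Added example (not part of the original messages): a shell check that reads default_ccache_name from a krb5.conf, expands %{uid}, and reports whether the directory the cache needs already exists, which is the /run/user/0 failure described above. The function names and the two sample krb5.conf files are constructed for illustration, and only the %{uid} token is expanded.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# ccache_name CONF UID: print default_ccache_name from [libdefaults], expanded.
ccache_name() {
    awk -v uid="$2" '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            gsub(/%[{]uid[}]/, uid); print; exit
        }' "$1"
}

# ccache_parent NAME: print the directory that must exist before a ticket can
# be stored. Fails for types that are not filesystem paths (KEYRING:, KCM:).
# Assumption: for DIR: the library creates the last path component itself,
# so only its parent (e.g. /run/user/0) has to be there beforehand.
ccache_parent() {
    case "$1" in
        DIR:*)  dirname "${1#DIR:}" ;;
        FILE:*) dirname "${1#FILE:}" ;;
        /*)     dirname "$1" ;;           # a bare path is treated as FILE:
        *)      return 1 ;;
    esac
}

# ccache_status CONF UID: one-line verdict for that uid.
ccache_status() {
    name=$(ccache_name "$1" "$2")
    [ -n "$name" ] || { echo "unset"; return 0; }
    parent=$(ccache_parent "$name") || { echo "non-file $name"; return 0; }
    if [ -d "$parent" ]; then echo "ok $name"; else echo "missing-dir $parent"; fi
}

# Constructed samples: a DIR: setting matching the klist output quoted above,
# and the setting suggested in the reply.
demo=$(mktemp -d)
printf '[libdefaults]\n default_ccache_name = DIR:/run/user/%%{uid}/krb5cc\n' > "$demo/dir.conf"
printf '[libdefaults]\n default_ccache_name = /tmp/krb5cc_%%{uid}\n' > "$demo/tmp.conf"
for f in dir tmp; do echo "$f: $(ccache_status "$demo/$f.conf" "$(id -u)")"; done
```

Run as root before root has logged in, the DIR: sample reports missing-dir for /run/user/0, while the /tmp setting reports ok.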




