samba suggestions (and wishlist, a test with 4.7rc4 on debianstretch )

L.P.H. van Belle belle at bazuin.nl
Fri Aug 18 14:59:24 UTC 2017


Hi Andrew,

Thank you for the reply. 

> -----Original message-----
> From: samba-technical 
> [mailto:samba-technical-bounces at lists.samba.org] On behalf of 
> Andrew Bartlett via samba-technical
> Sent: Thursday, 17 August 2017 21:10
> To: L.P.H. van Belle; samba-technical at lists.samba.org
> Subject: Re: samba suggestions (and wishlist, a test with 
> 4.7rc4 on debianstretch )
> 
> On Thu, 2017-08-17 at 11:47 +0200, L.P.H. van Belle via 
> samba-technical
> wrote:
> > ( keep in mind, I try not to touch original Debian files where 
> > possible. ) I did add in /etc/krb5.conf default_keytab_name = 
> > /var/lib/samba/private/secrets.keytab
> 
> You shouldn't need that.
Well, here I don't agree. It's explained as you read through all of this. 

> 
> The things that know they should be using that keytab, which 
> is managed by Samba, know where to find it.  Other things 
> (apache httpd, ssh etc) won't find the right principals (they 
> normally look for a host/ thing).
Yes, and what is in the "samba secrets.keytab" 

> 
> Now, perhaps we should make it easier to share the keytab 
> with those services, like folks do on member servers, but we 
> don't right now.
Yes, see what I did. That's sufficient. 

About this part: 
> > ( keep in mind, I try not to touch original Debian files where 
> > possible. ) I did add in /etc/krb5.conf default_keytab_name = 
> > /var/lib/samba/private/secrets.keytab  

This is a well-thought-out setting I made, maybe still a wrong one, but I'll explain why. 
If I'm wrong here, let me know; I can only learn from it. 

I made this choice because I needed these SPNs from Samba's keytab in the system default keytab. 
Now I could export these and put them in /etc/krb5.keytab, but why, if they are already there in secrets.keytab? 
( as klist shows the following SPNs from secrets.keytab: ) 
   1 HOST/hostname_short@REALM
   1 HOST/hostname_fqdn@REALM
   1 HOSTNAME$@REALM

Great, all I need for the "machine credentials". 

Normally, I only do this on the member servers, by setting these 3 in smb.conf. 
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes

The reason I do that is that rpc.gssd, for my NFSv4, is used to find the SPN in the keytab file while trying to obtain machine credentials.
And the default value for the keytab file is /etc/krb5.keytab.

The current search order for keytabs to be used for "machine credentials" is now:
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>

Which makes my setup much easier, and the keytab refresh is handled by Samba/winbind. 

At least, this is how I'm set up. 

But I appreciate any comment on this; as said, we can only learn from it. 

Have a good weekend.  

Greetz, 

Louis
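The search order quoted in the mail decides whether rpc.gssd finds machine credentials in a keytab at all, and the author's point is that Samba's secrets.keytab already satisfies the first rule (HOSTNAME$@REALM). The script below is an added example, not code from the mail, Samba or nfs-utils: it parses `klist -k` output, walks the seven rules in the order given above, and reports which entry would be used or which entries are missing. The keytab listing, host names and realm (dc1.example.com, EXAMPLE.COM) are constructed samples, and exact, case-sensitive matching is an assumption of this example (Kerberos principal names are case-sensitive, so an uppercase HOST/ entry is not treated as satisfying the lowercase host/ rule here; whether a given rpc.gssd version behaves identically is not asserted).

```python
import re
import socket
import subprocess
import sys

# Constructed sample of `klist -k` output (not taken from the mail); it mimics the
# machine-account entries a Samba AD DC keeps in /var/lib/samba/private/secrets.keytab.
SAMPLE_KLIST = """Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HOST/dc1@EXAMPLE.COM
   1 HOST/dc1.example.com@EXAMPLE.COM
   1 DC1$@EXAMPLE.COM
"""

# One keytab entry line: key version number, then principal@REALM.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return the principals listed in `klist -k` output, in file order."""
    principals = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            principals.append(m.group(2))
    return principals


def host_specific_candidates(hostname, realm):
    """Host-specific principals in the search order from the mail:
    HOSTNAME$ first, then root/, nfs/ and host/ for this host's own name."""
    short = hostname.split(".")[0].upper()
    candidates = [f"{short}$@{realm}"]
    candidates += [f"{svc}/{hostname}@{realm}" for svc in ("root", "nfs", "host")]
    return candidates


def find_machine_principal(principals, hostname, realm):
    """First keytab entry the search order accepts as machine credentials, or None.
    Matching is exact and case-sensitive (assumption of this example)."""
    for cand in host_specific_candidates(hostname, realm):
        if cand in principals:
            return cand
    # Fallback rules: root/<anyname>, nfs/<anyname>, host/<anyname> in this realm,
    # tried in that order; within a rule the first matching keytab entry wins.
    for svc in ("root", "nfs", "host"):
        for p in principals:
            if p.startswith(svc + "/") and p.endswith("@" + realm):
                return p
    return None


def check_keytab(text, hostname, realm):
    """Human-readable verdict: the entry that would be used, or what is missing."""
    principals = parse_klist(text)
    found = find_machine_principal(principals, hostname, realm)
    if found:
        return f"machine credentials: {found}"
    wanted = ", ".join(host_specific_candidates(hostname, realm))
    return (f"no usable entry among {len(principals)} principals; "
            f"expected one of: {wanted} (or a root/, nfs/ or host/ entry in {realm})")


if __name__ == "__main__":
    # Usage: keytab_check.py <keytab> <REALM> [hostname]; with no arguments the
    # constructed sample above is checked instead of a real keytab.
    if len(sys.argv) >= 3:
        listing = subprocess.run(["klist", "-k", sys.argv[1]],
                                 capture_output=True, text=True, check=True).stdout
        realm = sys.argv[2]
        hostname = sys.argv[3] if len(sys.argv) > 3 else socket.getfqdn()
    else:
        listing, hostname, realm = SAMPLE_KLIST, "dc1.example.com", "EXAMPLE.COM"
    print(check_keytab(listing, hostname, realm))
```

Run against the sample, the DC1$@EXAMPLE.COM entry is reported, which is the "all I need for the machine credentials" case; run against a member server's /etc/krb5.keytab it shows whether the entries written by `kerberos method = secrets and keytab` are the ones that rule order will actually pick.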

More information about the samba-technical mailing list