[Samba] krb5.conf file in /var/lib/samba/smb_krb5; Samba 3.0.27a

Eric Roseme eroseme at emonster.rose.hp.com
Thu Feb 28 16:26:31 GMT 2008

Hi Alex,

The reason that I was looking at this was because although I had MD5 
configured in /etc/krb5.conf, Wireshark showed that the AS-REQ/REP, 
TGS-REQ/REP, and the "SMB Session Setup AndX Request" and Response were 
all in RC4.  I could not figure out why until I found the Samba 
krb5.conf.  So it appears that Samba supersedes the /etc/krb5.conf 
enctype and uses RC4.


Alex de Vaal wrote:
> Hello Eric,
> Thnx for your answer, now I know I couldn't find anything about the
> subject... ;-)
> Before I asked the question about the krb5.conf file in
> /var/lib/samba/smb_krb5 I searched all Samba documentation and googled
> around, but I didn't find an answer that satisfied me.
> I already noticed that this file has a link with the gencache.tdb file, I
> played around with this in my test environment (remove the files and start
> the daemons and look what is in it with a binary editor).
> I'd like to understand what the file does, because my Samba domain members
> in the live environment have no DC's in the same IP net, they are all behind
> routers. So I want to know how this works, before I use Samba 3.0.27a in my
> live AD environment.
> BTW; you can see with "netstat -na | grep 445" to which DC the Samba server
> is talking to...
> Regards,
> Alex.
> On Wed, Feb 27, 2008 at 5:52 PM, Eric Roseme <eroseme at emonster.rose.hp.com>
> wrote:
>> I asked a co-worker who attended the Samba workshop last September to
>> pose the following question.  The answer follows (maybe it will help):
>> Q1.       Will the new (3.0.25b) krb5 code (that creates a
>> Samba-specific krb5.conf file) be documented somewhere?
>> A1.  Samba does not have documentation about the Samba-specific
>> krb5.conf that is placed in locking directory. And also, after running
>> kinit to obtain Kerberos ticket, Samba stores the ticket into memory
>> tdb, probbaly gencache.tdb. But Samba doesn't provide a tool to allow
>> users to see which DC Samba is talking to. Currently, we can use klist
>> to see which domain is being used by Samba.
>> Obviously this does not answer your question about how it works, but it
>> might get you closer.
>> Eric Roseme

More information about the samba mailing list