[Samba] krb5.conf file in /var/lib/samba/smb_krb5; Samba 3.0.27a
Eric Roseme
eroseme at emonster.rose.hp.com
Thu Feb 28 16:26:31 GMT 2008
Hi Alex,
The reason that I was looking at this was because although I had MD5
configured in /etc/krb5.conf, Wireshark showed that the AS-REQ/REP,
TGS-REQ/REP, and the "SMB Session Setup AndX Request" and Response were
all in RC4. I could not figure out why until I found the Samba
krb5.conf. So it appears that Samba supersedes the /etc/krb5.conf
enctype and uses RC4.
Eric
Alex de Vaal wrote:
> Hello Eric,
>
> Thanks for your answer, now I know I couldn't find anything about the
> subject... ;-)
> Before I asked the question about the krb5.conf file in
> /var/lib/samba/smb_krb5 I searched all Samba documentation and googled
> around, but I didn't find an answer that satisfied me.
> I already noticed that this file has a link with the gencache.tdb file, I
> played around with this in my test environment (remove the files and start
> the daemons and look what is in it with a binary editor).
>
> I'd like to understand what the file does, because my Samba domain members
> in the live environment have no DCs in the same IP net, they are all behind
> routers. So I want to know how this works, before I use Samba 3.0.27a in my
> live AD environment.
>
> BTW; you can see with "netstat -na | grep 445" which DC the Samba server
> is talking to...
>
> Regards,
> Alex.
>
>
>
> On Wed, Feb 27, 2008 at 5:52 PM, Eric Roseme <eroseme at emonster.rose.hp.com>
> wrote:
>
>> I asked a co-worker who attended the Samba workshop last September to
>> pose the following question. The answer follows (maybe it will help):
>>
>> Q1. Will the new (3.0.25b) krb5 code (that creates a
>> Samba-specific krb5.conf file) be documented somewhere?
>>
>>
>> A1. Samba does not have documentation about the Samba-specific
>> krb5.conf that is placed in the locking directory. And also, after running
>> kinit to obtain a Kerberos ticket, Samba stores the ticket into a memory
>> tdb, probably gencache.tdb. But Samba doesn't provide a tool to allow
>> users to see which DC Samba is talking to. Currently, we can use klist
>> to see which domain is being used by Samba.
>>
>> Obviously this does not answer your question about how it works, but it
>> might get you closer.
>>
>> Eric Roseme
>>
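
Added example, not part of the original thread and not Samba code: a small check that parses the `[libdefaults]` enctype lists from the system krb5.conf and from the Samba-generated one and reports where they differ, which is the mismatch Eric found with Wireshark. Both file bodies are constructed samples; the layout of the Samba file, the `des-cbc-md5` value standing in for "MD5", the realm and the KDC address are assumptions.

```python
import re

# Constructed sample inputs (assumptions, not taken from the thread): a system
# krb5.conf that asks for DES-CBC-MD5, and a Samba-private file listing RC4 first.
SYSTEM_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5
"""
SAMBA_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
    EXAMPLE.COM = {
        kdc = 192.0.2.10
    }
"""
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def libdefaults_enctypes(text):
    """Return {key: [enctype, ...]} from the [libdefaults] section of a krb5.conf."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:          # order matters: first entry is preferred
                found[key] = [e.lower() for e in re.split(r"[\s,]+", value) if e]
    return found

def compare(system_text, samba_text):
    """List (key, system value, samba value) where the Samba file differs."""
    system, samba = libdefaults_enctypes(system_text), libdefaults_enctypes(samba_text)
    return [(key, system.get(key), samba[key]) for key in ENCTYPE_KEYS
            if key in samba and samba[key] != system.get(key)]

if __name__ == "__main__":
    for key, system_value, samba_value in compare(SYSTEM_CONF, SAMBA_CONF):
        print(f"{key}: system={system_value} samba={samba_value}")
```

To run it against a real host, read the two files from disk and pass their text to `compare()` in place of the constructed samples.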