[Samba] Domain Member keytabs invalid after Password Change

Leigh Wedding leigh.wedding at telstra.com
Sat Dec 3 02:29:03 MST 2011

Chase Whitener <chase.whitener at infotechfl.com> writes:

> Hi Dirk,
> No, I haven't gotten any word back yet.  If you have any insight into what I
> might be doing incorrectly, it would be greatly appreciated.
> Thanks,
> Chase
> On Mon, Sep 19, 2011 at 3:10 AM, Dirk Gouders <
> gouders at et.bocholt.fh-gelsenkirchen.de> wrote:
>> Chase Whitener <chase.whitener at infotechfl.com> writes:
>> > We have a 2008r2 AD domain.  We join Linux machines as domain members
>> using
>> > Samba with Winbind (I'll show all of my config files below).  This
>> portion
>> > of our setup works without failures of any kind.  However, some of these
>> > machines are web servers for Intranet stuff and we'd like to have SSO
>> > working.  For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
>> > keytab file).  So, since we're already joining the machines to the domain
>> > with Samba, we thought it would be smart to just generate the keytab
>> files
>> > with net ads.
>> >
>> > export KRB5_KTNAME=FILE:/etc/www.keytab
>> > net ads keytab create -Udomain-admin  (requires a password, so this can't
>> be
>> > scripted and run in cron)
>> > net ads keytab add HTTP -Udomain-admin  (requires a password, so this
>> can't
>> > be scripted and run in cron)
>> > unset KRB5_KTNAME
>> > chown apache /etc/www.keytab
>> > service httpd restart
>> >
>> > However, when Samba changes the machine account's password (seemingly
>> > randomly), those keytab files are no longer valid and have to be
>> > regenerated.  Is there some way for those keytab files to be updated
>> > automatically when Samba updates the machine account, or some setting to
>> > stop Samba from updating that password?  And alternatively, are we doing
>> > things in a completely wrong way?  I apologize for writing a book here,
>> but
>> > without all of the background info, you may not be able to help.  Here's
>> my
>> > config files for a machine:
>> Hi Chase,
>> I did not see an answer to your question and would like to ask if you
>> received any help with your problem or solved it some other way.
>> Regards,
>> Dirk


I also wanted to do something similar.  Samba domain member to AD
domain, but I also need /etc/krb5.keytab (on Linux) to allow SSO for
ssh.  Also in my case when samba changes the password, the keytab
file becomes invalid.  There is an option you can set in smb.conf
"machine password timeout", which I assume can be set to 0 to prevent
password changes, however don't know about the security implications of
never changing the password, and if AD will allow that.


More information about the samba mailing list