[Samba] Domain Member keytabs invalid after Password Change

Chase Whitener chase.whitener at infotechfl.com
Tue Sep 13 11:50:14 MDT 2011

We have a 2008r2 AD domain.  We join Linux machines as domain members using
Samba with Winbind (I'll show all of my config files below).  This portion
of our setup works without failures of any kind.  However, some of these
machines are web servers for Intranet stuff and we'd like to have SSO
working.  For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
keytab file).  So, since we're already joining the machines to the domain
with Samba, we thought it would be smart to just generate the keytab files
with net ads.

export KRB5_KTNAME=FILE:/etc/www.keytab
net ads keytab create -Udomain-admin  (requires a password, so this can't be
scripted and run in cron)
net ads keytab add HTTP -Udomain-admin  (requires a password, so this can't
be scripted and run in cron)
chown apache /etc/www.keytab
service httpd restart

However, when Samba changes the machine account's password (seemingly
randomly), those keytab files are no longer valid and have to be
regenerated.  Is there some way for those keytab files to be updated
automatically when Samba updates the machine account, or some setting to
stop Samba from updating that password?  And alternatively, are we doing
things in a completely wrong way?  I apologize for writing a book here, but
without all of the background info, you may not be able to help.  Here's my
config files for a machine:


AD 2008 R2 domain controllers.  (ad.foo.com for example purposes)

CentOS 6 domain member:
[root at wolf ~]# yum list installed | grep samba
samba.x86_64          3.5.4-68.el6_0.2  @updates
samba-client.x86_64   3.5.4-68.el6_0.2  @updates
samba-common.x86_64   3.5.4-68.el6_0.2  @updates
samba-winbind.x86_64  3.5.4-68.el6_0.2  @updates

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = AD.FOO.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 clock_skew = 300
 default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 default_tks_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

  kdc = kerberos.example.com
  admin_server = kerberos.example.com

 .infotechfl.com = AD.FOO.COM
 infotechfl.com = AD.FOO.COM
 .ad.infotechfl.com = AD.FOO.COM
 ad.infotechfl.com = AD.FOO.COM

    workgroup = AD
    netbios name = Wolf
    server string = Wolf
    security = ADS
    realm = AD.FOO.COM

    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    allow trusted domains = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    pam password change = no
    obey pam restrictions = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no

    idmap uid = 1000-50000000
    idmap gid = 1000-50000000

    winbind separator = +
    winbind use default domain = yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    template shell = /bin/bash
    template homedir = /home/%U

    winbind cache time = 3600
    winbind refresh tickets = yes
    winbind offline logon = false
    winbind refresh tickets = yes

    client NTLMv2 auth = yes
    restrict anonymous = 2
    disable netbios = no

    #handle charsets
    dos charset = ASCII
    unix charset = UTF8
    display charset = UTF8

    #kill printers
    load printers = no
    show add printer wizard = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
   comment = Home Directories
   read only = No
   browseable = no
   writable = yes

nsswitch.conf is pointing to winbind in the proper places and
/etc/pam.d/pertinent_files are looking at pam_winbind and are therefore not


More information about the samba mailing list