[Samba] Domain Member keytabs invalid after Password Change
Chase Whitener
chase.whitener at infotechfl.com
Tue Sep 13 11:50:14 MDT 2011
We have a 2008r2 AD domain. We join Linux machines as domain members using
Samba with Winbind (I'll show all of my config files below). This portion
of our setup works without failures of any kind. However, some of these
machines are web servers for Intranet stuff and we'd like to have SSO
working. For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
keytab file). So, since we're already joining the machines to the domain
with Samba, we thought it would be smart to just generate the keytab files
with net ads.
export KRB5_KTNAME=FILE:/etc/www.keytab
net ads keytab create -Udomain-admin (requires a password, so this can't be
scripted and run in cron)
net ads keytab add HTTP -Udomain-admin (requires a password, so this can't
be scripted and run in cron)
unset KRB5_KTNAME
chown apache /etc/www.keytab
service httpd restart
However, when Samba changes the machine account's password (seemingly
randomly), those keytab files are no longer valid and have to be
regenerated. Is there some way for those keytab files to be updated
automatically when Samba updates the machine account, or some setting to
stop Samba from updating that password? And alternatively, are we doing
things in a completely wrong way? I apologize for writing a book here, but
without all of the background info, you may not be able to help. Here are my
config files for a machine:
----------------------------------
AD 2008 R2 domain controllers. (ad.foo.com for example purposes)
CentOS 6 domain member:
[root at wolf ~]# yum list installed | grep samba
samba.x86_64 3.5.4-68.el6_0.2 @updates
samba-client.x86_64 3.5.4-68.el6_0.2 @updates
samba-common.x86_64 3.5.4-68.el6_0.2 @updates
samba-winbind.x86_64 3.5.4-68.el6_0.2 @updates
samba-winbind-clients.x86_64
krb5.conf:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = AD.FOO.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    clock_skew = 300
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tks_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
    }

[domain_realm]
    .infotechfl.com = AD.FOO.COM
    infotechfl.com = AD.FOO.COM
    .ad.infotechfl.com = AD.FOO.COM
    ad.infotechfl.com = AD.FOO.COM
smb.conf:

[global]
    workgroup = AD
    netbios name = Wolf
    server string = Wolf
    security = ADS
    realm = AD.FOO.COM
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    allow trusted domains = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    pam password change = no
    obey pam restrictions = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
    idmap uid = 1000-50000000
    idmap gid = 1000-50000000
    winbind separator = +
    winbind use default domain = yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    template shell = /bin/bash
    template homedir = /home/%U
    winbind cache time = 3600
    winbind refresh tickets = yes
    winbind offline logon = false
    winbind refresh tickets = yes
    client NTLMv2 auth = yes
    restrict anonymous = 2
    disable netbios = no
    #handle charsets
    dos charset = ASCII
    unix charset = UTF8
    display charset = UTF8
    #kill printers
    load printers = no
    show add printer wizard = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[homes]
    comment = Home Directories
    read only = No
    browseable = no
    writable = yes
nsswitch.conf is pointing to winbind in the proper places and
/etc/pam.d/pertinent_files are looking at pam_winbind and are therefore not
affected.
Thanks,
Chase
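The failure described in the post (the HTTP keytab silently going stale after winbind rotates the machine-account password) is a key version number (kvno) mismatch: the KDC issues service tickets under the account's current kvno, and the keytab only holds keys for the old one. The script below is an added example, not code from the post or from the Samba project. It parses `klist -kt` output to find the highest kvno the keytab holds for the HTTP principal, compares it with the account's kvno, and reports "stale" so a cron job or monitoring check can flag the host before users hit mod_auth_kerb errors. The `klist -kt` sample is constructed; the principal name, the keytab path and the commented `net ads search` invocation for reading `msDS-KeyVersionNumber` are assumptions for illustration, not anything the page shows.

```shell
#!/bin/sh
# Added example: detect a stale service keytab after a machine-account password
# change by comparing key version numbers (kvno). Not from the original post.
# Assumptions: "klist -kt" output in the MIT format sampled below; the account's
# current kvno comes from the AD attribute msDS-KeyVersionNumber (hypothetical
# "net ads search" invocation in the comment near the end).

KEYTAB="${KEYTAB:-/etc/www.keytab}"
SERVICE_PRINCIPAL="${SERVICE_PRINCIPAL:-HTTP/wolf.ad.foo.com@AD.FOO.COM}"

# Constructed sample of "klist -kt /etc/www.keytab", so the script runs offline.
# The keytab holds kvno 3 for host/ and HTTP/, plus a leftover kvno 2 HTTP/ key.
SAMPLE_KLIST='Keytab name: FILE:/etc/www.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/13/11 11:50:14 host/wolf.ad.foo.com@AD.FOO.COM
   3 09/13/11 11:50:14 HTTP/wolf.ad.foo.com@AD.FOO.COM
   2 09/01/11 08:12:00 HTTP/wolf.ad.foo.com@AD.FOO.COM'

# keytab_kvno <principal>: read klist -kt text on stdin and print the highest
# kvno stored for that principal; prints nothing if the principal is absent.
# The principal is matched against every field so the output of "klist -k",
# "klist -kt" and "klist -kte" (with the enctype appended) all work.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == p) { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        }
        END { if (found) print max }'
}

# needs_refresh <keytab_kvno> <account_kvno>: true (exit 0) when the keytab
# lags behind the account, i.e. new service tickets cannot be decrypted.
needs_refresh() {
    [ -z "$1" ] && return 0          # principal missing from the keytab entirely
    [ "$1" -lt "$2" ]
}

# keytab_status <account_kvno>: reads klist -kt text on stdin, prints a
# one-line verdict for $SERVICE_PRINCIPAL and returns 1 when the keytab is stale.
keytab_status() {
    kv=$(keytab_kvno "$SERVICE_PRINCIPAL")
    if needs_refresh "$kv" "$1"; then
        echo "stale: keytab kvno=${kv:-none}, account kvno=$1 ($SERVICE_PRINCIPAL)"
        return 1
    fi
    echo "current: kvno=$kv ($SERVICE_PRINCIPAL)"
}

# Live use (commented out; the net ads query is an assumption, not from the page):
#   acct="$(hostname -s | tr a-z A-Z)\$"
#   account_kvno=$(net ads search "(sAMAccountName=$acct)" msDS-KeyVersionNumber -P \
#                  | awk '/^msDS-KeyVersionNumber:/ { print $2 }')
#   klist -kt "$KEYTAB" | keytab_status "$account_kvno" || echo "regenerate $KEYTAB"

# Offline demonstration on the constructed sample: kvno 3 is current, kvno 4 is not.
printf '%s\n' "$SAMPLE_KLIST" | keytab_status 3 || true
printf '%s\n' "$SAMPLE_KLIST" | keytab_status 4 || true
```

Two Samba settings are the usual levers once the mismatch is confirmed, to my knowledge of the smb.conf man page rather than anything stated in the post: `machine password timeout` controls how often winbind rotates the machine-account password (seconds; 0 disables rotation, which removes the symptom but also gives up the periodic re-keying of the host credential), and `use kerberos keytab = yes` in the 3.5 series (replaced by `kerberos method` in later releases) asks Samba to maintain principals in the system keytab when it changes the password, which is the option to test before deciding to freeze the password at all.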