[Samba] Domain Member keytabs invalid after Password Change

Dirk Gouders gouders at et.bocholt.fh-gelsenkirchen.de
Mon Sep 19 01:10:59 MDT 2011

Chase Whitener <chase.whitener at infotechfl.com> writes:

> We have a 2008r2 AD domain.  We join Linux machines as domain members using
> Samba with Winbind (I'll show all of my config files below).  This portion
> of our setup works without failures of any kind.  However, some of these
> machines are web servers for Intranet stuff and we'd like to have SSO
> working.  For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
> keytab file).  So, since we're already joining the machines to the domain
> with Samba, we thought it would be smart to just generate the keytab files
> with net ads.
> export KRB5_KTNAME=FILE:/etc/www.keytab
> net ads keytab create -Udomain-admin  (requires a password, so this can't be
> scripted and run in cron)
> net ads keytab add HTTP -Udomain-admin  (requires a password, so this can't
> be scripted and run in cron)
> unset KRB5_KTNAME
> chown apache /etc/www.keytab
> service httpd restart
> However, when Samba changes the machine account's password (seemingly
> randomly), those keytab files are no longer valid and have to be
> regenerated.  Is there some way for those keytab files to be updated
> automatically when Samba updates the machine account, or some setting to
> stop Samba from updating that password?  And alternatively, are we doing
> things in a completely wrong way?  I apologize for writing a book here, but
> without all of the background info, you may not be able to help.  Here are my
> config files for a machine:

Hi Chase,

I did not see an answer to your question and would like to ask if you
received any help with your problem or solved it some other way.
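The keytab maintenance the quoted post describes, written up as an added example (not code from the thread or from Samba): a script that checks whether the HTTP key in /etc/www.keytab is still accepted by the KDC and, when Samba has rotated the machine password, rebuilds the keytab with the machine account's own credentials so no domain-admin password is needed and it can run from cron. It assumes MIT Kerberos tools (klist, kinit, kdestroy), Samba's `net ads keytab ... -P` machine-password option, and a constructed `klist -k` listing for the offline parser check.

```shell
#!/bin/sh
# Added example (not from the thread): detect an Apache keytab made stale by a
# machine-account password change and rebuild it without a password prompt.
# Assumes MIT Kerberos tools (klist/kinit/kdestroy) and a Samba domain member,
# so `net ads keytab ... -P` uses the machine password kept in secrets.tdb.

KEYTAB=${KEYTAB:-/etc/www.keytab}
SPN=${SPN:-HTTP/$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo localhost)}

# Constructed `klist -k` listing (MIT format) for the offline parser check.
SAMPLE_KLIST='Keytab name: FILE:/etc/www.keytab
KVNO Principal
---- ---------------------------------------
   2 host/web.example.com@EXAMPLE.COM
   3 host/web.example.com@EXAMPLE.COM
   2 HTTP/web.example.com@EXAMPLE.COM
   3 HTTP/web.example.com@EXAMPLE.COM'

# Read a `klist -k` listing on stdin; print the highest KVNO held for the
# principal in $1 (realm optional), or nothing if it is absent.
keytab_kvno() {
    awk -v spn="$1" '
        $1 ~ /^[0-9]+$/ && ($2 == spn || index($2, spn "@") == 1) && $1 + 0 > max {
            max = $1 + 0; found = 1
        }
        END { if (found) print max }'
}

# Return 0 while the keytab key is still accepted by the KDC. After Samba
# rotates the machine password the old key fails here (the symptom in the post).
keytab_is_valid() {
    kvno=$(klist -k "$KEYTAB" | keytab_kvno "$SPN"); [ -n "$kvno" ] || return 1
    cc=$(mktemp) || return 1
    kinit -k -t "$KEYTAB" -c "$cc" "$SPN" >/dev/null 2>&1; rc=$?
    kdestroy -c "$cc" >/dev/null 2>&1; rm -f "$cc"
    return $rc
}

# Rebuild with machine credentials and restart Apache so mod_auth_kerb reloads
# the keys; the keytab stays readable by the apache user only.
regenerate_keytab() {
    KRB5_KTNAME="FILE:$KEYTAB" net ads keytab create -P &&
    KRB5_KTNAME="FILE:$KEYTAB" net ads keytab add HTTP -P &&
    chown apache "$KEYTAB" && chmod 600 "$KEYTAB" &&
    service httpd restart
}
# Cron entry point, e.g. hourly: www-keytab.sh --check
if [ "${1:-}" = "--check" ]; then
    keytab_is_valid || regenerate_keytab
fi
```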
