[Samba] Domain Member keytabs invalid after Password Change

Chase Whitener chase.whitener at infotechfl.com
Mon Sep 19 07:45:49 MDT 2011

Hi Dirk,

No, I haven't gotten any word back yet.  If you have any insight into what I
might be doing incorrectly, it would be greatly appreciated.


On Mon, Sep 19, 2011 at 3:10 AM, Dirk Gouders <gouders at et.bocholt.fh-gelsenkirchen.de> wrote:

> Chase Whitener <chase.whitener at infotechfl.com> writes:
> > We have a 2008r2 AD domain.  We join Linux machines as domain members using
> > Samba with Winbind (I'll show all of my config files below).  This portion
> > of our setup works without failures of any kind.  However, some of these
> > machines are web servers for Intranet stuff and we'd like to have SSO
> > working.  For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
> > keytab file).  So, since we're already joining the machines to the domain
> > with Samba, we thought it would be smart to just generate the keytab files
> > with net ads.
> >
> > export KRB5_KTNAME=FILE:/etc/www.keytab
> > net ads keytab create -Udomain-admin  (requires a password, so this can't be
> > scripted and run in cron)
> > net ads keytab add HTTP -Udomain-admin  (requires a password, so this can't
> > be scripted and run in cron)
> > unset KRB5_KTNAME
> > chown apache /etc/www.keytab
> > service httpd restart
> >
> > However, when Samba changes the machine account's password (seemingly
> > randomly), those keytab files are no longer valid and have to be
> > regenerated.  Is there some way for those keytab files to be updated
> > automatically when Samba updates the machine account, or some setting to
> > stop Samba from updating that password?  And alternatively, are we doing
> > things in a completely wrong way?  I apologize for writing a book here, but
> > without all of the background info, you may not be able to help.  Here are my
> > config files for a machine:
> Hi Chase,
> I did not see an answer to your question and would like to ask if you
> received any help with your problem or solved it some other way.
> Regards,
> Dirk
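The keytabs in the quoted message stop working because every machine-account password change raises the account's key version number (kvno) in AD, while /etc/www.keytab still holds keys for the old kvno; tickets issued for the new kvno can no longer be decrypted with it. The example below is added here for illustration and is not code from either poster or from the Samba project. It parses a keytab in the MIT v2 format and reports principals whose newest key lags the kvno AD currently holds, which is the check a cron job could run before deciding to regenerate. The sample keytab, the principal names, the realm and the kvno values are constructed; on a real host you would read /etc/www.keytab and take the reference kvno from the machine account's msDS-KeyVersionNumber attribute.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2


def _counted(data, off):
    """Read a uint16-length-prefixed octet string at offset `off`."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, timestamp} dicts from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen         # the key material itself is not needed here
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno; non-zero overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "timestamp": timestamp,
        })
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into MIT v2 keytab bytes (constructed test data)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1316415600, kvno & 0xFF)   # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                            # vno32
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def stale_principals(entries, ad_kvno):
    """Principals whose newest key in the keytab is older than the kvno AD reports."""
    newest = {}
    for e in entries:
        newest[e["principal"]] = max(newest.get(e["principal"], 0), e["kvno"])
    return sorted(p for p, v in newest.items() if v < ad_kvno)


def load_keytab(path):
    with open(path, "rb") as f:
        return parse_keytab(f.read())


# Constructed sample: HTTP/ was written at kvno 3, host/ was refreshed to kvno 4.
SAMPLE_ENTRIES = [
    ("HTTP/web01.example.com@EXAMPLE.COM", 3, 18, bytes(range(32))),   # 18 = aes256-cts-hmac-sha1-96
    ("host/web01.example.com@EXAMPLE.COM", 3, 18, bytes(range(32, 64))),
    ("host/web01.example.com@EXAMPLE.COM", 4, 18, bytes(range(64, 96))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%-40s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    print("stale at AD kvno 4:", stale_principals(entries, 4))
```

Two related points for anyone reading this thread later: winbind rotates the machine password on the interval set by the smb.conf parameter `machine password timeout` (default one week), which is the "seemingly random" change in the message; and Samba can maintain the system keytab itself when `kerberos method = secrets and keytab` is set in smb.conf, so the HTTP key is rewritten at each rotation rather than going stale.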
