[Samba] Domain Member keytabs invalid after Password Change
Chase Whitener
chase.whitener at infotechfl.com
Mon Sep 19 07:45:49 MDT 2011
Hi Dirk,
No, I haven't gotten any word back yet. If you have any insight into what I
might be doing incorrectly, it would be greatly appreciated.
Thanks,
Chase
On Mon, Sep 19, 2011 at 3:10 AM, Dirk Gouders <gouders at et.bocholt.fh-gelsenkirchen.de> wrote:
> Chase Whitener <chase.whitener at infotechfl.com> writes:
>
> > We have a 2008r2 AD domain. We join Linux machines as domain members using
> > Samba with Winbind (I'll show all of my config files below). This portion
> > of our setup works without failures of any kind. However, some of these
> > machines are web servers for Intranet stuff and we'd like to have SSO
> > working. For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
> > keytab file). So, since we're already joining the machines to the domain
> > with Samba, we thought it would be smart to just generate the keytab files
> > with net ads.
> >
> > export KRB5_KTNAME=FILE:/etc/www.keytab
> > net ads keytab create -Udomain-admin (requires a password, so this can't be
> > scripted and run in cron)
> > net ads keytab add HTTP -Udomain-admin (requires a password, so this can't
> > be scripted and run in cron)
> > unset KRB5_KTNAME
> > chown apache /etc/www.keytab
> > service httpd restart
> >
> > However, when Samba changes the machine account's password (seemingly
> > randomly), those keytab files are no longer valid and have to be
> > regenerated. Is there some way for those keytab files to be updated
> > automatically when Samba updates the machine account, or some setting to
> > stop Samba from updating that password? And alternatively, are we doing
> > things in a completely wrong way? I apologize for writing a book here, but
> > without all of the background info, you may not be able to help. Here are
> > my config files for a machine:
>
> Hi Chase,
>
> I did not see an answer to your question and would like to ask if you
> received any help with your problem or solved it some other way.
>
> Regards,
>
> Dirk
>
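The following script is an added example, not part of the thread above and not Samba's own code. It addresses the two problems in Chase's procedure: the `-Udomain-admin` logon that needs an interactive password, and the Apache keytab silently going stale when winbind rotates the machine account password (the interval is smb.conf's `machine password timeout`, one week by default). Every key in both keytabs is derived from the same machine account password, so the key version number (KVNO) of `host/<fqdn>` in the winbind-maintained system keytab and of `HTTP/<fqdn>` in the Apache keytab must agree; when they do not, the script re-runs the thread's own `net ads keytab` commands with `-P`, which uses the machine account password stored in secrets.tdb and therefore needs no domain-admin password and can run from cron. Assumptions (none of which the thread states): the system keytab is /etc/krb5.keytab and is kept current by winbind (`kerberos method = system keytab` or `secrets and keytab` in smb.conf; `dedicated keytab` mode is not updated), principals are written as `host/<fqdn>` and `HTTP/<fqdn>` with the lower-case output of `hostname -f`, Apache runs as user `apache` and is managed with `service httpd`, and the script name refresh-www-keytab.sh is hypothetical. The klist output in the usage example is constructed.

```shell
#!/bin/sh
# refresh-www-keytab.sh (hypothetical name; example code, not from the thread
# or from Samba). Keep a dedicated Apache/mod_auth_kerb keytab in step with
# the machine account password that winbind rotates.
#
# Assumptions (not stated in the thread): /etc/krb5.keytab is maintained by
# winbind (kerberos method = system keytab or secrets and keytab); principals
# are host/<fqdn> and HTTP/<fqdn> with the lower-case `hostname -f`; Apache
# runs as "apache" and is controlled with `service httpd`.

APACHE_KEYTAB=${APACHE_KEYTAB:-/etc/www.keytab}
SYSTEM_KEYTAB=${SYSTEM_KEYTAB:-/etc/krb5.keytab}

# keytab_kvno PRINCIPAL: read MIT `klist -k -t` output on stdin and print the
# highest KVNO recorded for PRINCIPAL (e.g. HTTP/web01.example.com, realm
# omitted). Prints nothing if the principal is absent. Scans every field, so
# it also copes with the extra enctype column that `klist -e` adds.
keytab_kvno() {
    awk -v spn="$1" '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if (index($i, spn "@") == 1 && $1 + 0 > max)
                    max = $1 + 0
        }
        END { if (max >= 0) print max }'
}

# keytab_stale REF_KVNO APACHE_KVNO
#   0  Apache keytab is stale (principal missing or KVNO differs): re-key it
#   1  KVNOs match: nothing to do
#   2  no reference KVNO available: the caller must decide another way
keytab_stale() {
    [ -n "$1" ] || return 2
    [ -z "$2" ] || [ "$1" != "$2" ]
}

# Re-create the Apache keytab with the machine account password from
# secrets.tdb (-P): the thread's commands without the interactive
# -Udomain-admin logon, so this is safe to run unattended from cron.
refresh_apache_keytab() {
    KRB5_KTNAME="FILE:$APACHE_KEYTAB" net ads keytab create -P || return 1
    KRB5_KTNAME="FILE:$APACHE_KEYTAB" net ads keytab add HTTP -P || return 1
    # The keytab is equivalent to the machine account password: only the
    # Apache user may read it.
    chown apache "$APACHE_KEYTAB" && chmod 0600 "$APACHE_KEYTAB"
    service httpd reload
}

main() {
    fqdn=$(hostname -f)
    ref=$(klist -k -t "$SYSTEM_KEYTAB" 2>/dev/null | keytab_kvno "host/$fqdn")
    cur=$(klist -k -t "$APACHE_KEYTAB" 2>/dev/null | keytab_kvno "HTTP/$fqdn")
    rc=0; keytab_stale "$ref" "$cur" || rc=$?
    case $rc in
        0)  echo "HTTP/$fqdn kvno ${cur:-<none>} != machine account kvno $ref; re-keying $APACHE_KEYTAB" >&2
            refresh_apache_keytab ;;
        1)  echo "$APACHE_KEYTAB kvno $cur is current" >&2 ;;
        *)  # No host/ entry to compare against: ask the KDC directly by
            # trying to obtain a TGT with the Apache keytab.
            cc="FILE:/tmp/www-keytab-probe.$$"
            if ! kinit -k -t "$APACHE_KEYTAB" -c "$cc" "HTTP/$fqdn" 2>/dev/null; then
                echo "kinit with $APACHE_KEYTAB failed; re-keying" >&2
                refresh_apache_keytab
            fi
            kdestroy -c "$cc" 2>/dev/null ;;
    esac
}

# Only act when invoked with "run" (e.g. hourly from cron:
#   0 * * * * root /usr/local/sbin/refresh-www-keytab.sh run);
# sourcing the file merely defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Fed a constructed `klist -k -t /etc/www.keytab` listing whose HTTP/web01.example.com entries carry KVNO 3 and 4, `keytab_kvno HTTP/web01.example.com` prints 4 and `keytab_kvno host/web01.example.com` prints nothing; `keytab_stale 5 4` and `keytab_stale 5 ""` both succeed (re-key), `keytab_stale 4 4` fails (current), and `keytab_stale "" 4` returns 2 so that `main` falls back to the kinit probe. Re-keying replaces the HTTP/ keys, so clients holding service tickets issued under the old key may see one failed request until they fetch a fresh ticket; run the check at least as often as `machine password timeout` so the window stays short.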