[Samba] Keytabs (obviously) not valid after password change

George jorgito1412 at gmail.com
Sat Aug 16 21:12:58 MDT 2014

Hi team,

I recently deployed some member servers on a Samba4 AD domain, using sssd
for consistent idmapping between servers. Everything works flawlessly,
except that this time I decided to use the member server's machine account

I noticed that every 7 days, the keytab "expires" and sssd cannot auth
anymore against the AD. This is related to the fact that by default, every
7 days Samba changes the machine account password which drives the keytab

So what would be a *recommended* current best practice here?? Things that
come to mind:

* Use the domain controller account keytab instead, which doesn't seem to
expire (does it? Anyway it sounds like a BAD idea)
* Use a keytab from a user account with the "password never expires" option
* Set machine password timeout = 0 (my current workaround)
* Set kerberos method = secrets and keytab (it seems that the machine
account password doesn't get changed when this is set. Still, I don't
really auth anything directly towards winbind/kerberos so this shouldn't be

Perhaps the keytab updating should be done by Samba itself? (see bug 6750).
Any status on whether this is getting into mainstream?

Best regards.
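For readers comparing the options above, here is an smb.conf fragment (added for illustration, not from the original post or from the Samba project documentation) contrasting the workaround in the post with the setting that lets the member server keep rotating its machine password. The `machine password timeout` and `kerberos method` parameters are real smb.conf options; the realm, hostname and keytab path are placeholders, and the claim that winbind rewrites the system keytab after a password change under `secrets and keytab` is my understanding of Samba's behaviour, which should be confirmed against the smb.conf man page of the version in use.

```ini
[global]
    workgroup = EXAMPLE          ; placeholder
    realm = EXAMPLE.LOCAL        ; placeholder
    security = ADS

    ; --- Option A: the workaround from the post ---
    ; 0 disables rotation entirely. The keytab stops "expiring", but the
    ; machine account password is never changed again, so a leaked keytab
    ; or secrets.tdb stays valid until someone rotates it by hand
    ; (net ads changetrustpw). Easy to forget, hard to audit.
    ; machine password timeout = 0

    ; --- Option B: keep the default 7-day rotation (604800 seconds) and let
    ; Samba maintain the keytab ---
    ; With a keytab-based kerberos method, winbind writes the new machine
    ; key into the keytab when it changes the password, so sssd (pointed at
    ; the same file via krb5_keytab in sssd.conf) keeps working across
    ; rotations. Assumption: behaviour as understood for Samba 4.x.
    machine password timeout = 604800
    kerberos method = secrets and keytab
    ; Optionally keep Samba's keys out of the shared system keytab:
    ; kerberos method = dedicated keytab
    ; dedicated keytab file = /etc/samba/samba.keytab   ; placeholder path

; Verification after the next rotation (placeholder host and realm):
;   klist -kte /etc/krb5.keytab           ; KVNO should have increased
;   kinit -kt /etc/krb5.keytab 'MEMBER01$@EXAMPLE.LOCAL'
; A failing kinit with "Preauthentication failed" after a rotation means the
; keytab still holds the old key.
```

The point of Option B is that the 7-day expiry the post describes is the keytab falling behind the password, not the password itself being short-lived; keeping rotation and fixing who maintains the keytab addresses the cause rather than the symptom.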
