[Samba] Keytabs (obviously) not valid after password change
George
jorgito1412 at gmail.com
Sat Aug 16 21:12:58 MDT 2014
Hi team,
I recently deployed some member servers on a Samba4 AD domain, using sssd
for consistent idmapping between servers. Everything works flawlessly,
except that this time I decided to use the member server's machine account
keytab.
I noticed that every 7 days, the keytab "expires" and sssd cannot auth
anymore against the AD. This is related to the fact that by default, every
7 days Samba changes the machine account password which drives the keytab
unusable.
So what would be a *recommended* current best practice here?? Things that
come to mind:
* Use the domain controller account keytab instead, which doesn't seem to
expire (does it? Anyway it sounds like a BAD idea)
* Use a keytab from a user account with the "password never expires" option
enabled
* Set machine password timeout = 0 (my current workaround)
* Set kerberos method = secrets and keytab (it seems that the machine
account password doesn't get changed when this is set. Still, I don't
really auth anything directly towards winbind/kerberos so this shouldn't be
needed)
Perhaps the keytab updating should be done by Samba itself? (see bug 6750).
Any status on whether this is getting into mainstream?
Best regards.
George
More information about the samba
mailing list