[Samba] Keytabs (obviously) not valid after password change

Ryan Ashley ryana at reachtechfp.com
Sun Aug 17 16:18:42 MDT 2014

When Rowland had me join my server to the domain it created its own keytab. There was no exporting from the DC. I thought the keytab exported via samba-tool was for DNS, not Kerberos. Then again, I have never had to export it and may be wrong. Either way, each member server should create its own keytab when you join it to your domain, if the configuration specifies one.

Sent from my Verizon Wireless 4G LTE smartphone

<div>-------- Original message --------</div><div>From: George <jorgito1412 at gmail.com> </div><div>Date:2014/08/17  15:34  (GMT-05:00) </div><div>To: samba at lists.samba.org </div><div>Subject: Re: [Samba] Keytabs (obviously) not valid after password change </div><div>
</div>I am running 4.1.9, with the keytab exported using samba-tool and placed on

It looked strange that this has been barely mentioned on the lists. Some
misconfiguration on my side maybe?

Steve, do you have "kerberos method" set on your member servers?

Best regards,


On Sun, Aug 17, 2014 at 7:24 AM, steve <steve at steve-ss.com> wrote:

> On Sun, 2014-08-17 at 00:12 -0300, George wrote:
> >  every
> > 7 days Samba changes the machine account password which drives the keytab
> > unusable.
> Hi
> 4.1.7 AD with sssd 1.12.0
> We don't observe that behaviour. sssd uses the machine key of the box it
> is running upon. Our Linux machines have been up months with the same
> keytab. Maybe something has changed recently? Anyone else?
> Cheers,
> Steve
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list