[Samba] Keytabs (obviously) not valid after password change
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 20 04:09:07 MDT 2014
And...
I forgot to mention.
I'm using the default password policy for my AD,
and I didn't have any problems with my keytabs on all my servers.
Is the time on all your servers in sync?
Louis
>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Wednesday 20 August 2014 12:07
>To: samba at lists.samba.org
>Subject: Re: [Samba] Keytabs (obviously) not valid after
>password change
>
>hmm.
>
>> I thought
>>the keytab exported via samba-tool was for DNS, not Kerberos.
>
>Then you thought wrong, can happen... no worries.
>And yes, the basic howto is short of some needed settings and
>explanation also.
>But they are working hard on it, everyone wants something else
>basically..
>
>These:
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> client signing = if_required
>
>should be in the wiki as default settings imo..
>Saves lots of people lots of trouble..
>
>
>Louis
>
>
>>-----Original message-----
>>From: ryana at reachtechfp.com
>>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>Sent: Monday 18 August 2014 0:19
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] Keytabs (obviously) not valid after
>>password change
>>
>>When Rowland had me join my server to the domain it created
>>its own keytab. There was no exporting from the DC. I thought
>>the keytab exported via samba-tool was for DNS, not Kerberos.
>>Then again, I have never had to export it and may be wrong.
>>Either way, each member server should create its own keytab
>>when you join it to your domain, if the configuration specifies one.
>>
>>
>>Sent from my Verizon Wireless 4G LTE smartphone
>>
>>-------- Original message --------
>>From: George <jorgito1412 at gmail.com>
>>Date: 2014/08/17 15:34 (GMT-05:00)
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] Keytabs (obviously) not valid after password change
>>
>>I am running 4.1.9, with the keytab exported using
>>samba-tool and placed on
>>/etc/krb5.keytab
>>
>>It looked strange that this has been barely mentioned on the
>>lists. Some
>>misconfiguration on my side maybe?
>>
>>Steve, do you have "kerberos method" set on your member servers?
>>
>>Best regards,
>>
>>George
>>
>>On Sun, Aug 17, 2014 at 7:24 AM, steve <steve at steve-ss.com> wrote:
>>
>>> On Sun, 2014-08-17 at 00:12 -0300, George wrote:
>>> > every
>>> > 7 days Samba changes the machine account password which drives the keytab
>>> > unusable.
>>>
>>> Hi
>>> 4.1.7 AD with sssd 1.12.0
>>> We don't observe that behaviour. sssd uses the machine key of the box it
>>> is running upon. Our Linux machines have been up months with the same
>>> keytab. Maybe something has changed recently? Anyone else?
>>> Cheers,
>>> Steve
>>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions: https://lists.samba.org/mailman/options/samba