[Samba] Samba4 and sssd, keytab file expires?
Alessandro Briosi
tsdogs at briosix.org
Mon Dec 29 10:29:05 MST 2014
Hi all.
I have the following setup:
1st dc is on CentOS 6 with Sernet samba 4.1.13
2nd dc is on Debian 7 with Sernet samba 4.1.13
The 2 dc work as expected.
On CentOS I was able to configure sssd to work.
On Debian I'm using winbind.
Now I have a 3rd server which is CentOS 7 with samba 4.1.1 from CentOS
repository.
This system serves as a file server and works ok with samba, but I have
a few other services (ftp, ssh) which rely on sssd 1.11.2
I dumped the krb key file from the 1st dc but with the name of the file
server (as CentOS 7 does not have samba-tool command), then copied it
over. (command is "samba-tool domain exportkeytab krb5.sssd.keytab
--principal=$fileserver" )
sssd on this last server works for a few days, then it stops
authenticating system users (ftp, ssh, etc.).
In the logs I get:
[sssd[ldap_child[1179]]]: Failed to initialize credentials using keytab
[/etc/sssd/krb5.sssd.keytab]: Preauthentication failed. Unable to create
GSSAPI-encrypted LDAP connection.
[sssd[ldap_child[1179]]]: Preauthentication failed
Even if I restart the service things don't change. The only solution I
have found so far is regenerating the keytab file.
It seems that the kerberos principal expires. Is this normal?
Funny thing is that on the 1st dc I am using sssd too and ssh logins
work as expected (no need to change the keytab file).
Anyone seen this before?
Thanks for your help.
Alessandro