[Samba] Samba4 and sssd, keytab file expires?
tsdogs at briosix.org
Mon Dec 29 10:29:05 MST 2014
I have the following setup:
1st dc is on CentOS 6 with Sernet samba 4.1.13
2nd dc is on Debian 7 with Sernet samba 4.1.13
The 2 dc work as expected.
On CentOS I was able to configure sssd to work.
On Debian I'm using winbind.
Now I have a 3rd server which is CentOS 7 with samba 4.1.1 from CentOS.
This system serves as a file server and works ok with samba, but I have
a few other services (ftp, ssh) which rely on sssd 1.11.2
I dumped the krb key file from the 1st dc but with the name of the file
server (as CentOS 7 does not have samba-tool command), then copied it
over. (command is "samba-tool domain exportkeytab krb5.sssd.keytab
sssd on this last server is working for a few days, then it stops
authenticating system users (ftp, ssh, etc).
In the logs I get:
[sssd[ldap_child]]: Failed to initialize credentials using keytab
[/etc/sssd/krb5.sssd.keytab]: Preauthentication failed. Unable to create
GSSAPI-encrypted LDAP connection.
[sssd[ldap_child]]: Preauthentication failed
Even if I restart the service things don't change. The only solution I
have found so far is regenerating the keytab file.
It seems that the kerberos principal expires. Is this normal?
Funny thing is that on the 1st dc I am using sssd too and ssh logins
work as expected (no need to change the keytab file).
Anyone seen this before?
Thanks for your help.