[Samba] Samba4 and sssd, keytab file expires?

Alessandro Briosi tsdogs at briosix.org
Mon Dec 29 10:29:05 MST 2014

Hi all.
I have the following setup:

1st dc is on CentOS 6 with Sernet samba 4.1.13
2nd dc is on Debian 7 with Sernet samba 4.1.13

The 2 dc work as expected.

On CentOS I was able to configure sssd to work.
On Debian I'm using winbind.

Now I have a 3rd server which is CentOS 7 with samba 4.1.1 from CentOS 

This system serves as a file server and works ok with samba, but I have 
a few other services (ftp, ssh) which rely on sssd 1.11.2

I dumped the krb key file from the 1st dc but with the name of the file 
server (as CentOS 7 does not have samba-tool command), then copied it 
over. (command is "samba-tool domain exportkeytab krb5.sssd.keytab 
--principal=$fileserver" )

sssd on this last server works for a few days, then it stops 
authenticating system users (ftp, ssh, etc).
In the logs I get:
[sssd[ldap_child[1179]]]: Failed to initialize credentials using keytab 
[/etc/sssd/krb5.sssd.keytab]: Preauthentication failed. Unable to create 
GSSAPI-encrypted LDAP connection.
[sssd[ldap_child[1179]]]: Preauthentication failed

Even if I restart the service things don't change. The only solution I 
have found so far is regenerating the keytab file.
It seems that the kerberos principal expires. Is this normal?
Funny thing is that on the 1st dc I am using sssd too and ssh logins 
work as expected (no need to change the keytab file).

Anyone seen this before?

Thanks for your help.
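
Added example, not part of the original post and not Samba or sssd code: an MIT-format keytab entry stores a key version number (kvno) and a write timestamp but no expiry field, so one thing to compare when a copied keytab stops being accepted is its kvno against the account's current kvno. The sample keytab, the FILESRV$@EXAMPLE.TEST principal and the current_kvno argument (a value an administrator would read from the DC) are constructed assumptions.

```python
import struct

def _counted(buf, off):
    """Read a 16-bit length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def _entry(buf):
    """Decode one keytab entry; the key bytes are skipped, never returned."""
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, off = _counted(buf, 2)
    parts = []
    for _ in range(ncomp):
        part, off = _counted(buf, off)
        parts.append(part.decode())
    _type, written, kvno, enctype = struct.unpack_from(">IIBH", buf, off)
    _key, off = _counted(buf, off + 11)
    if len(buf) - off >= 4:         # optional 32-bit kvno overrides the 8-bit one
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return {"principal": "/".join(parts) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "written": written}

def parse_keytab(data):
    """Return the entries of an MIT keytab file (format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_entry(data[pos:pos + size]))
        pos += abs(size)            # a negative size marks a deleted slot
    return entries

def stale(entries, current_kvno):
    """Entries whose kvno differs from the account's current kvno on the DC."""
    return [e for e in entries if e["kvno"] != current_kvno]

def sample_keytab(kvno):
    """Constructed one-entry keytab for FILESRV$@EXAMPLE.TEST with a dummy key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + s(b"EXAMPLE.TEST") + s(b"FILESRV$")
            + struct.pack(">IIBH", 1, 1419800000, kvno & 0xFF, 18)
            + s(bytes(32)) + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On a real host, `parse_keytab(open("/etc/sssd/krb5.sssd.keytab", "rb").read())` lists the same principal and kvno columns that `klist -k` prints.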
