[Samba] Samba4 and sssd, keytab file expires?

Rowland Penny rowlandpenny at googlemail.com
Tue Dec 30 03:35:27 MST 2014

On 29/12/14 17:29, Alessandro Briosi wrote:
> Hi all.
> I have the following setup:
> 1st dc is on CentOS 6 with Sernet samba 4.1.13
> 2nd dc is on Debian 7 with Sernet samba 4.1.13
> The 2 dc work as expected.
> on CentOS I was able to configure sssd to work
> on Debian I'm using winbind
> Now I have a 3rd server which is CentOS 7 with samba 4.1.1 from CentOS 
> repository.
> This system serves as a file server and works ok with samba, but I 
> have a few other services (ftp, ssh) which rely on sssd 1.11.2
> I dumped the krb key file from the 1st dc but with the name of the 
> file server (as CentOS 7 does not have samba-tool command), then 
> copied it over. (command is "samba-tool domain exportkeytab 
> krb5.sssd.keytab --principal=$fileserver" )
> sssd on this last server is working for a few days, then it stops 
> authenticating system users (ftp, ssh, etc)
> In the logs I get:
> [sssd[ldap_child[1179]]]: Failed to initialize credentials using 
> keytab [/etc/sssd/krb5.sssd.keytab]: Preauthentication failed. Unable 
> to create GSSAPI-encrypted LDAP connection.
> [sssd[ldap_child[1179]]]: Preauthentication failed
> Even if I restart the service things don't change. The only solution I 
> have found so far is regenerating the keytab file.
> It seems that the kerberos principal expires. Is this normal?
> Funny thing is that on the 1st dc I am using sssd too and ssh logins 
> work as expected (no need to change the keytab file).
> Anyone seen this before?
> Thanks for your help.
> Alessandro

Hi, how have you set up the fileserver?
Is it joined to the domain?
Can you post your fileserver's smb.conf?

