[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
Rowland Penny
rowlandpenny at googlemail.com
Wed Dec 31 02:56:21 MST 2014
On 31/12/14 08:58, Alessandro Briosi wrote:
>>> Hi, how have you setup the fileserver ?
>>> Is it joined to the domain ?
>>> Can you post your fileservers smb.conf
>
>>> Rowland
>
> OT: Oops, wasn't subscribed to the mailing list :)
>
> Yes, server is joined to the domain (otherwise I would not be able to
> generate the principal)
>
> Server configuration is following (only global part), winbind config
> is there because it was used before sssd (I had troubles with library
> paths on CentOS 7 and sssd)
>
> [global]
> workgroup = DOMAIN
> realm = AD.DOMAIN.NET
> security = ads
> idmap config * : range = 16777216-33554431
> template shell = /sbin/nologin
> kerberos method = secrets only
> netbios name = srvfile1
> netbios aliases = srvfile
> reset on zero vc = yes
>
> server string =
> encrypt passwords = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-20000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 0-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = false
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> create mask = 0770
OK, you can get winbind to update your keytab, but you need to alter your
smb.conf slightly. You need to change 'kerberos method = secrets only'
to either 'kerberos method = secrets and keytab' or 'kerberos method =
system keytab' and add the line
'dedicated keytab file = /etc/krb5.keytab'.
You also have a line twice: 'idmap config * : range = 16777216-33554431'
and 'idmap config *:range = 10000-20000'. You really shouldn't start the
'DOMAIN' range with '0'; it also overlaps with the second 'idmap config
*:range'.
Remember to restart samba after making the changes.
Rowland
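As an added check that is not part of this thread (my own script, not Samba's), the following Python parses a [global] section for the points raised above: duplicate or overlapping idmap ranges, a range starting at 0, and whether 'kerberos method' and 'dedicated keytab file' are set so winbind can maintain the keytab. The sample configuration is constructed from the one posted above; testparm remains the tool for general syntax checking.

```python
import re
from itertools import combinations

# Constructed sample: the relevant lines from the [global] section posted in
# the thread, keeping the two '*' ranges and the DOMAIN range starting at 0.
SMB_CONF = """
[global]
workgroup = DOMAIN
realm = AD.DOMAIN.NET
security = ads
idmap config * : range = 16777216-33554431
kerberos method = secrets only
idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 0-40000
"""

# Matches both 'idmap config * : range = a-b' and 'idmap config *:range = a-b'.
RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Return (domain, low, high) for every idmap range line, in file order."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in (RANGE_RE.match(l) for l in conf.splitlines()) if m]

def get_param(conf, name):
    """Return the last value of a global parameter (smb.conf keeps the last one), or None."""
    pat = re.compile(r"^\s*" + r"\s+".join(map(re.escape, name.split())) + r"\s*=\s*(.*?)\s*$", re.I)
    value = None
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            value = m.group(1)
    return value

def check_conf(conf):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings, seen = [], {}
    ranges = parse_idmap_ranges(conf)
    for dom, lo, hi in ranges:
        if dom in seen:
            findings.append(f"duplicate range for '{dom}': {seen[dom]} and {lo}-{hi}")
        seen[dom] = f"{lo}-{hi}"
        if lo == 0:  # uid/gid 0 is root; a domain range must not cover local system ids
            findings.append(f"range for '{dom}' starts at 0 and collides with local system ids")
    for (d1, l1, h1), (d2, l2, h2) in combinations(ranges, 2):
        if l1 <= h2 and l2 <= h1:  # closed intervals intersect
            findings.append(f"overlap: '{d1}' {l1}-{h1} and '{d2}' {l2}-{h2}")
    method = (get_param(conf, "kerberos method") or "default").lower()
    if method not in ("secrets and keytab", "system keytab"):
        findings.append(f"kerberos method = {method}: winbind will not update the keytab")
    if get_param(conf, "dedicated keytab file") is None:
        findings.append("dedicated keytab file is not set")
    return findings

if __name__ == "__main__":
    for f in check_conf(SMB_CONF):
        print(f)
```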