[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 31 05:28:14 MST 2014


On 31/12/14 09:56, Rowland Penny wrote:
> On 31/12/14 08:58, Alessandro Briosi wrote:
>>>> Hi, how have you setup the fileserver ?
>>>> Is it joined to the domain ?
>>>> Can you post your fileservers smb.conf
>>
>>>> Rowland
>>
>> OT: Oops, wasn't subscribed to the mailing list :)
>>
>> Yes, server is joined to the domain (otherwise I would not be able to 
>> generate the principal)
>>
>> Server configuration is following (only global part), winbind config 
>> is there because it was used before sssd (I had troubles with library 
>> paths on CentOS 7 and sssd)
>>
>> [global]
>>    workgroup = DOMAIN
>>    realm = AD.DOMAIN.NET
>>    security = ads
>>    idmap config * : range = 16777216-33554431
>>    template shell = /sbin/nologin
>>    kerberos method = secrets only
>>    netbios name = srvfile1
>>    netbios aliases = srvfile
>>    reset on zero vc = yes
>>
>>    server string =
>>    encrypt passwords = yes
>>
>>    load printers = no
>>    printing = bsd
>>    printcap name = /dev/null
>>    disable spoolss = yes
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 10000-20000
>>    idmap config DOMAIN:backend = ad
>>    idmap config DOMAIN:schema_mode = rfc2307
>>    idmap config DOMAIN:range = 0-40000
>>
>>    winbind nss info = rfc2307
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users  = yes
>>    winbind enum groups = yes
>>    winbind offline logon = false
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = Yes
>>    store dos attributes = Yes
>>    create mask = 0770
>
> OK, you can get winbind to update your keytab, you need to alter your 
> smb.conf slightly. You need to change 'kerberos method = secrets only' 
> to either 'kerberos method = secrets and keytab' or 'kerberos method = 
> system keytab' and add the line
>
> 'dedicated keytab file = /etc/krb5.keytab'.
>
> You also have a line twice, 'idmap config * : range = 
> 16777216-33554431' and 'idmap config *:range = 10000-20000', you 
> really shouldn't start the 'DOMAIN' range with '0', it also overlaps 
> with the second 'idmap config *:range'.
>
> Remember to restart samba after making the changes.
>
> Rowland
>

OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to smb.conf

Rowland
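The two problems Rowland points out (a parameter defined twice, and idmap ranges that overlap or start at 0) are easy to miss by eye in a long [global] section. The following checker is an added example, not code from the thread or from the Samba project: it parses a [global] section, flags duplicate parameters, checks every `idmap config ...:range` for overlap and for a lower bound of 0, and reports whether the keytab-related settings recommended in the thread (`kerberos method`, `dedicated keytab file`, `winbind refresh tickets`) are present. The two embedded configurations are constructed samples: the first is the poster's [global] section reduced to the relevant lines (with the `idamp` typo corrected), the second applies the advice from the thread; the DOMAIN range of 100000-199999 in the second is an arbitrary example value, not something the thread specifies. The assumption that a later definition of the same parameter replaces an earlier one is marked in the code.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's [global] section, reduced to the lines that
# matter for the checks below ('idamp' typo corrected to 'idmap').
POSTED_GLOBAL = """
[global]
   workgroup = DOMAIN
   realm = AD.DOMAIN.NET
   security = ads
   idmap config * : range = 16777216-33554431
   kerberos method = secrets only
   idmap config *:backend = tdb
   idmap config *:range = 10000-20000
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 0-40000
"""

# Constructed sample: the same section with the thread's advice applied.
# The DOMAIN range 100000-199999 is an example value chosen here, not from the thread.
FIXED_GLOBAL = """
[global]
   workgroup = DOMAIN
   realm = AD.DOMAIN.NET
   security = ads
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind refresh tickets = Yes
   idmap config *:backend = tdb
   idmap config *:range = 10000-20000
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 100000-199999
"""

IDMAP_RANGE_KEY = re.compile(r"^idmap config (.+):range$")


def normalise_key(raw: str) -> str:
    """Lower-case, collapse whitespace, and drop spaces around ':' so that
    'idmap config * : range' and 'idmap config *:range' compare equal."""
    key = " ".join(raw.strip().lower().split())
    return re.sub(r"\s*:\s*", ":", key)


def parse_global(text: str) -> List[Tuple[str, str]]:
    """Return every (key, value) pair in the [global] section, in order,
    keeping duplicates so they can be reported."""
    pairs: List[Tuple[str, str]] = []
    in_global = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((normalise_key(key), value.strip()))
    return pairs


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into a tuple of ints."""
    low, high = (int(x) for x in value.replace(" ", "").split("-", 1))
    if low > high:
        raise ValueError(f"bad idmap range {value!r}")
    return low, high


def check_global(text: str) -> List[str]:
    """Return a list of problems found in the [global] section (empty if none)."""
    problems: List[str] = []
    effective: Dict[str, str] = {}
    for key, value in parse_global(text):
        if key in effective:
            problems.append(f"'{key}' defined twice ({effective[key]!r} then {value!r})")
        effective[key] = value  # assumption: the later definition wins

    # idmap ranges: must not start at 0 and must not overlap each other
    ranges = {m.group(1): parse_range(v)
              for k, v in effective.items()
              for m in [IDMAP_RANGE_KEY.match(k)] if m}
    for dom, (lo, hi) in ranges.items():
        if lo == 0:
            problems.append(f"idmap range for '{dom}' starts at 0 ({lo}-{hi})")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap ranges for '{a}' ({alo}-{ahi}) and "
                                f"'{b}' ({blo}-{bhi}) overlap")

    # keytab handling as recommended in the thread
    method = effective.get("kerberos method", "")
    if method not in ("secrets and keytab", "system keytab"):
        problems.append(f"kerberos method = {method!r}: winbind will not maintain the keytab")
    if "dedicated keytab file" not in effective:
        problems.append("'dedicated keytab file' is not set")
    if effective.get("winbind refresh tickets", "no").lower() not in ("yes", "true", "1"):
        problems.append("'winbind refresh tickets' is not enabled")
    return problems


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_GLOBAL), ("fixed", FIXED_GLOBAL)):
        found = check_global(conf)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Running it reports six problems for the posted section (the duplicated `*` range, the DOMAIN range starting at 0 and overlapping the `*` range, and the three missing keytab settings) and none for the corrected one; point it at your own `smb.conf` text after `testparm -s` to see the effective [global] section the way smbd reads it.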


