[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
rowlandpenny at googlemail.com
Wed Dec 31 05:28:14 MST 2014
On 31/12/14 09:56, Rowland Penny wrote:
> On 31/12/14 08:58, Alessandro Briosi wrote:
>>>> Hi, how have you set up the fileserver?
>>>> Is it joined to the domain?
>>>> Can you post your fileserver's smb.conf?
>> OT: Oops, wasn't subscribed to the mailing list :)
>> Yes, server is joined to the domain (otherwise I would not be able to
>> generate the principal)
>> Server configuration follows (only the global part); the winbind config
>> is there because it was used before sssd (I had trouble with library
>> paths on CentOS 7 and sssd)
>> workgroup = DOMAIN
>> realm = AD.DOMAIN.NET
>> security = ads
>> idmap config * : range = 16777216-33554431
>> template shell = /sbin/nologin
>> kerberos method = secrets only
>> netbios name = srvfile1
>> netbios aliases = srvfile
>> reset on zero vc = yes
>> server string =
>> encrypt passwords = yes
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>> idmap config *:backend = tdb
>> idmap config *:range = 10000-20000
>> idmap config DOMAIN:backend = ad
>> idamp config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 0-40000
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = false
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> create mask = 0770
> OK, you can get winbind to update your keytab, you need to alter your
> smb.conf slightly. You need to change 'kerberos method = secrets only'
> to either 'kerberos method = secrets and keytab' or 'kerberos method =
> system keytab' and add the line
> 'dedicated keytab file = /etc/krb5.keytab'.
> You also have a line twice, 'idmap config * : range =
> 16777216-33554431' and 'idmap config *:range = 10000-20000'. You
> really shouldn't start the 'DOMAIN' range with '0'; it also overlaps
> with the second 'idmap config *:range'.
> Remember to restart samba after making the changes.
OOPS, I forgot a line: also add 'winbind refresh tickets = Yes' to smb.conf.
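
The points raised in this thread (keytab maintenance settings, a repeated idmap range, a range starting at 0, overlapping ranges) can be checked mechanically. The following is an added example, not code from the thread's participants or from Samba; the function name `lint_smb_conf` is hypothetical, and the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample: Kerberos and idmap lines taken from the smb.conf quoted in the thread.
SAMPLE = """[global]
kerberos method = secrets only
idmap config * : range = 16777216-33554431
idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 0-40000
"""

RANGE_KEY = re.compile(r"idmap config\s+(\S+?)\s*:\s*range$")
KEYTAB_METHODS = {"secrets and keytab", "system keytab"}  # values named in the reply

def lint_smb_conf(text):
    """Return findings for the keytab and idmap points raised in the thread."""
    params, ranges, findings = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # parameter names ignore case and spacing
        match = RANGE_KEY.match(key)
        if match:
            low, high = (int(n) for n in value.split("-"))
            ranges.append((match.group(1).upper(), low, high))
        else:
            params[key] = value.lower()
    if params.get("kerberos method") not in KEYTAB_METHODS:
        findings.append("kerberos method does not maintain a keytab")
    if "dedicated keytab file" not in params:
        findings.append("dedicated keytab file not set")
    if params.get("winbind refresh tickets") not in ("yes", "true", "1"):
        findings.append("winbind refresh tickets not enabled")
    domains = [dom for dom, _, _ in ranges]
    for dom in sorted(set(domains)):
        if domains.count(dom) > 1:
            findings.append(f"range for {dom} set more than once")
    for i, (dom_a, lo_a, hi_a) in enumerate(ranges):
        if lo_a == 0:
            findings.append(f"range for {dom_a} starts at 0")
        for dom_b, lo_b, hi_b in ranges[i + 1:]:
            if dom_a != dom_b and lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"{dom_a} {lo_a}-{hi_a} overlaps {dom_b} {lo_b}-{hi_b}")
    return findings

if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE):
        print(finding)
```
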