[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 31 10:24:03 MST 2014

On 31/12/14 15:48, Alessandro Briosi wrote:
> Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto:
>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>> system keytab' and add the line
>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to 
>>> smb.conf
>> Alessandro said to use sssd in the original post. Didn't use that so
>> far, but I don't have any evidence that it would read winbind settings
>> from smb.conf.
>> Regards,
>>  - lars.
> Exactly, winbind is not used. It was used as a start, but would prefer 
> to use sssd.
> What I'm not sure is why the kerberos keytab file expires. This does 
> not happen on the DC, but only on this member server.
> I might schedule a script to update the keytab file, though I'm not 
> sure that's the expected behaviour.
> Ciao,
> Alessandro

It expires because it was not created on the member server, having said 
that, sssd should be able to update the keytab, I would suggest that 
sssd is not setup correctly and as such, I think that you need to take 
this problem to the sssd mailing list.

If you decide to use winbind, which I can assure you will work, this can 
be set up to do what you need, see my previous posts


More information about the samba mailing list