[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?
Rowland Penny
rowlandpenny at googlemail.com
Wed Dec 31 10:24:03 MST 2014
On 31/12/14 15:48, Alessandro Briosi wrote:
> On 2014-12-31 16:29, Dr. Lars Hanke wrote:
>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>> system keytab' and add the line
>>>>
>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>
>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>> smb.conf
>>
>> Alessandro said to use sssd in the original post. Didn't use that so
>> far, but I don't have any evidence that it would read winbind settings
>> from smb.conf.
>>
>> Regards,
>> - lars.
>
> Exactly, winbind is not used. It was used as a start, but would prefer
> to use sssd.
>
> What I'm not sure is why the kerberos keytab file expires. This does
> not happen on the DC, but only on this member server.
>
> I might schedule a script to update the keytab file, though I'm not
> sure that's the expected behaviour.
>
> Ciao,
> Alessandro
It expires because it was not created on the member server. Having said
that, sssd should be able to update the keytab. I would suggest that
sssd is not set up correctly and, as such, I think that you need to take
this problem to the sssd mailing list.

If you decide to use winbind, which I can assure you will work, this can
be set up to do what you need; see my previous posts.

Rowland