[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?

Dr. Lars Hanke lars at lhanke.de
Wed Dec 31 11:50:41 MST 2014


On 31.12.2014 at 16:48, Alessandro Briosi wrote:
> On 2014-12-31 16:29, Dr. Lars Hanke wrote:
>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>> system keytab' and add the line
>>>>
>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>
>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>> smb.conf
>>
>> Alessandro said to use sssd in the original post. Didn't use that so
>> far, but I don't have any evidence that it would read winbind settings
>> from smb.conf.
>>
>> Regards,
>>  - lars.
>
> Exactly, winbind is not used. It was used as a start, but I would prefer
> to use sssd.
>
> What I'm not sure about is why the kerberos keytab file expires. This does
> not happen on the DC, but only on this member server.
>
> I might schedule a script to update the keytab file, though I'm not sure
> that's the expected behaviour.

Have a look at k5start. This is a daemon that is made exactly for this
purpose. Maybe it is even installed on the DC due to different package
dependencies of the distro.

Regards,
  - lars.



