[Samba] Problem with "kerberos method = secrets and keytab"

Andreas Hauffe andreas.hauffe at tu-dresden.de
Fri Feb 13 03:26:26 MST 2015

Hi Peter,

thanks for your hints. The point is that no /etc/krb5.conf was generated automatically when
joining the domain (told in the wiki). Now I generated one manually and now it works.

I'm not frustrated at all. I see a lot of advantages for me, even if it doesn't work. Right now we
have a system with Bind9, OpenLDAP, Kerberos, NFS4, Samba3 on the server side. I had to
configure each service separately and then make them work together.

Now all is one service with one wiki and one mailing list, if I'm having trouble. The different 
services inside Samba4 already work together. And up to now I always got feedback from the
samba mailing list. So everything is fine! Thanks to all!!

Best regards
Andreas Hauffe

On Thursday, 12 February 2015, 01:04:59, Peter Serbe wrote:
> Hi Andreas,
> I convinced Rowland to change the wiki like that. You might want to check
> out the thread "Samba4 and sssd, keytab file expires?". Read it, and You
> will understand its implications. Even if it works now, it doesn't mean
> that it will work for long...
> The first thing I would check is the kerberos setup. I would also check,
> whether DNS is OK for both forward and backward directions. Then I would
> either check sssd or winbind (depending on Your installation). It might
> be worthwhile to do all the checks without the offending entry in smb.conf.
> Best regards
> Peter
> PS: it can be pretty frustrating to get it working for the first time.
> But then it is rock solid. It might be a good idea to jump to 4.2.0rc4 -
> nearly all known bugs are fixed... (some might disagree, I am sure...).
> Do You plan to use RFC2307?
> Andreas Hauffe wrote on 11.02.2015 16:39:
> > Hi,
> > 
> > I'm using the smb.conf from
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> > to add a member server as file server to the domain.
> > 
> > If I'm using the original smb.conf with "kerberos method = secrets and
> > keytab", I'm not able to see any share on a Windows Client in the domain.
> > If I use the default "kerberos method = secrets" everything works.
> > 
> > Does anyone have an idea why this happens?
> > 
> > And can someone tell me, why there is a "dedicated keytab file =
> > /etc/krb5.keytab" in the smb.conf. I read that the system keytab is used
> > if "kerberos method = secrets and keytab" was chosen?
