[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 1 03:39:00 MST 2015

On 01/01/15 10:22, Alessandro Briosi wrote:
> On 2014-12-31 18:24 Rowland Penny wrote:
>> It expires because it was not created on the member server, having
>> said that, sssd should be able to update the keytab, I would suggest
>> that sssd is not set up correctly and as such, I think that you need to
>> take this problem to the sssd mailing list.
>> If you decide to use winbind, which I can assure you will work, this
>> can be set up to do what you need, see my previous posts.
>> Rowland
> Ok, thanks for the clarification.
> Winbind works, it was working before (and there's no need for the 
> keytab as it's a member server, imho).
> I'll try generating the keytab on the member server.
> Regards,
> Alessandro

Hi, if you have these two lines in smb.conf:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

Remove /etc/krb5.keytab (if it exists), leave the domain, then re-join 
the domain, the keytab should be created for you (well it always has 
been for me).

If you also have: 'winbind refresh tickets = Yes' in smb.conf, then 
winbind will keep the keytab updated.
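
A check for the three smb.conf settings named in the message above, as an added example that is not part of the original post or of Samba. The function names and the sample configuration are constructed for illustration, and line continuations and include files are not handled.

```python
import re

TRUE_WORDS = {"yes", "true", "1"}  # smb.conf boolean spellings for "on"

# Parameter names with whitespace and case removed, mapped to a test on the value.
EXPECTED = {
    "dedicatedkeytabfile": lambda v: v == "/etc/krb5.keytab",
    "kerberosmethod": lambda v: v.lower() == "secrets and keytab",
    "winbindrefreshtickets": lambda v: v.lower() in TRUE_WORDS,
}

def norm_name(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Collect the [global] parameters, skipping '#' and ';' comment lines."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm_name(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm_name(name)] = value.strip()
    return params

def check_keytab_settings(text):
    """Return {parameter: problem} for every setting that is missing or different."""
    params = parse_global(text)
    problems = {}
    for name, ok in EXPECTED.items():
        if name not in params:
            problems[name] = "not set"
        elif not ok(params[name]):
            problems[name] = "unexpected value: " + params[name]
    return problems

# Constructed sample, not taken from the thread.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    Dedicated Keytab File = /etc/krb5.keytab
    kerberos method = secrets only
    ; winbind refresh tickets = Yes
"""

if __name__ == "__main__":
    for name, problem in check_keytab_settings(SAMPLE).items():
        print(name, "->", problem)
```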

