[Samba] Samba4 and sssd, keytab file expires?

George jorgito1412 at gmail.com
Thu Jan 1 14:04:37 MST 2015


The short answer to this is that Samba changes the machine account password
every 7 days with the default settings.

As you were told, if you join the domain with "kerberos method = secrets
and keytab" on you smb.conf, the generated keytab won't expire.

Another workaround would be to set "machine password timeout = 0"

Best regards.

On Mon, Dec 29, 2014 at 2:29 PM, Alessandro Briosi <tsdogs at briosix.org>

> Hi all.
> I have the following setup:
> 1st dc is on CentOS 6 with Sernet samba 4.1.13
> 2nd dc is on Debian 7 with Sernet samba 4.1.13
> The 2 dc work as expected.
> on CentOS I was able to configure sssd to work
> on Debian I'm using winbind
> Now I have a 3rd server which is CentOS 7 with samba 4.1.1 from CentOS
> repository.
> This system serves as a file server and works ok with samba, but I have a
> few other services (ftp, ssh) which rely on sssd 1.11.2
> I dumped the krb key file from the 1st dc but with the name of the file
> server (as CentOS 7 does not have samba-tool command), then copied it over.
> (command is "samba-tool domain exportkeytab krb5.sssd.keytab
> --principal=$fileserver" )
> sssd on this last server is working for a few days, then it stops
> autenticating system users (ftp, ssh, etc)
> In the logs I get :
> [sssd[ldap_child[1179]]]: Failed to initialize credentials using keytab
> [/etc/sssd/krb5.sssd.keytab]: Preauthentication failed. Unable to create
> GSSAPI-encrypted LDAP connection.
> [sssd[ldap_child[1179]]]: Preauthentication failed
> Even if I restart the service things don't change. The only solution I
> have found so far is regenerating the keytab file.
> It seems that the kerberos principal expires. Is this normal?
> Funny thing is that on the 1st dc I am using sssd too and ssh logins work
> as expected (no need to change the keytab file).
> Anyone seen this before?
> Thanks for your help.
> Alessandro
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list