[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?

Peter Serbe peter at serbe.ch
Thu Jan 15 03:48:32 MST 2015


Hi Rowland, 

this posting ended a lot of grief I had with expired keytabs. 
While this is presumably an issue of sssd, I have no chance to 
attack the issue right at its root*). But rejoining the domain 
with the lines

   dedicated keytab file = /etc/krb5.memberserver.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes

seems to fix it. Phew... 

Maybe you or someone else could put this information in the 
samba wiki. I posted my problem on the mailing list in mid 
December, but didn't get a single response. But here is the 
solution...

So: thank you again!

Best regards
Peter


*) I am on Debian Jessie using Jessie's sssd 1.11.7-2. 
This version of sssd is pretty old, but, well, this is 
Debian. Compiling sssd on Debian is next to impossible. 
At least for me: no luck. 



Rowland Penny wrote on 31.12.2014 18:24:

> On 31/12/14 15:48, Alessandro Briosi wrote:
>> On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>>> system keytab' and add the line
>>>>>
>>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>>
>>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to 
>>>> smb.conf
>>>
>>> Alessandro said to use sssd in the original post. Didn't use that so
>>> far, but I don't have any evidence that it would read winbind settings
>>> from smb.conf.
>>>
>>> Regards,
>>>  - lars.
>>
>> Exactly, winbind is not used. It was used as a start, but would prefer 
>> to use sssd.
>>
>> What I'm not sure is why the kerberos keytab file expires. This does 
>> not happen on the DC, but only on this member server.
>>
>> I might schedule a script to update the keytab file, though I'm not 
>> sure that's the expected behaviour.
>>
>> Ciao,
>> Alessandro
> 
> It expires because it was not created on the member server. Having said 
> that, sssd should be able to update the keytab. I would suggest that 
> sssd is not set up correctly and as such, I think that you need to take 
> this problem to the sssd mailing list.
> 
> If you decide to use winbind, which I can assure you will work, this can 
> be set up to do what you need, see my previous posts
> 
> Rowland
> 
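The thread never shows how to tell a "expired" keytab apart from other Kerberos failures before auth breaks. What actually goes stale is the key version number (kvno): once the machine account password has been rotated in AD and the keytab on the member server has not been rewritten, the KDC issues tickets for a newer kvno than any key in the keytab. The script below is an added example, not code from the thread, from Samba or from sssd. It compares the highest kvno for the host principal in `klist -k` output with the kvno the KDC reports through MIT's `kvno` tool. Assumptions that are mine, not the page's: MIT krb5 client tools (`klist`, `kvno`), the keytab path /etc/krb5.memberserver.keytab from Peter's smb.conf, a REALM environment variable for the live check, an existing TGT in the caller's cache (a stale keytab cannot obtain one, so `kinit` as a domain user first), and the constructed host fs01.example.com / realm EXAMPLE.COM used in the sample output.

```shell
#!/bin/sh
# Added example (not from the Samba thread, Samba or sssd): report whether a
# member server's keytab is stale by comparing the key version number (kvno)
# held in the keytab with the kvno the KDC currently issues for the host
# principal. A keytab whose kvno is behind the KDC is the "expired keytab"
# symptom from the thread.
#
# Assumptions (mine): MIT krb5 tools klist/kvno; keytab path as in the post;
# REALM set in the environment for the live mode; a valid TGT already in the
# credential cache (kinit as a domain user first, since a stale keytab
# cannot kinit itself).

KEYTAB="${KEYTAB:-/etc/krb5.memberserver.keytab}"

# Highest kvno recorded for principal $1 in `klist -k` output read on stdin.
# Data lines look like: "   5 host/fs01.example.com@EXAMPLE.COM"
# Prints 0 when the principal is not present at all.
keytab_kvno() {
    awk -v p="$1" '$2 == p { v = $1 + 0; if (v > max) max = v } END { print max + 0 }'
}

# kvno the KDC issued for principal $1, parsed from `kvno` output on stdin.
# Lines look like: "host/fs01.example.com@EXAMPLE.COM: kvno = 7"
# Prints nothing when the principal is not in the output.
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $NF + 0; exit }'
}

# Exit status: 0 keytab current, 1 keytab stale (behind the KDC),
# 2 unreadable input or keytab ahead of the KDC (should not happen).
check_keytab() {
    kt="$1"; kdc="$2"
    for v in "$kt" "$kdc"; do
        case "$v" in
            ""|*[!0-9]*) echo "error: could not read kvno (keytab='$kt' kdc='$kdc')" >&2; return 2 ;;
        esac
    done
    if [ "$kt" -eq "$kdc" ]; then
        echo "ok: keytab kvno $kt matches the KDC"
        return 0
    elif [ "$kt" -lt "$kdc" ]; then
        echo "STALE: keytab holds kvno $kt but the KDC issues kvno $kdc; regenerate the keytab or rejoin the domain"
        return 1
    else
        echo "UNEXPECTED: keytab kvno $kt is ahead of the KDC kvno $kdc"
        return 2
    fi
}

# Live mode: query the real keytab and the real KDC for this host.
live_check() {
    princ="host/$(hostname -f)@${REALM:?set REALM, e.g. EXAMPLE.COM}"
    kt=$(klist -k "$KEYTAB" | keytab_kvno "$princ")
    kdc=$(kvno "$princ" | kdc_kvno "$princ")
    check_keytab "$kt" "$kdc"
}

# Constructed sample output (not captured from a real system): the keytab
# still holds kvno 5 and 6 while the KDC has moved on to 7, i.e. the stale
# state the thread describes.
SAMPLE_PRINC='host/fs01.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.memberserver.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/fs01.example.com@EXAMPLE.COM
   5 HOST/FS01@EXAMPLE.COM
   6 host/fs01.example.com@EXAMPLE.COM
   6 HOST/FS01@EXAMPLE.COM'
SAMPLE_KVNO='host/fs01.example.com@EXAMPLE.COM: kvno = 7'

# Sample mode: run the comparison over the constructed output above.
sample_check() {
    kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$SAMPLE_PRINC")
    kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno "$SAMPLE_PRINC")
    check_keytab "$kt" "$kdc"
}

status=0
case "${1:-sample}" in
    live)   live_check || status=$? ;;
    sample) sample_check || status=$? ;;
    *)      echo "usage: $0 [sample|live]" >&2; status=2 ;;
esac
echo "result: $status (0 current, 1 stale, 2 error)"
```

Run it with no argument to see the constructed stale case, or `REALM=EXAMPLE.COM sh keytab-check.sh live` on the member server after a `kinit` as a domain user. A result of 1 is exactly the situation Peter hit; the fix on the Samba side is the smb.conf change quoted above (`kerberos method`, `dedicated keytab file`, `winbind refresh tickets`) so that winbind rewrites the keytab whenever the machine password changes, after which the check should return 0 again. Note that `klist -k` without `-e` is used on purpose: with enctype columns the principal would no longer be the second field.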


