[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 15 04:14:15 MST 2015

On 15/01/15 10:48, Peter Serbe wrote:
> Hi Rowland,
> this posting ended a lot of grief I had with expired keytabs.
> While this is presumably an issue of sssd, I have no chance to
> attack the issue right at its root*). But rejoining the domain
> with the lines
>     dedicated keytab file = /etc/krb5.memberserver.keytab
>     kerberos method = secrets and keytab
>     winbind refresh tickets = Yes
> seems to fix it. Phew...
> Maybe you or someone else could put this information in the
> samba wiki. I posted my problem on the mailing list in mid
> December, but didn't get a single response. But here is the
> solution...
> So: thank you again!
> Best regards
> Peter
> *) I am on Debian Jessie using Jessie's sssd 1.11.7-2.
> This version of sssd is pretty old, but, well, this is
> Debian. Compiling sssd on Debian is next to impossible.
> At least for me: no luck.
> Rowland Penny schrieb am 31.12.2014 18:24:
>> On 31/12/14 15:48, Alessandro Briosi wrote:
>>> Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto:
>>>>>> OK, you can get winbind to update your keytab; you need to alter your
>>>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>>>> system keytab' and add the line
>>>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>>>> smb.conf
>>>> Alessandro said to use sssd in the original post. Didn't use that so
>>>> far, but I don't have any evidence that it would read winbind settings
>>>> from smb.conf.
>>>> Regards,
>>>>   - lars.
>>> Exactly, winbind is not used. It was used as a start, but would prefer
>>> to use sssd.
>>> What I'm not sure about is why the kerberos keytab file expires. This does
>>> not happen on the DC, but only on this member server.
>>> I might schedule a script to update the keytab file, though I'm not
>>> sure that's the expected behaviour.
>>> Ciao,
>>> Alessandro
>> It expires because it was not created on the member server. Having said
>> that, sssd should be able to update the keytab; I would suggest that
>> sssd is not set up correctly and as such, I think that you need to take
>> this problem to the sssd mailing list.
>> If you decide to use winbind, which I can assure you will work, this can
>> be set up to do what you need; see my previous posts.
>> Rowland
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
I have updated the member server page on the wiki as per Peter's advice.
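The three smb.conf lines the thread settles on, together with a check an admin can run against a member server's smb.conf before rejoining. This is an added example and is not code from the thread, from the Samba wiki or from the Samba project. It assumes the winbind route Rowland recommends rather than sssd; the helper names (smbconf_global_get, keytab_refresh_ok, write_samples), the sample smb.conf files and the names SAMDOM / SAMDOM.EXAMPLE.COM are constructed here, and the keytab path is the one Peter used. Besides the two 'kerberos method' values Rowland named, the checker also accepts 'dedicated keytab', a documented value that points Samba at the file named by 'dedicated keytab file'; that addition is the example's own, not something the thread discusses.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: check whether an
# smb.conf [global] section carries the settings the thread arrives at, so
# that winbind (not sssd) keeps the member server's keytab current.
# Sample configs are constructed below; SAMDOM / SAMDOM.EXAMPLE.COM are
# placeholders, the keytab path is the one Peter used.

# Print the value of one [global] parameter. smb.conf parameter names are
# case-insensitive and ignore internal whitespace, so both are normalised;
# comment lines (# or ;) and other sections ([homes], shares) are ignored.
# Prints nothing when the parameter is not set.
smbconf_global_get() {
    # $1 = path to smb.conf, $2 = parameter name
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { section = tolower($0); gsub(/[][ \t]/, "", section); next }
        section == "global" && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", name); name = tolower(name)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (name == want) { print val; exit }
        }' "$1"
}

# Return 0 when the config lets winbind maintain the keytab, 1 otherwise,
# printing one line per missing piece. With 'secrets only' (the default) the
# machine password lives in secrets.tdb alone, so a keytab copied onto the
# host is never rewritten when the machine password changes and its keys
# stop matching what the DC holds.
keytab_refresh_ok() {
    conf="$1"; ok=0
    method=$(smbconf_global_get "$conf" "kerberos method" | tr 'A-Z' 'a-z')
    case "$method" in
        "secrets and keytab"|"system keytab"|"dedicated keytab") ;;
        *) echo "kerberos method = '${method:-<unset>}': winbind will not write the keytab"; ok=1 ;;
    esac
    keytab=$(smbconf_global_get "$conf" "dedicated keytab file")
    [ -n "$keytab" ] || { echo "dedicated keytab file is unset"; ok=1; }
    refresh=$(smbconf_global_get "$conf" "winbind refresh tickets" | tr 'A-Z' 'a-z')
    case "$refresh" in
        yes|true|1) ;;
        *) echo "winbind refresh tickets = '${refresh:-<unset>}': winbind will not renew user tickets"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample configs (not from the thread): the first is a join left
# at the default 'secrets only'; the second adds the three lines from Peter's
# post, with mixed case and a comment line to exercise the parser.
write_samples() {
    # $1 = directory to write weak.conf and fixed.conf into
    cat > "$1/weak.conf" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    kerberos method = secrets only
[homes]
    read only = no
EOF
    cat > "$1/fixed.conf" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    ; let winbind maintain the keytab
    Dedicated Keytab File = /etc/krb5.memberserver.keytab
    Kerberos Method = Secrets and Keytab
    winbind refresh tickets = Yes
EOF
}

# Stand-alone run: weak.conf fails with three findings, fixed.conf passes.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak fixed; do
    if keytab_refresh_ok "$demo_dir/$f.conf"; then
        echo "$f.conf: winbind can keep the keytab current"
    else
        echo "$f.conf: fix smb.conf, then rejoin"
    fi
done
rm -rf "$demo_dir"
```

On a real member server, run the checker on the output of `testparm -s` rather than the raw file if smb.conf pulls in includes, since testparm prints the effective values. After rejoining, `klist -k /etc/krb5.memberserver.keytab` lists the principals and key version numbers in the keytab; if the KVNO there stops advancing after a machine password change while winbind is running, the settings have not taken effect. Those two commands are standard Samba and Kerberos tools and are not exercised by the script above.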

