[Samba] sssd keytab bug
William Stuart
william at hae.com
Thu Mar 24 17:55:14 UTC 2016
Hello,
This one is nasty...
I followed the documentation on configuring sssd:
https://wiki.samba.org/index.php/Sssd
In the section on extracting the keytab, it says:
- Extract the keytab for a domain account (you can use the machines[sic]
account for that, too) and make sure it is readable only by root. The
following example uses the machine account of the host „DC1“
So, I used the keytab for my domain controller, and shared it with a couple
of file servers. Here is the really bizarre thing: if I use the DC's
keytab, and I configure sssd to point to a DC other than the DC the keytab
file is from, it will update the DC's IP address in DNS to the file
server's IP address.
Let me give you an example:
- Use DC1 to create the keytab: "samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=dc1$"
- configure sssd to point to DC2 on FS1:
[sssd]
config_file_version = 2
domains = DOMAIN.COM
services = nss, pam
debug_level=6
[domain/DOMAIN.COM]
enumerate = true
ad_domain = DOMAIN.COM
krb5_realm = DOMAIN.COM
cache_credentials = True
id_provider = ad
ad_hostname = dc2.domain.com
ad_server = dc2.domain.com
ad_domain = domain.com
ldap_id_mapping = False
access_provider = ad
krb5_keytab=/etc/krb5.sssd.keytab
debug_level=6
- service sssd restart
- Now, DC2 has its A record changed to match the IP address of FS1
It took me a week to figure out what was going on. Using the principal of
the file server does not trigger this bug. Please add a note to the sssd
wiki page recommending the *file server's* machine account.
This occurs in Samba 4.3.4 and Samba 4.4.0. My version of sssd is
1.12.4-47.el6_7.7 running on CentOS 6.7.
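The following check is an added example and is not code from the original post, the Samba wiki or sssd. It reads an sssd.conf and flags an ad_hostname that names a host other than the machine it runs on while dynamic DNS updates are still enabled (sssd's AD provider updates DNS by default; dyndns_update = false turns it off), and it checks that the keytab named by krb5_keytab is mode 600 or 400 as the wiki requires. The host names fs1.domain.com and dc2.domain.com, the temporary paths and the two configuration files are constructed for the demonstration; the lint only reads the configuration and does not inspect which principal the keytab actually holds.

```shell
#!/bin/sh
# Added example, not code from the original post, the Samba wiki or sssd.
# Lints an sssd.conf for the setup the post describes: ad_hostname naming
# another host while sssd's AD provider still performs dynamic DNS updates
# (the default unless dyndns_update = false), plus the wiki's requirement
# that the keytab be readable by root only. Names and paths are constructed.

# conf_get FILE KEY -> value of the last "KEY = value" line in FILE, or empty
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_sssd_conf FILE FQDN -> prints one finding per line; returns 1 if any
check_sssd_conf() {
    conf=$1
    fqdn=$2
    findings=0
    ad_hostname=$(conf_get "$conf" ad_hostname)
    dyndns=$(conf_get "$conf" dyndns_update | tr 'A-Z' 'a-z')
    kt=$(conf_get "$conf" krb5_keytab)

    # The A record sssd registers is ad_hostname's. A foreign ad_hostname plus
    # a keytab whose principal is allowed to update DNS therefore rewrites
    # that other host's record with this machine's address.
    if [ -n "$ad_hostname" ] && [ "$ad_hostname" != "$fqdn" ] \
        && [ "$dyndns" != "false" ]; then
        echo "ad_hostname '$ad_hostname' is not this host ($fqdn) and dyndns_update is not false"
        findings=$((findings + 1))
    fi

    if [ -n "$kt" ]; then
        if [ ! -f "$kt" ]; then
            echo "krb5_keytab $kt does not exist"
            findings=$((findings + 1))
        else
            # GNU stat first, BSD stat as a fallback
            mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
            case "$mode" in
                600|400) ;;
                *) echo "krb5_keytab $kt has mode $mode; expected 600 or 400 (root only)"
                   findings=$((findings + 1)) ;;
            esac
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Constructed demo: the post's configuration next to a corrected one that
# names the file server itself (and, as the post concludes, would use the
# file server's own machine-account keytab).
make_demo_confs() {
    demo_dir=$(mktemp -d)
    demo_keytab="$demo_dir/krb5.sssd.keytab"
    : > "$demo_keytab"
    chmod 600 "$demo_keytab"
    bad_conf="$demo_dir/sssd-as-posted.conf"
    good_conf="$demo_dir/sssd-fixed.conf"
    cat > "$bad_conf" <<EOF
[domain/DOMAIN.COM]
id_provider = ad
ad_domain = domain.com
ad_hostname = dc2.domain.com
ad_server = dc2.domain.com
krb5_keytab=$demo_keytab
EOF
    cat > "$good_conf" <<EOF
[domain/DOMAIN.COM]
id_provider = ad
ad_domain = domain.com
ad_hostname = fs1.domain.com
ad_server = dc2.domain.com
krb5_keytab = $demo_keytab
EOF
}

make_demo_confs
trap 'rm -rf "$demo_dir"' EXIT
for c in "$bad_conf" "$good_conf"; do
    echo "== $c"
    check_sssd_conf "$c" fs1.domain.com && echo "no findings"
done
```

On a real file server run it as check_sssd_conf /etc/sssd/sssd.conf "$(hostname -f)". To see which principal a keytab actually carries, use klist -kt /etc/krb5.sssd.keytab; on a file server that should be the file server's own machine account, not a domain controller's. Setting dyndns_update = false is a second, independent guard against sssd touching DNS at all.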