[Samba] sssd keytab bug

William Stuart william at hae.com
Thu Mar 24 17:55:14 UTC 2016


This one is nasty...

I followed the documentation on configuring sssd:

In the section on extracting the keytab, it says:

   - Extract the keytab for a domain account (you can use the machines[sic]
   account for that, too) and make sure it is readable only by root. The
   following example uses the machine account of the host „DC1“

So, I used the keytab for my domain controller, and shared it will a couple
of file servers.  Here is the really bizarre thing, if I use the DC's
keytab, and I configure sssd to a DC other than the DC the keytab file is
from, it will update the DC's ip address in DNS to the fileserver's ip

Let me give you an example:

   - Use DC1 to create keytab: "samba-tool domain exportkeytab
   /etc/krb5.sssd.keytab --principal=dc1$"
   - configure sssd to point to DC2 on FS1:


config_file_version = 2

domains = DOMAIN.COM

services = nss, pam



enumerate = true

ad_domain = DOMAIN.COM

krb5_realm = DOMAIN.COM

cache_credentials = True

id_provider = ad

ad_hostname = dc2.domain.com

ad_server = dc2.domain.com

ad_domain = domain.com

ldap_id_mapping = False

access_provider = ad



   - service sssd restart
   - Now, DC2 has it's A record changed to match the IP address of FS1

Took me a week to figure out this was going on.  Using the principal of the
file server does not trigger this bug.  Please add a note to the sssd wiki
page recommending the *file server's* machine account.

This occurs in Samba 4.3.4 and Samba 4.4.0.  My version of sssd is
1.12.4-47.el6_7.7 running on CentOS 6.7.

More information about the samba mailing list