[Samba] sssd keytab bug

Sketch smblist at rednsx.org
Thu Mar 24 18:16:26 UTC 2016

On Thu, 24 Mar 2016, William Stuart wrote:

> So, I used the keytab for my domain controller, and shared it with a couple
> of file servers.  Here is the really bizarre thing, if I use the DC's
> keytab, and I configure sssd to a DC other than the DC the keytab file is
> from, it will update the DC's ip address in DNS to the fileserver's ip
> address.

I believe you are telling it to do this:

> [sssd]
> ad_hostname = dc2.domain.com
> ad_server = dc2.domain.com
>   - service sssd restart
>   - Now, DC2 has its A record changed to match the IP address of FS1

ad_server tells sssd the server(s) to connect to for authentication 
services.  ad_hostname sets the _local_ machine's hostname.  Setting 
ad_hostname is probably triggering a dynamic DNS update to set 
dc2.domain.com to FS1's IP address.

That said, I haven't tested this as I use the sssd-ldap provider rather 
than ad, because the ad provider did not exist in CentOS 6.5 when I 
initially set up my current domain.

One other thing that stands out as odd to me here:

> Let me give you an example:
>   - Use DC1 to create keytab: "samba-tool domain exportkeytab
>   /etc/krb5.sssd.keytab --principal=dc1$"
>   - configure sssd to point to DC2 on FS1:

If you're pointing sssd at DC2, wouldn't it make more sense to export the 
credentials for DC2, rather than DC1?  Or even better, export all of your 
DC's credentials to the same keytab file.  This way, if you ever replace 
one, sssd will continue to function properly.  You can export multiple 
credentials to the same file by running the same command and changing the 
--principal option.  Each run will append to the existing file rather than 
overwriting it with a new one.
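An added example (not from the original post, and not Samba or SSSD code) of what "several principals in one keytab file" looks like on disk and how to check it. It builds an in-memory MIT keytab the way two successive `samba-tool domain exportkeytab --principal=...` runs would leave it (the reply states each run appends an entry), then lists the principals it holds, which is the check `klist -kt /etc/krb5.sssd.keytab` performs on a real file. The realm DOMAIN.COM, the principals dc1$ and dc2$, the kvno values and the key bytes are constructed for illustration and are not real credentials.

```python
"""Build and inspect an MIT-format keytab (format version 0x0502)."""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"          # keytab format version 2 (the MIT default)
NT_PRINCIPAL = 1                     # KRB5_NT_PRINCIPAL name type
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18   # enctype number from RFC 3962


def keytab_entry(principal, realm, kvno, etype, key, timestamp):
    """Serialize one keytab entry: int32 length followed by the entry body."""
    components = principal.split("/")
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)   # 32-bit kvno trailer (newer MIT layout)
    return struct.pack(">i", len(body)) + body


def export_append(keytab, principal, realm, kvno, key):
    """Mimic one exportkeytab run: create the file if it is empty,
    otherwise append the new entry after the existing ones."""
    if not keytab:
        keytab = KEYTAB_MAGIC
    if keytab[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    return keytab + keytab_entry(principal, realm, kvno,
                                 ETYPE_AES256_CTS_HMAC_SHA1_96, key,
                                 int(time.time()))


def parse_keytab(data):
    """Yield (principal@REALM, kvno, enctype) per entry, like `klist -kt`."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted entry; skip it
            pos += -size
            continue
        end = pos + size
        body = data[pos:end]
        off = 0
        (ncomp,) = struct.unpack_from(">H", body, off); off += 2
        (rlen,) = struct.unpack_from(">H", body, off); off += 2
        realm = body[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", body, off); off += 2
            comps.append(body[off:off + clen].decode()); off += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", body, off); off += 9
        etype, klen = struct.unpack_from(">HH", body, off); off += 4 + klen
        kvno = vno8
        if off + 4 <= len(body):  # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", body, off)
            if kvno32:
                kvno = kvno32
        yield "/".join(comps) + "@" + realm, kvno, etype
        pos = end


def list_principals(data):
    """Sorted, de-duplicated principal names found in the keytab."""
    return sorted({p for p, _, _ in parse_keytab(data)})


# Constructed sample: two exports into the same file, as the reply recommends.
FAKE_KEY = bytes(range(32))   # placeholder bytes, not a real AES key
sample = export_append(b"", "dc1$", "DOMAIN.COM", 3, FAKE_KEY)
sample = export_append(sample, "dc2$", "DOMAIN.COM", 5, FAKE_KEY)

if __name__ == "__main__":
    for principal, kvno, etype in parse_keytab(sample):
        print(f"{kvno:4d} {principal}  (etype {etype})")
```

Running it prints one line per entry, kvno first, in the same order `klist -kt` would. The same parser run over a file server's real keytab tells you exactly which machine accounts' keys that host carries, which is worth checking before copying a keytab between machines.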
