[Samba] sssd keytab bug
Sketch
smblist at rednsx.org
Thu Mar 24 18:16:26 UTC 2016
On Thu, 24 Mar 2016, William Stuart wrote:
> So, I used the keytab for my domain controller, and shared it with a couple
> of file servers. Here is the really bizarre thing, if I use the DC's
> keytab, and I configure sssd to a DC other than the DC the keytab file is
> from, it will update the DC's ip address in DNS to the fileserver's ip
> address.
I believe you are telling it to do this:
> [sssd]
> ad_hostname = dc2.domain.com
> ad_server = dc2.domain.com
>
> - service sssd restart
> - Now, DC2 has its A record changed to match the IP address of FS1
ad_server tells sssd the server(s) to connect to for authentication
services. ad_hostname sets the _local_ machine's hostname. Setting
ad_hostname is probably triggering a dynamic DNS update to set
dc2.domain.com to FS1's IP address.
That said, I haven't tested this as I use the sssd-ldap provider rather
than ad, because the ad provider did not exist in CentOS 6.5 when I
initially set up my current domain.
One other thing that stands out as odd to me here:
> Let me give you an example:
>
> - Use DC1 to create keytab: "samba-tool domain exportkeytab
> /etc/krb5.sssd.keytab --principal=dc1$"
> - configure sssd to point to DC2 on FS1:
If you're pointing sssd at DC2, wouldn't it make more sense to export the
credentials for DC2, rather than DC1? Or even better, export all of your
DC's credentials to the same keytab file. This way, if you ever replace
one, sssd will continue to function properly. You can export multiple
credentials to the same file by running the same command and changing the
--principal option. Each run will append to the existing file rather than
overwriting it with a new one.
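As an added illustration of the two points made in this reply (this is example code, not from the original thread, sssd or Samba): a small POSIX sh lint that flags an sssd.conf whose ad_hostname names a different machine while dynamic DNS updates are on, and that checks a `klist -k` listing for the machine principal of the host sssd will claim to be. The host names, file paths, the sample sssd.conf files and the sample klist output are constructed for the example; the options are placed in the [domain/...] section, which is where sssd reads them. The script assumes the AD provider's documented default of dyndns_update = true when the option is unset, and assumes the machine principal has the form HOSTNAME$@REALM as samba-tool exportkeytab produces it.

```shell
#!/bin/sh
# Added example, not code from the original thread, sssd or Samba.
# Lints an sssd.conf for the failure the thread describes (ad_hostname naming
# another machine while dynamic DNS updates are on) and checks that a
# `klist -k` listing contains the principal for the host sssd will act as.

# Print the value of key $2 from the [domain/...] section of sssd.conf $1.
# Assumes a single domain section and "key = value" syntax.
sssd_domain_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_domain = ($0 ~ /^[ \t]*\[domain\//); next }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); sub("[ \t]+$", ""); print; exit
        }' "$1"
}

# Exit 0 if the config is safe, 1 if sssd would publish this host's address
# under another machine's name.  $1 = sssd.conf, $2 = this host's FQDN
# (what `hostname -f` prints; passed in so the check runs anywhere).
check_ad_hostname() {
    adh=$(sssd_domain_value "$1" ad_hostname)
    dyn=$(sssd_domain_value "$1" dyndns_update)
    [ -z "$adh" ] && return 0                 # unset: sssd uses the local name
    [ "$adh" = "$2" ] && return 0             # names this host: fine
    [ -z "$dyn" ] && dyn=true                 # AD provider default (assumed here)
    case "$dyn" in
        [Ff][Aa][Ll][Ss][Ee]) return 0 ;;     # no DNS update, nothing overwritten
    esac
    echo "WARNING: ad_hostname=$adh is not $2 and dyndns_update=$dyn:" \
         "sssd will register this host's IP under $adh" >&2
    return 1
}

# Exit 0 if the `klist -k` output in file $1 lists the machine principal for
# host $2: short name upper-cased plus '$' (assumption: FS1$@DOMAIN.COM).
keytab_has_host_principal() {
    short=$(printf '%s' "$2" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    grep -q "^ *[0-9][0-9]* *$short\\\$@" "$1"
}

# Constructed sample inputs: the thread's configuration, and a corrected one
# that names the file server itself and lists both DCs in ad_server.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/broken.conf" <<'EOF'
[sssd]
domains = domain.com
services = nss, pam
[domain/domain.com]
id_provider = ad
ad_hostname = dc2.domain.com
ad_server = dc2.domain.com
krb5_keytab = /etc/krb5.sssd.keytab
EOF
cat > "$tmp/fixed.conf" <<'EOF'
[sssd]
domains = domain.com
services = nss, pam
[domain/domain.com]
id_provider = ad
ad_hostname = fs1.domain.com
ad_server = dc1.domain.com, dc2.domain.com
krb5_keytab = /etc/krb5.sssd.keytab
EOF
# Constructed `klist -k /etc/krb5.sssd.keytab` output for a keytab that holds
# both DC accounts and the file server's own account.
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DC1$@DOMAIN.COM
   1 DC2$@DOMAIN.COM
   2 FS1$@DOMAIN.COM
EOF

if check_ad_hostname "$tmp/broken.conf" fs1.domain.com; then
    echo "broken.conf: ok"
else
    echo "broken.conf: would rewrite another host's A record"
fi
check_ad_hostname "$tmp/fixed.conf" fs1.domain.com && echo "fixed.conf: ok"
keytab_has_host_principal "$tmp/klist.txt" fs1.domain.com && echo "keytab has FS1\$"
```

On a real host, point the two functions at /etc/sssd/sssd.conf, `hostname -f` and the output of `klist -k /etc/krb5.sssd.keytab` instead of the constructed files; the keytab check is the quick way to confirm that repeated samba-tool exportkeytab runs really did append each DC's principal rather than replace the file.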