[Samba] wiki change request. page missing in index.
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 8 14:39:51 UTC 2017
I noticed the following.
When you go to :
https://wiki.samba.org/index.php/User_Documentation
search site: keytab, nothing :-(
I can't find anything about keytabs (not at first sight), which I needed...
but there is this page (google was your friend): https://wiki.samba.org/index.php/Generating_Keytabs
Can someone add this in the Advanced section and make changes where needed.
After this part, or if you have a better place, but it's useful info imho.
........
This should print something like this:
'ACCOUNTNAME' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
-------- ^^^^ already on wiki -----
A sAMAccount name can be the hostname of a computer
Then you use: net ads enctypes set HOSTNAME$
! Point of attention: HOSTNAME$.
The hostname in "how it's defined in your smb.conf", and after you checked the current keytab file.
(klist -ke or klist -ke /path_to/your.keytab_file)
If the hostname is lowercased, and the netbios name is UPPERCASED, your auth will fail.
for example :
kinit -k hostname$ /etc/krb5.keytab not working
but :
kinit -k HOSTNAME$ /etc/krb5.keytab working
How to use these settings in smb.conf, also a point of attention, this example is not the Samba default:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
Please read man smb.conf so you know what these 2 settings exactly do.
For example, the dedicated keytab file setting is used when you also need extra UPN/SPNs.
This depends on how you use it and how you configure it. NFS is such an example.
The hostname is also used in smb.conf: netbios name = .....
The default is to adopt the hostname of the server (in caps).
( check: testparm -vs | grep "netbios name" )
Check your keytab file.
klist -ke | sort (use sort because it makes it easier to see what is missing where, for example to check if you have 5 encryption types.)
net ads keytab create ( used on a domain member )
This recreates the keytab file, based on the location of dedicated keytab file, in this example, /etc/krb5.keytab
Back up your old keytab file, stop samba/winbind, and recreate the new one.
If you did not define dedicated keytab file, the keytab file is in /var/lib/samba/private/secret.keytab (on Debian)
! Tip: if you add UPN/SPNs to an account (for example HOSTNAME$),
the recreated keytab now also contains your new SPN/UPN.
Check again if all encryptions are there.
And check your rights on the keytab file.
chmod 640 /etc/krb5.keytab (it's created on Debian with 600, I need 640)
Greetz,
Louis
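
Added example, not part of the original post: a shell function that reads klist -ke output and reports a machine principal stored in the wrong case or with encryption types missing, the two keytab checks described above. The entry line format, the enctype names in EXPECTED, the function names and both sample listings are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes each klist -ke entry
# looks like "   2 PRINCIPAL@REALM (enctype-name)"; enctype naming differs
# between Kerberos versions, so adjust EXPECTED to match your klist.
EXPECTED="des-cbc-crc des-cbc-md5 arcfour-hmac aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"

# usage: klist -ke | check_keytab NETBIOSNAME
check_keytab() {
    awk -v want="$1\$" -v expected="$EXPECTED" '
    $1 ~ /^[0-9]+$/ && NF >= 3 {
        split($2, p, "@")                   # p[1] = principal without realm
        enc = $3; gsub(/[()]/, "", enc)     # strip the parentheses
        if (p[1] == want) seen[enc] = 1     # exact-case match only
        else if (toupper(p[1]) == toupper(want)) wrongcase[p[1]] = 1
    }
    END {
        rc = 0
        for (name in wrongcase) { print "CASE MISMATCH: " name " (expected " want ")"; rc = 1 }
        total = split(expected, e, " ")
        for (i = 1; i <= total; i++)
            if (!(e[i] in seen)) { print "MISSING: " want " " e[i]; rc = 1 }
        if (rc == 0) print "OK: " want " has all " total " encryption types"
        exit rc
    }'
}

# Constructed sample listings (not real klist output).
sample_good() { cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 HOSTNAME$@EXAMPLE.COM (des-cbc-crc)
   2 HOSTNAME$@EXAMPLE.COM (des-cbc-md5)
   2 HOSTNAME$@EXAMPLE.COM (arcfour-hmac)
   2 HOSTNAME$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 HOSTNAME$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}
sample_bad() { cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 hostname$@EXAMPLE.COM (arcfour-hmac)
   2 hostname$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}

sample_good | check_keytab HOSTNAME
sample_bad  | check_keytab HOSTNAME || true
```

On a real domain member, pipe klist -ke into check_keytab with the value that testparm -vs reports for netbios name.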