[Samba] DRS stopped working after upgrade from debian Jessie to Stretch
Andrew Bartlett
abartlet at samba.org
Tue Jun 20 19:29:08 UTC 2017
On Tue, 2017-06-20 at 10:35 +0200, L.P.H. van Belle via samba wrote:
> Hai,
>
> Just saying samba does not use /etc/krb5.keytab is not totally correct.
As an AD DC, we don't use it.
> A lot of setups use the setting : dedicated keytab file = /etc/krb5.keytab
> Because systemd defaults point to /etc/krb5.keytab.
Sure, but that is not used by the AD DC.
> From his logs:
> Failed to find
> FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
>
> And from his command (klist -k : Keytab name: FILE:/etc/krb5.keytab ) the above server is found.
> Only the HOST/SPN entry is missing.
>
> This looks like that :
> dedicated keytab file = /etc/krb5.keytab
> was in smb.conf but is gone now, or a symlink is replaced by a keytab file /etc
> I suspect last one due to the upgrade.
I'm not disputing that the OP may have copied the keytab. It still
won't change what path the Samba AD DC will use.
> In this case, export the spn's again and check if host/spn and NETBIOSNAME$@SPN exist.
> use ktutil to import all entries from both keytab files and export the one you need back.
That won't change Samba to use /etc/krb5.keytab as an AD DC, nor should
it. It might impact if NFS is in operation, but that is a secondary
task at this point.
I'm being so blunt because:
- Samba is internally inconsistent on this point
and
- Samba folklore spreads like wildfire
Sorry,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
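An added diagnostic script, not part of the thread, that checks the principal and kvno named in the quoted "Failed to find ... in keytab" error against `klist -k` listings of both keytab files discussed above. The two embedded listings are constructed for illustration; real `klist -k` output is used only when the tool and file are present.

```shell
#!/bin/sh
# Constructed sample listings mirroring the thread: /etc/krb5.keytab holds the
# DC account at kvno 2, while secrets.keytab (the file the AD DC actually reads)
# only has an older kvno, so the DC's lookup fails.
SAMPLE_ETC='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   2 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR'
SAMPLE_SECRETS='Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ---------------------------------------------------------------
   1 FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR'

# has_entry LISTING PRINCIPAL KVNO: succeed if a "kvno principal" row matches.
# Rows whose first field is numeric are keytab entries; the principal is the
# last field (fits MIT "KVNO Principal" and Heimdal "Vno Type Principal").
has_entry() {
    printf '%s\n' "$1" | awk -v want_p="$2" -v want_k="$3" '
        $1 ~ /^[0-9]+$/ && $1 == want_k && $NF == want_p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# entry_status LISTING PRINCIPAL KVNO: prints "present" or "missing".
entry_status() {
    if has_entry "$1" "$2" "$3"; then echo present; else echo missing; fi
}

# listing_for PATH: real `klist -k` output when the tool and file exist,
# otherwise the constructed sample for that path, so the script runs offline.
listing_for() {
    if command -v klist >/dev/null 2>&1 && [ -r "$1" ]; then
        klist -k "$1"
    elif [ "$1" = /etc/krb5.keytab ]; then
        printf '%s\n' "$SAMPLE_ETC"
    else
        printf '%s\n' "$SAMPLE_SECRETS"
    fi
}

# Principal and kvno taken from the error line quoted in the thread.
PRINC='FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR'
KVNO=2
for kt in /var/lib/samba/private/secrets.keytab /etc/krb5.keytab; do
    printf '%-45s %s\n' "$kt" "$(entry_status "$(listing_for "$kt")" "$PRINC" "$KVNO")"
done
```

With the constructed samples the secrets.keytab line reports "missing", which is the condition the Samba log line describes; copying entries into /etc/krb5.keytab does not change that result because the AD DC does not read that file.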