[Samba] Samba and keytab file creation

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Mar 30 00:52:27 UTC 2017

I am working on trying to set up Solaris 11 and Linux clients as Samba domain members with a Win 2008 AD domain controller/directory server.  I am also trying to configure Kerberos for Unix-level authentication.

I am unclear if Samba can create a keytab file or only use a previously created one.

With Solaris, there is a "kclient" command that creates the machine account on the server and then creates a krb5.keytab on the client machine.  As per earlier e-mails, I found that with Solaris the Kerberos client and Samba (4.4.8) expected different locations for the krb5.keytab file.  Both the Samba "net join" and the Solaris "kclient" command will update the computer account password, which requires that the Kerberos client and Samba use the same keytab file.

Setting the following in smb.conf on Solaris didn't seem to have an effect.

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab

On Linux (Fedora Core 25, Samba 4.5.6) I am trying to figure out if/how I can get Samba to create the krb5.keytab file.  By default it doesn't create one.

I set 
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab

in the smb.conf BUT no file gets created when I join the domain.  (The machine account is created in the AD domain.)

Setting the following in smb.conf doesn't seem to help either.

        kerberos method = system keytab

The ktpass utility on Windows is very limited when trying to create a keytab file with multiple service principals.  

I appreciate any advice.


-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com] 
Sent: Tuesday, March 21, 2017 8:57 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Joining Samba4 to Win 2008 AD domain breaks other kerberos functions

On 03/16/17 15:01, Rowland Penny via samba wrote:
> On Thu, 16 Mar 2017 14:48:01 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>> Samba expects the keytab file as /etc/krb5.keytab.
>> Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab
>> When samba joins the domain it (probably) updates the machine
>> password and then updates its krb5.keytab file.       When connecting
>> via ssh, the system would use a keytab file that had the wrong kvno 
>> and probably the wrong password key.
>> The following symlink command fixed ssh logins
>>       ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab
> Did you try:
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5/krb5.keytab
> Rowland

I did.  It seemed to be ignored.  When I join Samba to a domain, I 
don't know if it will update an existing keytab file or overwrite 
it.  The symlink seemed an easy workaround.
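The failure described in this thread (ssh logins breaking after a join because the system Kerberos library read a keytab whose kvno no longer matched the machine account) is easy to confirm before it bites. The following script is an added example written for this page, not code from the poster or from the Samba project. It parses the output of MIT Kerberos "klist -kte" for two keytab files (the one Samba rewrites on join and the one the OS Kerberos client actually reads), reports every principal whose key in the second file is older than, or missing from, the first, and checks whether the two paths already resolve to the same file (as they do after the symlink mentioned above). The two listings, hostnames, realm and timestamps are constructed sample data in the klist -kte layout, not captured from the systems in the thread.

```python
import os
import re

# Constructed sample output in the MIT Kerberos "klist -kte" layout
# (KVNO, timestamp, principal, enctype). Hostname, realm and dates are
# assumed for the example. The first listing stands for the keytab Samba
# rewrote on "net ads join"; the second for the file the Solaris Kerberos
# library was still reading.
SAMBA_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/21/2017 08:57:00 host/solaris11.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/21/2017 08:57:00 host/solaris11.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 03/21/2017 08:57:00 SOLARIS11$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/21/2017 08:57:00 cifs/solaris11.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

SYSTEM_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/16/2017 14:48:00 host/solaris11.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 03/16/2017 14:48:00 SOLARIS11$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: kvno, date, time, principal, "(enctype)".
# Header, separator and "Keytab name:" lines do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(listing):
    """Return {principal: highest kvno present} from klist -kte text."""
    kvnos = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        kvnos[principal] = max(kvno, kvnos.get(principal, 0))
    return kvnos


def stale_principals(fresh_listing, used_listing):
    """Principals whose key in the keytab the system actually uses is older
    than (or absent from) the keytab that was rewritten on join.

    Returns {principal: (kvno in fresh keytab, kvno in used keytab or None)}.
    An empty dict means the used keytab is at least as current for every
    principal and Kerberos logins should not fail on kvno."""
    fresh = parse_klist(fresh_listing)
    used = parse_klist(used_listing)
    stale = {}
    for principal, kvno in fresh.items():
        used_kvno = used.get(principal)
        if used_kvno is None or used_kvno < kvno:
            stale[principal] = (kvno, used_kvno)
    return stale


def same_keytab(path_a, path_b):
    """True when both paths resolve to one file (e.g. through a symlink), so
    a join that rewrites one of them cannot leave the other behind."""
    try:
        return os.path.samefile(path_a, path_b)
    except OSError:
        # Either path missing: they certainly are not the same file.
        return False


if __name__ == "__main__":
    report = stale_principals(SAMBA_KEYTAB_LISTING, SYSTEM_KEYTAB_LISTING)
    for principal, (fresh, used) in sorted(report.items()):
        print(f"{principal}: system keytab kvno {used}, Samba keytab kvno {fresh}")
    print("same file:", same_keytab("/etc/krb5.keytab", "/etc/krb5/krb5.keytab"))
```

On a real host, feed the functions the output of "klist -kte /etc/krb5.keytab" and "klist -kte /etc/krb5/krb5.keytab" (or whatever paths the two components are configured to use); any principal reported with a lower or missing kvno in the file the OS reads is the one that will fail ticket verification after the next password change, regardless of whether Samba or kclient made the change.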
