[Samba] samba rotates keytabs without telling apache
Herman Øie Kolden
herman at samfundet.no
Wed Nov 22 12:07:09 UTC 2017
Hello!
Our organization has since June had problems with samba on our web server
incrementing keytab version numbers every month - precisely every month. Since
apache2 with mod_auth_kerb isn't made aware of this, all our web sites go 503.
The manual solution has been exporting new keytabs and reloading apache, but we
haven't figured out why the KVNOs are incremented in the first place.
Some googling suggests "kerberos method = secrets and keytab", but this has not
resolved the problem. Is this a known issue? Any suggestions for debugging? The
log level has been 1 while this has been happening. It is now set to 2, but
since there is a month until the next problem, nothing interesting has shown up
in the logs (log.smbd) yet.
KDC packages: Debian stretch 9.1, linux 4.9.0-3-amd64, samba 2:4.5.8+dfsg-2+deb9u1+b1
Web server packages: Debian stretch 9.1, linux 4.11.8, samba 2:4.5.12+dfsg-2
(different version unintentionally)
Web server smb.conf:

[global]
    workgroup = DOMAIN
    realm = AD.DOMAIN.COM
    security = ads
    kerberos method = secrets and keytab
    log level = 2

--
Herman Øie Kolden
ITK, Samfundet
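
Added example, not part of the original post and not Samba's own code: a check that compares the highest KVNO per principal in the system keytab against a separately exported Apache keytab, so the mismatch described above can be caught before the web sites start failing. It assumes MIT `klist -k` output and that Apache reads its own exported keytab file; the keytab paths, host name, KVNO values and function names are constructed for illustration.

```python
import re
import subprocess

# Constructed samples of MIT `klist -k` output; paths, host and KVNOs are made up.
SYSTEM_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/web.ad.domain.com@AD.DOMAIN.COM
   8 HTTP/web.ad.domain.com@AD.DOMAIN.COM
   8 host/web.ad.domain.com@AD.DOMAIN.COM
"""
APACHE_KEYTAB = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/web.ad.domain.com@AD.DOMAIN.COM
"""

# An entry line is "<kvno> <principal@REALM>"; header and ruler lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")

def max_kvno(klist_text):
    """Map each principal to the highest KVNO listed for it."""
    best = {}
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            best[princ] = max(kvno, best.get(princ, 0))
    return best

def stale_principals(system_text, service_text, prefix="HTTP/"):
    """Return {principal: (service_kvno, system_kvno)} where the service keytab lags."""
    system, service = max_kvno(system_text), max_kvno(service_text)
    stale = {}
    for princ, sys_kvno in system.items():
        if princ.startswith(prefix) and service.get(princ, 0) < sys_kvno:
            stale[princ] = (service.get(princ, 0), sys_kvno)
    return stale

def klist(path):
    """Run the real `klist -k` on a keytab file (requires the MIT Kerberos client tools)."""
    return subprocess.run(["klist", "-k", path], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    for princ, (have, want) in stale_principals(SYSTEM_KEYTAB, APACHE_KEYTAB).items():
        print(f"STALE {princ}: service keytab kvno {have}, system keytab kvno {want}")
```

Run from cron with `klist()` output in place of the samples, a non-empty result is the signal to re-export the keytab and reload apache, and its first appearance gives a timestamp to line up against log.smbd.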