[Samba] samba rotates keytabs without telling apache
Rowland Penny
rpenny at samba.org
Wed Nov 22 12:53:11 UTC 2017
On Wed, 22 Nov 2017 13:07:09 +0100
Herman Øie Kolden via samba <samba at lists.samba.org> wrote:
> Hello!
>
> Our organization has since June had problems with samba on our web
> server incrementing keytab version numbers every month - precisely
> every month. Since apache2 with mod_auth_kerb isn't made aware of
> this, all our web sites go 503. The manual solution has been
> exporting new keytabs and reloading apache, but we haven't figured
> out why the KVNOs are incremented in the first place.
>
> Some googling suggests "kerberos method = secrets and keytab", but
> this has not resolved the problem. Is this a known issue? Any
> suggestions for debugging? The log level has been 1 while this has
> been happening. It is now set to 2, but since there is a month until
> the next problem nothing interesting has shown up in the logs (log.smbd)
> yet.
>
> KDC packages: Debian stretch 9.1, linux 4.9.0-3-amd64, samba
> 2:4.5.8+dfsg-2+deb9u1+b1
> Web server packages: Debian stretch 9.1, linux 4.11.8, samba
> 2:4.5.12+dfsg-2 (different version unintentionally)
>
> Web server smb.conf:
>
> [global]
> workgroup = DOMAIN
> realm = AD.DOMAIN.COM
> security = ads
> kerberos method = secrets and keytab
> log level = 2
>
Is that the entire '[global]' portion of smb.conf?
There doesn't seem to be anything with reference to authentication, are
you using sssd?
If you are, then can I suggest you try asking on the sssd-users mailing list.
If you aren't using sssd, can we see the entire '[global]' portion and
does it include 'winbind refresh tickets = yes'?
Rowland