L.P.H. van Belle belle at bazuin.nl
Mon Dec 17 14:38:02 UTC 2018


Good question Marco, now after re-reading it, I understand what you are trying to say.
How I read and understood it:

dedicated keytab file (G)
   Specifies the absolute path to the kerberos keytab file when `kerberos method` is set to "dedicated keytab".
	When the kerberos method is in "dedicated keytab" mode, dedicated keytab file must be set to specify the location of the keytab file.

So your options are
	kerberos method = secret only	( the default.)  so no changes in smb.conf by default. 
	kerberos method = system keytab   	assumes the system default ( /etc/krb5.keytab ) 
	kerberos method = dedicated keytab   can be : AnyPath/to/keytabfile.
	kerberos method = secrets and keytab - use the secrets.tdb first, then the system keytab

I think we should define "system keytab" a bit better in smb.conf.

So yeah, you might say, `kerberos method = secrets and keytab` should work fine without the setting : dedicated keytab file
If that's not the case then we need 2 of these : kerberos method = secrets and keytab
kerberos method = secrets and system-keytab
kerberos method = secrets and dedicate-keytab

What I think, but I can't see it in the code, maybe Rowland can tell this.

If we use : kerberos method = secrets and keytab 
system keytab and dedicated keytab are providing the same thing, the location to the keytab file.

And (from man smb.conf )
The major difference between "system keytab" and "dedicated keytab" is that the latter
method relies on kerberos to find the correct keytab entry instead of filtering based on expected principals.



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Monday 17 December 2018 14:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member
> Hello! Chris via samba
>   On that day it was said...
> > 3. Default kerberos method is secrets only - use only the secrets.tdb
> > for ticket verification. Why is this not sufficient? Why is
> > the /etc/krb5.keytab needed? It's not mentioned in the wiki [1], but in
> > [3].
> > [3] https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
> Seems strange also to me. Reading the manpage:
> 	dedicated keytab file = /etc/krb5.keytab
> 	kerberos method = secrets and keytab
> are a bit incoherent settings; 'dedicated keytab file' is used if and
> only if 'kerberos method = dedicated keytab'.
> The page has to be cleaned up a bit?
> -- 
> dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
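The mismatch discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from Samba: it reads the [global] section of an smb.conf and reports where `kerberos method` and `dedicated keytab file` disagree with the man page wording quoted above. The function names and the sample configuration are constructed for illustration, and it assumes no backslash line continuations. Whether Samba actually ignores the file under "secrets and keytab" is the open question here, so the finding only reports the disagreement with the documentation.

```python
import re

# The four values of 'kerberos method' listed in the message above.
VALID_METHODS = {"secrets only", "system keytab",
                 "dedicated keytab", "secrets and keytab"}

def global_params(text):
    """Return {name: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # normalise case and inner whitespace of the parameter name
            params[" ".join(name.lower().split())] = value.strip()
    return params

def check_keytab_settings(text):
    """List mismatches between 'kerberos method' and 'dedicated keytab file'."""
    p = global_params(text)
    # 'secrets only' is the default when the parameter is absent
    method = " ".join(p.get("kerberos method", "secrets only").lower().split())
    keytab = p.get("dedicated keytab file")
    findings = []
    if method not in VALID_METHODS:
        findings.append(f"unknown kerberos method {method!r}")
    if method == "dedicated keytab" and not keytab:
        findings.append("'dedicated keytab' method needs 'dedicated keytab file'")
    elif method != "dedicated keytab" and keytab:
        findings.append(f"'dedicated keytab file' is set but method is {method!r}; "
                        "the man page ties it to 'dedicated keytab'")
    return findings

# Constructed sample: the combination questioned in the thread.
SAMPLE = """[global]
    security = ads
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
"""

if __name__ == "__main__":
    for finding in check_keytab_settings(SAMPLE):
        print(finding)
```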