[Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member

Rowland Penny rpenny at samba.org
Mon Dec 17 16:23:48 UTC 2018 

On Mon, 17 Dec 2018 16:54:03 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> 
> Ok, but then, with the setting, `kerberos method = secrets and
> keytab` it's only more confusing. 
> 
> A small re-cap.
> secrets only - use only the secrets.tdb for ticket verification
> (default)  
> - this is clear how its used. 
> 
> system keytab - use only the system keytab for ticket
> verification	
> - this description here might be better off with something like this. 
> system keytab - use only the system (in memory) keytab for ticket
> verification.
> 
> dedicated keytab - use a dedicated keytab for ticket verification
> (preffered the OS default) 
> 	- ( for debian/ubuntu /etc/krb5.keytab )


Yes, apart from mentioning any OS defaults, that's the OS's job ;-)

> 
> secrets and keytab - use the secrets.tdb first, then the system (in
> memory) keytab But now i can't explain the mix of  `dedicated keytab`
> and `secrets and keytab`  anymore. 
> 
> Here : secrets and keytab 
> Keytab points to in-memory and/or file keytab?? , at least thats how
> i thought it did work. 

From my understanding (which may be limited) it might be be better as
'secrets and keytabs' i.e. try everything.

> 
> > 
> > > kerberos method = dedicated keytab
> > >   can be : AnyPath/to/keytabfile.
> > > kerberos method = secrets and keytab - use the secrets.tdb first,
> > > then the system keytab
> > > 
> > > I think we should define "system keytab" a bit beter in smb.conf.
> > 
> > You are probably right Louis, want to make this your first patch as
> > a Samba team member ?
> Well thats maybe a bit too early..  ;-) learn about gitlab more
> first. And if its happens, you be the first to review my typos. :-)) 

OK, I will introduce more typo's ;-)

> 
> >   
> > > 
> > > So yeah, you might say, `kerberos method = secrets and keytab`
> > > should work fine without the setting :
> > 
> > Yes it will, but anything else that needs an actual keytab wont.
> 
> In this line "method = secrets and keytab"
> The word `keytab` referres to ? Memory keytab or file, or both. 

Both

> 
> Because it looks like only memory but it does use
> the /etc/krb5.keytab also. So this is not correctly defined..  and
> since im not not sure anymore how it uses the combination of the
> settings, i need to understand the combination better for before i
> can describe it. Following that part of code is to hard for me. 

Yes, it is a bit spaghetti like ;-)
From experience, things work that are not in krb5.keytab and things
that are in krb5.keytab work until the keytab is removed.

Rowland

More information about the samba mailing list