[Samba] Advantage of 'kerberos method = secrets and keytab' over 'kerberos method = system keytab'

L.P.H. van Belle belle at bazuin.nl
Tue Dec 18 09:35:43 UTC 2018


My question also; I'm not really clear on the "kerberos method" options. 

In my opinion, I can't think of much that does not need the /etc/krb5.keytab file. 
So I'm really pro always having the krb5.keytab file, because it makes life easier. 

If you only use winbind auth, that might be an advantage of the system (in-memory) keytab. 
But I need some practical examples of the settings first, because I'm not 100% sure 
what all the disadvantages and advantages are. 

About the "login hiccup at 10 hour service ticket expiration problem": 
You're 100% sure nothing in the network is causing this..
I've seen your problem on the list; I'll have another look at it. 

You can try the following. If you are now using system keytab, set this and see if it works. 

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

! Don't forget, you need to have krb5.keytab extracted from AD. 
https://wiki.samba.org/index.php/Keytab_Extraction 

If you don't have any krb5.keytab file: 

    kinit Administrator
    KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
    kdestroy

If you have one, what's in it? 

But please do test this on a test server and not your production server. 
If you do test on production, make sure you have good backups of Samba.


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Peter Eriksson via samba
> Sent: Tuesday 18 December 2018 10:05
> To: samba at lists.samba.org
> Subject: [Samba] Advantage of 'kerberos method = secrets 
> and keytab' over 'kerberos method = system keytab'
> 
> A question regarding the “kerberos method” configuration 
> option in smb.conf:
> 
> Are there any practical differences between using ‘secrets 
> and keytab’ and ‘system keytab’?
> 
> I’ve been running Samba servers using both methods for a long 
> time and both seem to work more or less fine, but since 
> we’re having this “login hiccup at 10 hour service ticket 
> expiration problem” I’m trying to find out if this might be 
> one thing that is causing our problems? (Our production 
> servers where we see this problem are using ‘system keytab’).
> 
> I’ve been trying to find some information on whether one gives some 
> advantages over the other but so far have come up empty…
> 
> Which one is the preferred setting?
> 
> - Peter
> 
> 
> 
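
Added example (not part of the original message and not Samba's own code): a pre-flight check for the change suggested above. It reads `kerberos method` from an smb.conf and confirms that the keytab that method relies on exists, is non-empty and is accessible by its owner only. The function names and the `/etc/krb5.keytab` default for the system keytab are assumptions.

```shell
# Pre-flight check of the keytab settings in an smb.conf (added example).
# smbconf_global FILE NAME: print a [global] parameter (empty if unset).
# smb.conf names are case-insensitive and ignore whitespace; last one wins.
smbconf_global() {
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[^a-z0-9]/, "", s)
                      in_global = (s == "global"); next }
        in_global && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            if (name == want) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
                found = val
            }
        }
        END { if (found != "") print found }' "$1"
}

# Returns 0 = keytab usable, 1 = method does not read a keytab,
#         2 = keytab missing or empty, 3 = keytab open to group/other.
check_krb_keytab() {
    method=$(smbconf_global "$1" "kerberos method" | tr 'A-Z' 'a-z')
    # Assumption: the system keytab is /etc/krb5.keytab unless $2 overrides it.
    keytab=${2:-/etc/krb5.keytab}
    case $method in
        "secrets and keytab"|"system keytab") ;;
        "dedicated keytab")
            # smb.conf(5): this path is only used with "dedicated keytab".
            keytab=$(smbconf_global "$1" "dedicated keytab file") ;;
        *) echo "method '${method:-unset}' uses secrets.tdb only"; return 1 ;;
    esac
    if [ -z "$keytab" ] || [ ! -s "$keytab" ]; then
        echo "keytab missing or empty: ${keytab:-<not set>}"; return 2
    fi
    # The keytab holds the machine account's long-term keys: owner-only access.
    if [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
        echo "keytab $keytab is accessible by group/other"; return 3
    fi
    echo "method '$method' with keytab $keytab looks usable"
}

# Demo: constructed smb.conf and placeholder keytab (not a real one).
demo=$(mktemp -d); printf 'placeholder' > "$demo/kt"; chmod 600 "$demo/kt"
printf '[global]\nkerberos method = secrets and keytab\n' > "$demo/smb.conf"
check_krb_keytab "$demo/smb.conf" "$demo/kt"; rm -rf "$demo"
```

On a real host, `klist -ke /etc/krb5.keytab` then answers the "what's in it?" question by listing the principals, key version numbers and encryption types stored in the file.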



