[Samba] Generating keytab on a read-only file system

Taner Tas taner76 at gmail.com
Thu Dec 27 11:29:59 UTC 2018

> First, I suggest read :
> https://wiki.samba.org/index.php/Keytab_Extraction 

I did.

> Second, is it for
> a member or AD-DC? That's because of the location of the keytab and
> the AD-DC creates its own keytab file. Third, are any other services
> going to use it? Last, root must be able to write the keytab file.
They're members. The intent is to auto-join clients without manual
intervention by using a dedicated user's credentials. This user is
only granted rights for adding computers to the desired OU. Diskless clients
will use the same root fs over NFS. Hostnames will be generated dynamically
according to their MAC/IP.

> If you place the keytab in another non-default location like:
> With :  dedicated keytab file = /tmp/krb5.keytab
> Then don't forget the symlink to /etc/krb5.keytab also.
> Most client programs look at the default location /etc/krb5.keytab.

As I mentioned in another message in the thread, I figured it out by creating
a symbolic link pointing to an empty krb5.keytab file which will be created
during boot at a writable location if it doesn't exist at first.

Create a symbolic link on root fs:
/etc/krb5.keytab -> /var/lib/samba/krb5.keytab
(/var/lib/samba folder is rw in this case)

During boot via a custom initscript:
[ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab

The empty file must be created before the samba and sssd services are launched.

Btw, I have to mention that the samba packages in your repo don't
work with the sssd packages on Stretch. Sssd quits with a segfault. Due to
this, I switched back to the official Debian builds (4.5.12) in order to
use the sssd AD backend with samba. Probably the sssd package suite must be
re-compiled against the samba packages on the van-belle repo.


Taner Tas
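An added example (not from the post above) of the boot-time step described in the thread: it creates the empty keytab at the writable location on first boot only, keeps its mode at 0600, and verifies that the /etc/krb5.keytab symlink really points at it rather than a stray regular file baked into the read-only image. The default paths are the ones from the post; the function name and argument order are assumptions.

```shell
#!/bin/sh
# Added example: make sure a writable keytab exists behind the
# /etc/krb5.keytab symlink before samba and sssd are started.
# Usage: ensure_keytab [LINK] [REAL]   (defaults match the post above)

ensure_keytab() {
    link=${1:-/etc/krb5.keytab}
    real=${2:-/var/lib/samba/krb5.keytab}
    dir=$(dirname "$real")

    # The target directory must be on a writable mount (rw NFS, overlay, tmpfs).
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    [ -w "$dir" ] || { echo "$dir is not writable" >&2; return 1; }

    # Create the empty keytab only if it is missing; never clobber an existing one,
    # since net ads join / sssd will have written real keys into it.
    if [ ! -f "$real" ]; then
        ( umask 077 && : > "$real" ) || return 1
    fi
    # Keytab holds machine credentials: readable by root only.
    chmod 0600 "$real" || return 1

    # On the read-only root fs the link is part of the image; elsewhere create it.
    # A regular file at $link would shadow the real keytab, so treat it as an error.
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$real" ] || {
            echo "$link points elsewhere: $(readlink "$link")" >&2; return 1; }
    elif [ -e "$link" ]; then
        echo "$link exists and is not a symlink" >&2; return 1
    else
        ln -s "$real" "$link" || return 1
    fi
    return 0
}
```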
