[Samba] Generating keytab on a read-only file system

L.P.H. van Belle belle at bazuin.nl
Thu Dec 27 16:07:13 UTC 2018


Small correction.  In the deb testing line 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Thursday 27 December 2018 16:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] Generating keytab on a read-only file system
> 
> Hai Taner, 
> 
> > -----Original message-----
> > From: Taner Tas [mailto:taner76 at gmail.com]
> > Sent: Thursday 27 December 2018 12:30
> > To: L.P.H. van Belle via samba
> > CC: L.P.H. van Belle
> > Subject: Re: [Samba] Generating keytab on a read-only file system
> > 
> > 
> > 
> > 
> > > First, I suggest read :
> > > https://wiki.samba.org/index.php/Keytab_Extraction 
> > 
> > I did.
> Great, sorry but we need to ask this. Most don't even know
> about the wiki.
> Good to see you do :-)
> 
> > > Second, is it for a member or AD-DC? That's because of the location
> > > of the keytab, and the AD-DC creates its own keytab file. Third, are
> > > any other services going to use it? Last, root must be able to write
> > > the keytab file.
> > >
> > They're members. The intent is to auto-join clients without manual
> > intervention by using a dedicated user's credentials. This user is
> > only granted rights for adding computers to the desired OU.
> > Diskless clients will use the same root fs over NFS. Hostnames will
> > be generated dynamically according to their MAC/IP.
> > 
> > > If you place the keytab in another non-default location like:
> > > With:  dedicated keytab file = /tmp/krb5.keytab
> > >
> > > Then don't forget the symlink to /etc/krb5.keytab also.
> > > Most client programs look at the default location
> > > /etc/krb5.keytab.
> > >
> > 
> > As I mentioned in another message in the thread, I figured it out
> > by creating a symbolic link pointing to an empty krb5.keytab file,
> > which will be created during boot at a writable location if it
> > doesn't exist at first.
> >
> > Create a symbolic link on root fs:
> > /etc/krb5.keytab -> /var/lib/samba/krb5.keytab
> > (/var/lib/samba folder is rw in this case)
> >
> > During boot via custom initscript:
> > [ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab
> >
> > The empty file must be created before the samba and sssd services
> > are launched.
> 
> Hmm, I think it's good that you read:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html
>
> Check  ProtectSystem= PrivateTmp=  ReadWritePaths=
> and basically the sandboxing part.
> 
> 
> > 
> > Btw, I have to mention that the samba packages in your repo don't
> > work with the sssd packages on Stretch. Sssd quits with a segfault.
> > Due to this, I switched back to the official Debian builds (4.5.12)
> > in order to use the sssd AD backend with samba. Probably the sssd
> > package suite must be re-compiled against the samba packages in the
> > van-belle repo.
> 
> Yes, that's known, I've added a notice on the apt site, thank
> you for pointing that out (again).
> Now, I've done a little check here and if you need sssd with
> my packages, you can use the following steps.
> 
> 
> # vanbelle repo.
> echo "deb http://apt.van-belle.nl/debian stretch-samba49 main contrib non-free" > /etc/apt/sources.list.d/van-belle.list
>
> # Enable stretch-backports.
> echo "deb http://ftp.nl.debian.org/debian stretch-backports main contrib non-free" > /etc/apt/sources.list.d/stretch-backports.list
> 
> # Enable testing or SID sources. 
echo "deb-src http://ftp.nl.debian.org/debian testing main contrib non-free" > /etc/apt/sources.list.d/testing.list

*( changed deb to deb-src ) 


>
> #
> apt-get update
> apt-get install -t stretch-backports debhelper lintian devscripts build-essential fakeroot dh-systemd libdistro-info-perl quilt -y
> apt-get build-dep sssd -y
> apt-get source sssd -by
>
> And wait, until your .deb's are ready.
>
> The most simple and quick rebuild of sssd.
> You need sssd 1.16 (this was 1.15.2), which is the minimum with the
> current samba versions as far as I know.
> 
> Greetz, 
> 
> Louis
> 
> 
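The layout Taner describes (the default keytab path on the read-only NFS root is a symlink into a writable directory, and an empty target file is created at boot before samba and sssd start) is easy to get subtly wrong: a stray symlink, or a regular file left at /etc/krb5.keytab in the image, means the join writes the machine key somewhere nobody expects. The following POSIX sh helper is an added example for this thread, not code from either poster; it takes the link path and the writable target as arguments (the /etc and /var/lib/samba paths from the thread are just the expected call) so it can be run against a scratch tree, keeps the keytab root-only, and refuses to continue when the link does not resolve to the writable file.

```shell
#!/bin/sh
# Added example, not from the thread: boot-time check for a keytab that lives
# on a writable path behind a symlink on a read-only root fs.
#   link   = default keytab path, e.g. /etc/krb5.keytab (read-only root)
#   target = writable location, e.g. /var/lib/samba/krb5.keytab
# Returns 0 when the target exists and the link resolves to it, 1 otherwise.

ensure_keytab() {
    link="$1"
    target="$2"

    # Writable side: make sure the directory and an (initially empty) keytab
    # exist. The machine account key lands in this file after the join, so it
    # is created mode 0600; umask is set in a subshell to leave the caller's
    # umask alone.
    mkdir -p "$(dirname "$target")" || return 1
    if [ ! -f "$target" ]; then
        ( umask 077 && : > "$target" ) || return 1
    fi
    chmod 600 "$target" || return 1

    # Read-only side: the link normally ships inside the root image, so at
    # boot we only verify it points where samba/sssd expect. If it is absent
    # and the fs happens to be writable (image build time), create it.
    if [ -L "$link" ]; then
        resolved=$(readlink "$link")
        if [ "$resolved" != "$target" ]; then
            echo "ERROR: $link -> $resolved, expected $target" >&2
            return 1
        fi
    elif [ -e "$link" ]; then
        # A regular file here means the keytab would be written (or fail to
        # be written) on the read-only root instead of the writable target.
        echo "ERROR: $link exists but is not a symlink to $target" >&2
        return 1
    else
        ln -s "$target" "$link" 2>/dev/null || {
            echo "ERROR: cannot create $link (read-only fs?)" >&2
            return 1
        }
    fi
    return 0
}

# Typical init-script use, ordered before samba and sssd:
# ensure_keytab /etc/krb5.keytab /var/lib/samba/krb5.keytab || exit 1
```

Two things follow from Louis's pointer to systemd.exec: if the samba or sssd units run with ProtectSystem=strict, the writable directory has to be listed in ReadWritePaths= (for example ReadWritePaths=/var/lib/samba in a drop-in), otherwise the join still cannot write the keytab even though the symlink is correct; and with PrivateTmp= a target under /tmp, as in the dedicated keytab file example above, would not be the same /tmp the other services see, which is one more reason to keep the target under /var/lib/samba.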