[Samba] Generating keytab on a read-only file system
L.P.H. van Belle
belle at bazuin.nl
Thu Dec 27 16:07:13 UTC 2018
Small correction. In the deb testing line
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Thursday 27 December 2018 16:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] Generating keytab on a read-only file system
>
> Hai Taner,
>
> > -----Original message-----
> > From: Taner Tas [mailto:taner76 at gmail.com]
> > Sent: Thursday 27 December 2018 12:30
> > To: L.P.H. van Belle via samba
> > CC: L.P.H. van Belle
> > Subject: Re: [Samba] Generating keytab on a read-only file system
> >
> > > First, I suggest read :
> > > https://wiki.samba.org/index.php/Keytab_Extraction
> >
> > I did.
> Great, sorry but we need to ask this. Most don't even know
> about the wiki.
> Good to see you do :-)
>
> > > Second, is it for
> > > a member or AD-DC? That's because of the location of the keytab and
> > > the ad-dc creates its own keytab file. Third, are any
> > > other services
> > > going to use it? Last, root must be able to write the keytab file.
> > >
> > They're members. The intent is to auto join clients without manual
> > intervention by using a dedicated user's credentials. This user is
> > only granted rights for adding computers to the desired OU.
> > Diskless clients
> > will use the same root fs over nfs. Hostnames will be generated
> > dynamically according to their MAC/IP.
> >
> > > If you place the keytab in an other non-default location like :
> > > With : dedicated keytab file = /tmp/krb5.keytab
> > >
> > > Then don't forget the symlink to /etc/krb5.keytab also.
> > > Most client programs look at the default location
> > > /etc/krb5.keytab.
> > >
> >
> > As I mentioned in another message in the thread, I figured it out
> > by creating a symbolic link pointing at an empty krb5.keytab file
> > which will be created during boot at a writable location if it
> > doesn't exist on first boot.
> >
> > Create a symbolic link on root fs:
> > /etc/krb5.keytab -> /var/lib/samba/krb5.keytab
> > (/var/lib/samba folder is rw in this case)
> >
> > During boot via custom initscript:
> > [ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab
> >
> > The empty file must be created before the samba and sssd services
> > are launched.
>
> Hmm, I think it's good that you read:
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html
>
> Check ProtectSystem= PrivateTmp= ReadWritePaths=
> And basically the sandboxing part.
>
>
> >
> > Btw, I have to mention that the samba packages in your repo don't
> > work with sssd packages on Stretch. Sssd quits with segfault. Due to
> > this, I switched back to the official Debian builds (4.5.12) in order
> > to use the sssd ad backend with samba. Probably the sssd package suite
> > must be re-compiled against the samba packages on the van-belle repo.
>
> Yes, that's known, I've added a notice on the apt site, thank
> you for pointing that out (again).
> Now, I've done a little check here and if you need sssd with
> my packages, you can use the following steps.
>
>
> # vanbelle repo.
> echo "deb http://apt.van-belle.nl/debian stretch-samba49 main contrib non-free" > /etc/apt/sources.list.d/van-belle.list
>
> # Enable stretch-backports.
> echo "deb http://ftp.nl.debian.org/debian stretch-backports main contrib non-free" > /etc/apt/sources.list.d/stretch-backports.list
>
> # Enable testing or SID sources.
echo "deb-src http://ftp.nl.debian.org/debian testing main contrib non-free" > /etc/apt/sources.list.d/testing.list
*( changed deb to deb-src )
>
> #
> apt-get update
> apt-get install -t stretch-backports debhelper lintian devscripts build-essential fakeroot dh-systemd libdistro-info-perl quilt -y
> apt-get build-dep sssd -y
> apt-get source sssd -by
>
> And wait, until your .deb's are ready.
>
> The most simple and quick rebuild of sssd.
> You need sssd 1.16 (this was 1.15.2); that is the minimum with the
> current samba versions as far as I know.
>
> Greetz,
>
> Louis
>
>
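A boot-time helper for the diskless-client setup discussed above (symlink on the read-only root, placeholder keytab at the rw location), written as an added example rather than code from the thread or from the Samba project. It differs from a plain `touch` in creating the file with mode 0600, since the keytab will hold the machine account key; the `ROOT` prefix argument is an assumption so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# ensure_keytab [ROOT]: create /var/lib/samba/krb5.keytab (root-only readable)
# if missing and make sure /etc/krb5.keytab is the symlink pointing at it.
# ROOT is an optional prefix for testing; on a real host leave it empty.
ensure_keytab() {
    root="${1:-}"
    target="/var/lib/samba/krb5.keytab"   # writable location used in the thread
    real="$root$target"
    link="$root/etc/krb5.keytab"

    mkdir -p "$(dirname "$real")" || return 1
    # Create the placeholder with umask 077 so it is never world-readable,
    # then tighten a file that an earlier plain `touch` may have left at 0644.
    if [ ! -e "$real" ]; then
        ( umask 077 && : > "$real" ) || return 1
    fi
    chmod 0600 "$real" || return 1

    # The symlink must point at the rw file. A stale regular file at
    # /etc/krb5.keytab on the read-only root would shadow the real keytab,
    # so report that instead of silently continuing.
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$target" ] || return 2   # wrong target
    elif [ -e "$link" ]; then
        return 3                                           # not a symlink
    else
        ln -s "$target" "$link" || return 1
    fi
    return 0
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
keytab_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

If samba or sssd run under a systemd unit with ProtectSystem=strict, /var/lib/samba also has to be listed in ReadWritePaths= or the service will not be able to write the keytab it can otherwise reach through the symlink.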