[Samba] pam+winbind and maintaining domain membership: keytab vs tickets

Isaac Stone isaac.stone at som.com
Thu Aug 6 17:18:54 UTC 2020

Hello. I am trying to clarify in my mind how winbind, pam and kerberos all
work. I am hoping to get some knowledge to help debug and ensure our samba
server keeps it's domain membership in the most robust way possible.

Background: We are using a samba server to serve a filesystem to windows
users. A group policy on the machines will automatically mount the
filesystem. Samba and all the windows machines are expected to always be
members of the same AD domin.

Not having used kerberos before I was getting tickets and keytabs confused.
I start to think that in the current setup tickets are perhaps an
unnecessary complication. All that is really needed is a way to ensure the
samba server stays in the domain indefinitely and rejoins on reboot.

Currently we join the domain when we provision a server with the `net ads
join -U domainadmin`. After the domain join running `net ads keytab list`
will list keytabs with NETBIOS_NAME at OUR.DOMAIN as the principal. It seems
to work without running kinit or creating a ticket-granting-ticket.

So I think that having `winbind refresh tickets` in smb.conf is
unnecessary, and I can safely change `kerberos methos` to just `keytab`

Is the keytab created when the `net ads join` command is run?
Is there a way to test the keytab is working? (other than restarting the
Would this break if we had multiple servers configured with the same
Everything seems to work even if I stop the nmb daemon. I think this is
because we use the ip and not the netbios name in our mount scripts and
configuration. Is this correct?

I tried to find out all I could with google and reading the docs, but I am
still not sure I understand everything and would greatly appreciate some

Thanks Much,
 - Isaac

More information about the samba mailing list