[Samba] pam+winbind and maintaining domain membership: keytab vs tickets

Rowland penny rpenny at samba.org
Thu Aug 6 18:41:22 UTC 2020

On 06/08/2020 19:07, Isaac Stone wrote:
> Thanks for your quick replies
> Yes, we are using a ctdb setup, and having the same netbios name was 
> something I understood as necessary there. Thanks for confirming
First time I ever confirmed something by saying don't use it :D
> To clarify, currently we are not fetching any kerberos tickets for any 
> reason on the samba server. We are not using `kinit` explicitly 
> anywhere and everything seems to be working. In a previous setup we 
> were calling it because I thought it was necessary for winbind, 
> thinking somehow winbind used kerberos tickets to keep the server 
> joined to the domain. I think I was mistaken and just wanted to get 
> confirmation. I am not exactly sure what I would be using a kerberos 
> ticket for?

You only need to run 'kinit' if you need to run a command that can use 
kerberos, samba-tool for instance.

otherwise, winbindd will refresh the tickets it uses internally, but 
only if you tell it to.

> What is the "secrets" kerberos method in "secrets and keytab"? is it 
> the username/password combo from the initial join?

'secrets' is secrets.tdb and 'keytab' refers to the system keytab (the 
one in memory).


More information about the samba mailing list