[Samba] pam+winbind and maintaining domain membership: keytab vs tickets
rpenny at samba.org
Thu Aug 6 18:41:22 UTC 2020
On 06/08/2020 19:07, Isaac Stone wrote:
> Thanks for your quick replies.
> Yes, we are using a ctdb setup, and having the same netbios name was
> something I understood as necessary there. Thanks for confirming.
First time I ever confirmed something by saying don't use it :D
> To clarify, currently we are not fetching any kerberos tickets for any
> reason on the samba server. We are not using `kinit` explicitly
> anywhere and everything seems to be working. In a previous setup we
> were calling it because I thought it was necessary for winbind,
> thinking somehow winbind used kerberos tickets to keep the server
> joined to the domain. I think I was mistaken and just wanted to get
> confirmation. I am not exactly sure what I would be using a kerberos
> ticket for?
You only need to run 'kinit' if you need to run a command that can use
kerberos, samba-tool for instance.
Otherwise, winbindd will refresh the tickets it uses internally, but
only if you tell it to.
> What is the "secrets" kerberos method in "secrets and keytab"? Is it
> the username/password combo from the initial join?
'secrets' is secrets.tdb and 'keytab' refers to the system keytab (the
one in memory).