[Samba] winbind: machine password timeout and keytab

Rowland penny rpenny at samba.org
Tue Feb 18 19:44:38 UTC 2020

On 18/02/2020 19:14, Johan Hattne via samba wrote:
> Dear all;
> Is it possible to refresh the machine password in an AD setup while 
> also using a keytab for verifying secrets?  As far as I can see 
> machine password updates (as controlled by "machine password timeout") 
> are disabled when a keytab is in use (in particular, when "kerberos 
> method = secrets and keytab"), but without an up-to-date keytab e.g. 
> single sign-on with SSH won't work.

I wonder where you found that ?

As far as I am aware, your machine passwords will be updated by winbind 
and setting 'machine password timeout' just decides when. Setting 
'winbind refresh tickets = yes' should refresh any tickets as required. 
This all depends on you running winbind.

> Is there any way around this, short of running a cron job to refresh 
> machine passwords and then update the keytab?  I find that the 
> cron-solution suffers from race conditions in a CTDB setup.
> // Best wishes; Johan
No idea about CTDB, I do not use use it, but it should work in the same 
way. It might help if you post your smb.conf, there may be something 
there (or not there) that could be causing this.


More information about the samba mailing list