[Samba] winbind: machine password timeout and keytab
Johan Hattne
johan at hattne.se
Wed Feb 19 00:44:44 UTC 2020
On 2020-02-18 11:44, Rowland penny via samba wrote:
> On 18/02/2020 19:14, Johan Hattne via samba wrote:
>> Dear all;
>>
>> Is it possible to refresh the machine password in an AD setup while
>> also using a keytab for verifying secrets? As far as I can see
>> machine password updates (as controlled by "machine password timeout")
>> are disabled when a keytab is in use (in particular, when "kerberos
>> method = secrets and keytab"), but without an up-to-date keytab e.g.
>> single sign-on with SSH won't work.
>
> I wonder where you found that ?

With smb.conf as per below, I'd expect a machine password update every
two hours, but nothing happens. Commenting out "kerberos method" does
update the machine password right away (as per "net ads info"), and then
refreshes every two hours after that.

Also, source3/winbindd_dual.c has this in it:

    if (child->domain && child->domain->primary &&
        !USE_KERBEROS_KEYTAB &&
        lp_server_role() == ROLE_DOMAIN_MEMBER) {
            // For brevity:
            // Omitted real code to call machine_password_handler()
            // on password expiration
        }
    }

I'm thinking the USE_KERBEROS_KEYTAB is preventing the handler from
being installed, but there is probably a good reason it's there.

> As far as I am aware, your machine passwords will be updated by winbind
> and setting 'machine password timeout' just decides when. Setting
> 'winbind refresh tickets = yes' should refresh any tickets as required.
> This all depends on you running winbind.

I didn't have "winbind refresh tickets = yes", but I see the same
behaviour now that I've added it.

>> Is there any way around this, short of running a cron job to refresh
>> machine passwords and then update the keytab? I find that the
>> cron-solution suffers from race conditions in a CTDB setup.
>>
>> // Best wishes; Johan
>>
> No idea about CTDB, I do not use it, but it should work in the same
> way. It might help if you post your smb.conf, there may be something
> there (or not there) that could be causing this.

I'll get back to CTDB once this has been sorted. And here's the full
smb.conf:

[global]
    client signing = required
    kerberos method = secrets and keytab
    load printers = No
    local master = No
    log file = /var/log/samba/log.%m
    machine password timeout = 7200
    max log size = 1000
    mdns name = mdns
    realm = AD.EXAMPLE.COM
    security = ADS
    server min protocol = SMB2
    server signing = required
    server string = Samba %v (%h)
    template homedir = /home/%U
    template shell = /bin/bash
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = AD
    fruit:copyfile = yes
    idmap config * : rangesize = 1000000
    idmap config * : range = 1734200000 - 1999999999
    idmap config * : backend = autorid
    use sendfile = Yes
    vfs objects = catia fruit streams_xattr

[time_machine]
    comment = Time Machine (%h)
    path = /var/time_machine/%U
    read only = No
    valid users = "@AD.EXAMPLE.COM\mygroup"
    fruit:model = RackMac
    fruit:encoding = native
    fruit:time machine max size = 1024G
    fruit:time machine = yes

// Best wishes; Johan
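
The condition quoted from source3/winbindd_dual.c, turned into a configuration check that flags an smb.conf where "machine password timeout" is set but would not be acted on. This is an added example, not part of the original message or Samba's code. It assumes that any "kerberos method" other than the default or "secrets only" counts as keytab use and that "security = ADS" implies the domain-member role; rotation_status and its status strings are hypothetical names.

```python
import re

# Constructed sample: the [global] lines from the posted smb.conf that matter here.
SAMPLE = """\
[global]
    kerberos method = secrets and keytab
    machine password timeout = 7200
    security = ADS
[time_machine]
    path = /var/time_machine/%U
"""

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def rotation_status(text):
    """Evaluate the condition quoted from source3/winbindd_dual.c against a config."""
    p = parse_global(text)
    method = " ".join(p.get("kerberosmethod", "default").lower().split())
    # Assumption: any method other than default/"secrets only" sets USE_KERBEROS_KEYTAB.
    keytab = method not in ("default", "secrets only")
    # Assumption: "security = ADS" without a role override yields ROLE_DOMAIN_MEMBER.
    member = p.get("security", "").lower() == "ads"
    timeout = int(p.get("machinepasswordtimeout", "604800"))  # default: one week
    if not member:
        status = "not-applicable"
    elif keytab:
        status = "handler-skipped"  # timeout is configured but never acted on
    else:
        status = "rotation-active"
    return {"status": status, "timeout": timeout, "kerberos_method": method}

if __name__ == "__main__":
    print(rotation_status(SAMPLE))
```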