[Samba] Samba + Winbind : Kerberos Tickets

L.P.H. van Belle belle at bazuin.nl
Wed Jul 15 13:22:55 UTC 2020 

 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Robert Buck via samba
> Verzonden: woensdag 15 juli 2020 15:12
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Samba + Winbind : Kerberos Tickets
> 
> Hi Folks,
> 
> We're in the process of setting up a Samba cluster 
> (Samba+CTDB+etcd), and
> we (presently) using Winbind. We use AD. We're finding that 
> the domain join
> (or kerberos ticket renewal) is unreliable. 

You most probely missing in smb.conf

   dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes



> Every day we find 
> Samba/Winbind
> is no longer joined to the domain. Now, we're in a bit of a 
> learning curve
> here, and automating everything with Terraform + Ansible. We 
> have yet to
> produce a stable environment with respect to domain join, 
> though the file
> systems themselves seem fine.

Ow and you know this : 
https://www.kania-online.de/wp-content/uploads/2020/05/cluster-mit-ctdb.pdf 

Its a good read for what you want, at least, i think it is. 

> 
> One challenge is the vast array of (frequently inconsistent 
> or inaccurate)
> documentation on the topic of Samba, different ways to do the 
> same things,
> etc. So part of our challenge is sifting through useful, or 
> not so useful,
> information.
> 
> We really need an accurate recipe for installing Samba, all its
> dependencies, including Winbind (or alternative), having this domain
> joined, and supporting Windows File History.

Well, im still working on that. 
https://github.com/thctlo/samba4/tree/master/howtos 
The current "debian stretch" is old, but mostly it still correct. 
The "Debian Buster"  version is in the making at the moment (a member setup first. ) 

> 
> Can anyone of the core Samba team members point our way through the
> "wilderness"? ;-) To either a very up to date, very accurate, 
> bash script
> that has every step detailed, or a document that has been 
> tested recently that works flawlessly?

Almost there, the member setup should be done this or next week. 
;-) 

> 
> This would be very helpful.
> 
> We're excited to see the prospect of a distributed Samba 
> cluster working
> across several AWS regions, and initial testing has produced 
> great results
> in terms of performance and recoverability. But it's this last mile of
> getting AD join stable and kerberos tickets automatically 
> renewed, and not dropping domain join, working, that is causing us issue.

See above, that will fix it. 

> 
> And any detailed information (script ideally) on how to 
> configure Windows  File History, would also be helpful.

Thats one point im also working on at the moment, and as far i know you need LVM for it. 
But i leave this part to my college Rowland or other members of the Team. 

> 
> Thank you so much in advance, we really appreciate this.
> 
> Kindly,
> 
> -- 
> 
> BOB BUCK


Greetz, 

Louis

More information about the samba mailing list