[Samba] Samba doesn't honor the setting "dedicated keytab file"

Rowland penny rpenny at samba.org
Thu Jan 28 12:17:42 UTC 2021


On 28/01/2021 11:48, Andrea Cucciarre' via samba wrote:
> Hello,
>
> I am running Samba on Ubuntu as a DC member:
>
> Version 4.11.6-Ubuntu
>
> I have also installed the packages as recommended here:
>
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation 
>
>
> I want the keytab file to be stored on a specific path so I have used 
> the setting:
>
> dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
>
> However, when I join the domain, the krb5.keytab is created in 
> /etc/krb5.keytab, not the path I have requested.
> Below is my smb.conf global section:
>
> [global]
> security = ads
> realm = HF4.LOCAL
> workgroup = HF4
> netbios name = hf-andrea-1-788
> log file = /hyperfile/gluster-cache/logs/winbindd/1/log.%I
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config HF4 : backend = rid
> idmap config HF4 : range = 10000-999999
> log level = 5
> max log size = 10000
> winbind refresh tickets = Yes
> winbind offline logon = true
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
> kerberos method = secrets and keytab
> client signing = yes
> client use spnego = yes
> template shell = /bin/bash
> template homedir = /home/%U
> logging = file
> server role = standalone server
> map to guest = bad user
> usershare allow guests = no
>
> Any advice on how to fix it?
>
Try reading 'man smb.conf', where you will find that the keytab in 
'secrets and keytab' isn't the 'dedicated keytab'. I have never tried 
it, but I think you would have to have 'kerberos method = dedicated 
keytab' in smb.conf before the join to get the keytab created where you 
require it. However, even if this works, I wouldn't recommend it. Just 
copy the keytab to the required location.

Finally, where did you get the idea that adding 'server role = 
standalone server' to the smb.conf of a Unix domain member was okay?

If it came from a website somewhere, can you supply a link?

Rowland
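The two mismatches raised in this thread (a 'dedicated keytab file' that is ignored because 'kerberos method' is not 'dedicated keytab', and 'server role = standalone server' on a host configured with 'security = ads') can be caught before a join with a small configuration lint. The script below is an added example, not code from the thread or from the Samba project; it assumes the 'kerberos method' semantics documented in man smb.conf, and the sample [global] section is a constructed copy of the poster's, trimmed to the relevant keys.

```python
"""Lint an smb.conf [global] section for the keytab and role mismatches discussed above."""
import re

# Constructed sample: the poster's [global] section, trimmed to the keys that matter here.
SAMPLE_SMB_CONF = """
[global]
security = ads
realm = HF4.LOCAL
workgroup = HF4
dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
kerberos method = secrets and keytab
server role = standalone server

[share]
path = /srv/share
"""

def parse_global(text):
    """Return the [global] section as a dict; keys lowercased with whitespace collapsed."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # smb.conf comments start with # or ;
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            params[' '.join(key.split()).lower()] = value.strip()
    return params

def lint(params):
    """Return a list of warnings; an empty list means no inconsistency was found."""
    warnings = []
    method = params.get('kerberos method', 'default').lower()
    # Only 'kerberos method = dedicated keytab' reads the 'dedicated keytab file' path;
    # 'secrets and keytab' and 'system keytab' use the system keytab (/etc/krb5.keytab by default).
    if 'dedicated keytab file' in params and method != 'dedicated keytab':
        warnings.append(f"'dedicated keytab file' is set but 'kerberos method = {method}' "
                        "ignores it; only 'kerberos method = dedicated keytab' uses that path")
    # A domain member uses 'server role = member server'; 'standalone server' contradicts 'security = ads'.
    if (params.get('security', '').lower() == 'ads'
            and params.get('server role', '').lower() == 'standalone server'):
        warnings.append("'security = ads' conflicts with 'server role = standalone server'; "
                        "a domain member should use 'server role = member server'")
    return warnings

if __name__ == '__main__':
    for w in lint(parse_global(SAMPLE_SMB_CONF)):
        print('WARNING:', w)
```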