[Samba] Samba doesn't honor the setting "dedicated keytab file"

Andrea Cucciarre' acucciarre at cloudian.com
Thu Jan 28 12:37:23 UTC 2021


Hello Rowland,

I read the man page and came to the same conclusion as you, but the Samba 
wiki is not clear; in the link below:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User

it uses "dedicated keytab file" with "kerberos method = secret and keytab"

Moreover, the same config setting on CentOS works.
Regarding "server role", I believe it's an error; I guess I can use the 
default, because in the Samba wiki about DC members it is not mentioned.

Regards
Andrea Cucciarre'


On 1/28/2021 1:17 PM, Rowland penny via samba wrote:
> On 28/01/2021 11:48, Andrea Cucciarre' via samba wrote:
>> Hello,
>>
>> I am running Samba on Ubuntu as a DC member:
>>
>> Version 4.11.6-Ubuntu
>>
>> I have also installed the packages as recommended here:
>>
>> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation 
>>
>>
>> I want the keytab file to be stored on a specific path so I have used 
>> the setting:
>>
>> dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
>>
>> However, when I join the domain, the krb5.keytab is created in 
>> /etc/krb5.keytab, not the path I have requested.
>> Below is my smb.conf global section:
>>
>> [global]
>> security = ads
>> realm = HF4.LOCAL
>> workgroup = HF4
>> netbios name = hf-andrea-1-788
>> log file = /hyperfile/gluster-cache/logs/winbindd/1/log.%I
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config HF4 : backend = rid
>> idmap config HF4 : range = 10000-999999
>> log level = 5
>> max log size = 10000
>> winbind refresh tickets = Yes
>> winbind offline logon = true
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>> dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
>> kerberos method = secrets and keytab
>> client signing = yes
>> client use spnego = yes
>> template shell = /bin/bash
>> template homedir = /home/%U
>> logging = file
>> server role = standalone server
>> map to guest = bad user
>> usershare allow guests = no
>>
>> Any advice on how to fix it?
>>
> Try reading 'man smb.conf', where you will find that the keytab in 
> 'secrets and keytab' isn't the 'dedicated keytab'. I have never tried 
> it, but I think you would have to have 'kerberos method = dedicated 
> keytab' in smb.conf before the join to get the keytab created where 
> you require it. However, even if this works, I wouldn't recommend it. 
> Just copy the keytab to the required location.
>
> Finally, where did you get the idea that adding 'server role = 
> standalone server' to the smb.conf of a Unix domain member was okay?
>
> If it came from a website somewhere, can you supply a link.
>
> Rowland
>
>
>

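The point Rowland makes comes straight from man smb.conf: "dedicated keytab file" is only consulted when "kerberos method = dedicated keytab"; with "secrets and keytab" Samba writes the system keytab (which is why the join above produced /etc/krb5.keytab). The script below is an added example, not code from the thread or from the Samba project. It reads the [global] section of an smb.conf and reports whether the configured keytab path will actually be used, and also flags "server role = standalone server" next to "security = ads". The function names, the awk parser and the sample smb.conf (built from the poster's global section) are all my own constructions.

```shell
#!/bin/sh
# Added example, not part of the thread or of Samba. Checks whether the
# "dedicated keytab file" setting in an smb.conf will take effect, using the
# semantics documented in man smb.conf for "kerberos method":
#   dedicated keytab   -> keytab is the "dedicated keytab file" path
#   secrets and keytab -> secrets.tdb first, then the SYSTEM keytab
#   system keytab      -> system keytab (/etc/krb5.keytab on the poster's host)
#   secrets only / default -> no keytab is written at all
# It also warns when "security = ads" is combined with a "server role" other
# than "member server", which the thread identifies as wrong for a domain member.

# smb_global_get FILE KEY -> prints KEY's value from [global], or nothing.
# Keys are compared case-insensitively with whitespace collapsed.
smb_global_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -s ' ')" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && /^[[:space:]]*[#;]/ { next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            key = tolower(key); gsub(/[[:space:]]+/, " ", key)
            if (key == want) { print val; exit }
        }' "$1"
}

# check_keytab_config FILE -> returns 0 if the keytab settings are consistent,
# 1 if the dedicated path would be ignored or the role/security pair is wrong.
check_keytab_config() {
    conf="$1"
    method=$(smb_global_get "$conf" "kerberos method" | tr 'A-Z' 'a-z')
    dedicated=$(smb_global_get "$conf" "dedicated keytab file")
    security=$(smb_global_get "$conf" "security" | tr 'A-Z' 'a-z')
    role=$(smb_global_get "$conf" "server role" | tr 'A-Z' 'a-z')
    rc=0
    case "$method" in
        "dedicated keytab")
            if [ -z "$dedicated" ]; then
                echo "ERROR: kerberos method = dedicated keytab but no 'dedicated keytab file' set"; rc=1
            else
                echo "OK: keytab will be written to $dedicated"
            fi ;;
        "secrets and keytab"|"system keytab")
            if [ -n "$dedicated" ]; then
                echo "WARNING: kerberos method = $method writes the system keytab; 'dedicated keytab file = $dedicated' is ignored"; rc=1
            else
                echo "OK: keytab will be written to the system keytab"
            fi ;;
        ""|"default"|"secrets only")
            echo "NOTE: kerberos method = ${method:-default} writes no keytab at all" ;;
        *)
            echo "ERROR: unknown kerberos method '$method'"; rc=1 ;;
    esac
    if [ "$security" = "ads" ] && [ -n "$role" ] && [ "$role" != "member server" ]; then
        echo "WARNING: security = ads with server role = $role; a domain member should drop the line or use 'member server'"; rc=1
    fi
    return $rc
}

# Demo on a constructed smb.conf mirroring the poster's global section.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
security = ads
realm = HF4.LOCAL
workgroup = HF4
dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
kerberos method = secrets and keytab
server role = standalone server
EOF
check_keytab_config "$demo_conf" || echo "config needs changes (exit $?)"
rm -f "$demo_conf"
```

On a live domain member, confirm what Samba actually resolved with `testparm -s | grep -i keytab`, then list the keytab it produced with MIT's `klist -k /etc/krb5.keytab` (or the dedicated path); `net ads keytab create` regenerates the keytab after the join if the method is changed, and a rejoin is not needed just to relocate the file.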