[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable

L.P.H. van Belle belle at bazuin.nl
Thu Jan 27 13:29:52 UTC 2022


Hi Alex,


> -----Original message-----
> From: Alex [mailto:samba at abisoft.biz]
> Sent: Thursday 27 January 2022 13:02
> To: L.P.H. van Belle via samba; L.P.H. van Belle
> Subject: Re: [Samba] Kerberos authentication issue after
> upgrading from 4-14-stable to 4-15-stable
> 
> Hello Louis,
> 
> Samba is already handling the system's keytab 
... 
> Any ideas why?
No, sorry, that's one I don't know, except that k5start might look in a different place which does not exist.

> 
> The reason to use k5start is b/c some progs can't work with 
> keytab file directly. For example, nslcd.

Aha.. But wait, if Samba is already handling it,
why not this way..

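(example for Kerberos auth in squid)
# get a ticket as a domain admin
kinit Administrator

# make the dedicated squid keytab the default keytab for the next command
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab

net ads keytab ADD HTTP/$(hostname -f)

# owner root read/write, group proxy read-only, nothing for others
chmod 640 /etc/squid/HTTP-$(hostname -s).keytab

chown root:proxy /etc/squid/HTTP-$(hostname -s).keytab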

Adjust it to your needs for nslcd, but it shows how to do it.
I think that will work also.



> 
> > I'm wondering why you don't use winbind for the keytab setup and let Samba handle it.
> >
> > That's what I suggest.
> > Install winbind only. 
> 
> > Use : 
> >     dedicated keytab file = /etc/krb5.keytab
> >     kerberos method = secrets and keytab
> 
> >     # renew the kerberos ticket
> >     winbind refresh tickets = yes
> 
> > And then use that keytab, or make a separate keytab file as you do now.
>
> > You might have a reason to use k5start but I haven't seen it so far.
> 
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex
> >> via samba
> >> Sent: Thursday 27 January 2022 9:12
> >> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
> >> Subject: Re: [Samba] Kerberos authentication issue after
> >> upgrading from 4-14-stable to 4-15-stable
> >> 
> >> Hello Andrew,
> >> 
> >> > The big difference with 4.15 is likely to be that we disabled DES
> >> > encryption types recently, so if you followed an old guide that said to
> >> > force DES that would end badly.
> >> 
> >> [root@vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
> >> Vno  Type                                        Principal
> >>   1  ArcFour with HMAC/md5                       padl@ABISOFT.BIZ
> >> [root@vm-corp etc]#
> >> 
> >> There's no DES encryption as far as I see. Or am I looking in the
> >> wrong place?
> >> 
> >> -- 
> >> Best regards,
> >> Alex
> -- 
> Best regards,
> Alex
> 
> 
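
An added example (not part of the original message, and not Samba's own code): a shell function that reads a listing in the "Vno / Type / Principal" layout shown in the quoted `net ads keytab list` output and reports DES keys, which Andrew says were disabled in 4.15. It also reports principals that have no AES key at all, a check that goes beyond what the thread states. The sample listing, its principals and every type label other than "ArcFour with HMAC/md5" are constructed.

```shell
#!/bin/sh
# Audit a keytab listing for weak encryption types.
# Reads "Vno  Type  Principal" rows on stdin, e.g. from:
#   net ads keytab list | audit_keytab_listing
# Prints "DES <principal> kvno=<n>" for every DES key and
# "NO-AES <principal>" for every principal without an AES key.
# Exit status: 0 = nothing reported, 1 = at least one finding.
audit_keytab_listing() {
    awk '
        $1 !~ /^[0-9]+$/ { next }      # skip header, prompts, blank lines
        {
            princ = $NF; type = ""
            # the type label is everything between kvno and principal
            for (i = 2; i < NF; i++) type = type (i > 2 ? " " : "") $i
            t = tolower(type)
            if (!(princ in seen)) { seen[princ] = 1; order[++n] = princ }
            if (t ~ /aes/) aes[princ] = 1
            # single DES only; "des3-..." and "Triple DES ..." do not match
            if (t ~ /^des[ -]/) { print "DES " princ " kvno=" $1; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in aes)) { print "NO-AES " order[i]; bad = 1 }
            exit bad
        }
    '
}

# Constructed sample listing (hypothetical realm and principals).
sample_listing() {
    cat <<'EOF'
Vno  Type                                        Principal
  1  ArcFour with HMAC/md5                       svc-a@EXAMPLE.TEST
  2  DES cbc mode with CRC-32                    host/old.example.test@EXAMPLE.TEST
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC     host/old.example.test@EXAMPLE.TEST
  3  AES-128 CTS mode with 96-bit SHA-1 HMAC     HTTP/web.example.test@EXAMPLE.TEST
EOF
}

sample_listing | audit_keytab_listing || echo "weak or missing enctypes found" >&2
```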



