[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
L.P.H. van Belle
belle at bazuin.nl
Thu Jan 27 13:29:52 UTC 2022
> -----Original message-----
> From: Alex [mailto:samba at abisoft.biz]
> Sent: Thursday 27 January 2022 13:02
> To: L.P.H. van Belle via samba; L.P.H. van Belle
> Subject: Re: [Samba] Kerberos authentication issue after
> upgrading from 4-14-stable to 4-15-stable
> Hello Louis,
> Samba is already handling the system's keytab
> Any ideas why?
No, sorry, that's one I don't know, except that k5start might look in a different place which does not exist.
> The reason to use k5start is b/c some progs can't work with
> keytab file directly. For example, nslcd.
Aha.. But wait, if samba is already handling it.
Why not this way..
(example for kerberos auth in squid )
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads_update keytab ADD HTTP/$(hostname -f)
chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab
Adjust it to your needs for nslcd, but it shows how to do it.
I think what will work also.
> > I'm wondering why you don't use winbind for the keytabs setup and let samba handle it.
> > That's what I suggest.
> > Install winbind only.
> > Use :
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > # renew the kerberos ticket
> > winbind refresh tickets = yes
> > Add the use that keytab or make separated keytab file as you do now.
> > You might have a reason to use k5start but I haven't seen it so far.
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> >> Sent: Thursday 27 January 2022 9:12
> >> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
> >> Subject: Re: [Samba] Kerberos authentication issue after
> >> upgrading from 4-14-stable to 4-15-stable
> >> Hello Andrew,
> >> > The big difference with 4.15 is likely to be that we disabled DES
> >> > encryption types recently, so if you followed an old guide that said to
> >> > force DES that would end badly.
> >> [root at vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
> >> Vno Type Principal
> >> 1 ArcFour with HMAC/md5 padl at ABISOFT.BIZ
> >> [root at vm-corp etc]#
> >> There's no DES encryption as far as I see. Or I look at the
> >> wrong place?
> >> --
> >> Best regards,
> >> Alex
> Best regards,
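
Added example, not part of the original thread: a small shell check for the question raised above (does a keytab still carry DES keys?), reading text in the layout that `net ads keytab list` prints. The function names and both sample listings are constructed for illustration; the DES and AES type descriptions are assumed to follow the same naming style as the "ArcFour with HMAC/md5" line quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify keytab entries by enctype.
# Input : text laid out like `net ads keytab list` output (Vno, Type, Principal).
# Output: one line per entry, "<CLASS> <kvno> <principal>",
#         where CLASS is DES, RC4, AES or OTHER.
classify_keytab_listing() {
    awk '
        $1 !~ /^[0-9]+$/ { next }        # skip header, shell prompts, blank lines
        {
            kvno = $1; princ = $NF
            # The Type column is every field between Vno and Principal.
            type = $2
            for (i = 3; i < NF; i++) type = type " " $i
            t = tolower(type)
            if      (t ~ /^des[- ]cbc/) class = "DES"   # single DES, the type disabled in 4.15
            else if (t ~ /arcfour|rc4/) class = "RC4"
            else if (t ~ /^aes/)        class = "AES"
            else                        class = "OTHER"
            print class, kvno, princ
        }'
}

# Exit status 0 when at least one entry uses single DES, non-zero otherwise.
keytab_has_des() {
    classify_keytab_listing | grep -q '^DES '
}

# Constructed sample listings; principals and realm are placeholders.
SAMPLE_RC4_ONLY='Vno  Type                   Principal
  1  ArcFour with HMAC/md5  svc@EXAMPLE.COM'

SAMPLE_MIXED='Vno  Type                                     Principal
  2  DES cbc mode with CRC-32                 host/fs1.example.com@EXAMPLE.COM
  2  ArcFour with HMAC/md5                    host/fs1.example.com@EXAMPLE.COM
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC  host/fs1.example.com@EXAMPLE.COM'

# Demo: classify the mixed listing.
printf '%s\n' "$SAMPLE_MIXED" | classify_keytab_listing
```

On a real host the listing would be piped in directly, for example `net ads keytab list /path/to/file.keytab | classify_keytab_listing`; a keytab that reports only RC4 or AES entries, like the one in the thread, has no DES keys in it.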