
Re: [Samba] DRS stopped working after upgrade from debian Jessie to Stretch

On Tue, 2017-06-20 at 10:35 +0200, L.P.H. van Belle via samba wrote:
> Hai, 
> 
> Just saying samba does not use /etc/krb5.keytab is not totally correct. 

As an AD DC, we don't use it.

> A lot of setups use the setting : dedicated keytab file = /etc/krb5.keytab 
> Because systemd defaults point to /etc/krb5.keytab. 

Sure, but that is not used by the AD DC. 

> From his logs: 
> Failed to find
> FICHDC$@NET.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5) 
> 
> And from his command (klist -k : Keytab name: FILE:/etc/krb5.keytab  ) the above server is found.
> Only the HOST/SPN entry is missing. 
> 
> This looks like that:
> dedicated keytab file = /etc/krb5.keytab  
> was in smb.conf but is gone now, or a symlink is replaced by a keytab file in /etc.
> I suspect the last one, due to the upgrade. 

I'm not disputing that the OP may have copied the keytab.  It still
won't change what path the Samba AD DC will use. 

> In this case, export the SPNs again and check if host/spn and NETBIOSNAME$@SPN exist. 
> Use ktutil to import all entries from both keytab files and export the one you need back.

That won't change Samba to use /etc/krb5.keytab as an AD DC, nor should
it.  It might impact if NFS is in operation, but that is a secondary
task at this point. 

I'm being so blunt because:
 - Samba is internally inconsistent on this point
and
 - Samba folklore spreads like wildfire

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
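The check the reply is really asking for is "is this principal, at this kvno, with this enctype, in *this* file?", run separately against /etc/krb5.keytab and /var/lib/samba/private/secrets.keytab, because an entry that only lives in the former does nothing for an AD DC that opens the latter. Below is an added example that does exactly that lookup by parsing the keytab file format directly (MIT/Heimdal version 0x0502, as laid out in the MIT krb5 sources). It is not Samba code and not something either poster wrote; the realm EXAMPLE.COM, the account DC1$ and both in-memory keytabs are constructed to illustrate the failure mode, not taken from the OP's system.

```python
"""Reader/writer for the Kerberos keytab file format (MIT/Heimdal version 0x0502). Added
example, not Samba code; realm EXAMPLE.COM, account DC1$ and the keytabs below are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}  # RFC 3961 / RFC 4757 enctype numbers
ENCTYPE_BY_NAME = {v: k for k, v in ENCTYPE_NAMES.items()}

@dataclass
class KeytabEntry:
    principal: str      # e.g. "host/dc1.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0

    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")

def _counted(b: bytes) -> bytes:          # keytab "counted string": uint16 BE length + bytes
    return struct.pack(">H", len(b)) + b

def _read_counted(data: bytes, p: int):
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries the way `ktutil wkt` / krb5_kt_add_entry writes them."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, _, realm = e.principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))          # v2: count excludes the realm
        body += _counted(realm.encode()) + b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)             # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a v2 keytab; a negative slot size marks a deleted entry and is skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError(f"not a version-2 keytab (magic {data[:2]!r})")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # hole left by `ktutil delent`
            pos -= size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _read_counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(data, p)
            comps.append(c.decode())
        _ntype, ts, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13
        key, p = data[p:p + klen], p + klen
        kvno = vno8
        if end - p >= 4:                              # optional 32-bit kvno, used if non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key, ts))
        pos = end
    return entries

def find_key(entries: List[KeytabEntry], principal: str, kvno: int,
             enctype_name: str) -> Optional[KeytabEntry]:
    """The acceptor's lookup: principal, kvno AND enctype must all match."""
    et = ENCTYPE_BY_NAME[enctype_name]
    return next((e for e in entries
                 if e.principal == principal and e.kvno == kvno and e.enctype == et), None)

# Constructed sample: the kvno-2 machine-account key was merged into the file under
# /etc, while the file the AD DC actually opens still only holds kvno 1.
REALM = "EXAMPLE.COM"
DC_ACCOUNT = f"DC1$@{REALM}"
ETC_KRB5_KEYTAB = build_keytab([
    KeytabEntry(f"host/dc1.example.com@{REALM}", 2, 23, bytes(16)),
    KeytabEntry(DC_ACCOUNT, 2, 23, bytes.fromhex("00112233445566778899aabbccddeeff")),
])
SECRETS_KEYTAB = build_keytab([KeytabEntry(DC_ACCOUNT, 1, 23, bytes(16))])

def present_only_in_etc(principal: str = DC_ACCOUNT, kvno: int = 2,
                        enctype: str = "arcfour-hmac-md5") -> bool:
    """True when the entry is in the /etc copy but missing from the AD DC's keytab."""
    in_etc = find_key(parse_keytab(ETC_KRB5_KEYTAB), principal, kvno, enctype)
    in_dc = find_key(parse_keytab(SECRETS_KEYTAB), principal, kvno, enctype)
    return in_etc is not None and in_dc is None
```

Against real files, `parse_keytab(open(path, "rb").read())` gives the same view as MIT's `klist -ket FILE:<path>`; the point is to run it on both paths and compare, since a matching entry in the /etc file is exactly what the log line says the DC could not find in secrets.keytab. Merging the two files with ktutil, as suggested in the quoted advice, changes what /etc/krb5.keytab holds, not which file the AD DC reads.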

