Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member




Hi guys,

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Rowland Penny via samba
> Sent: Monday 17 December 2018 16:08
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED Domain member
> 
> On Mon, 17 Dec 2018 15:38:02 +0100
> "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > Hm,
> > 
> > Good question Marco, now after re-reading it, I understand what you're
> > trying to say. This is how I read and understood it.
> > 
> > dedicated keytab file (G)
> >    Specifies the absolute path to the kerberos keytab file when
> > `kerberos method` is set to "dedicated keytab". When the kerberos
> > method is in "dedicated keytab" mode, dedicated keytab file must be
> > set to specify the location of the keytab file.
> > 
> > So your options are
> > 	kerberos method = secret only	( the default.)
> >           so no changes in smb.conf by default.
> >       kerberos method = system keytab
> >         assumes the system default ( /etc/krb5.keytab )
> 
> Sorry, but no it doesn't ;-), the 'system keytab' is by default in memory.

Ok, but then, with the setting, `kerberos method = secrets and keytab` it's only more confusing. 

A small recap.
secrets only - use only the secrets.tdb for ticket verification (default)
- it is clear how it's used.

system keytab - use only the system keytab for ticket verification	
- this description here might be better off with something like this. 
system keytab - use only the system (in memory) keytab for ticket verification.

dedicated keytab - use a dedicated keytab for ticket verification (preferred the OS default)
	- ( for debian/ubuntu /etc/krb5.keytab )

secrets and keytab - use the secrets.tdb first, then the system (in memory) keytab 
But now I can't explain the mix of `dedicated keytab` and `secrets and keytab` anymore.

Here: secrets and keytab
Keytab points to in-memory and/or file keytab?? At least that's how I thought it worked.

> 
> > kerberos method = dedicated keytab
> >   can be : AnyPath/to/keytabfile.
> > kerberos method = secrets and keytab - use the secrets.tdb first,
> > then the system keytab
> > 
> > I think we should define "system keytab" a bit better in smb.conf.
> 
> You are probably right Louis, want to make this your first patch as a
> Samba team member ?
Well, that's maybe a bit too early.. ;-) I need to learn more about GitLab first.
And if it happens, you'll be the first to review my typos. :-))

>   
> > 
> > So yeah, you might say, `kerberos method = secrets and keytab` should work fine without the setting :
> 
> Yes it will, but anything else that needs an actual keytab won't.

In this line "method = secrets and keytab"
The word `keytab` refers to? Memory keytab or file, or both.

Because it looks like only memory, but it does use the /etc/krb5.keytab also.
So this is not correctly defined.. and since I'm not sure anymore how it uses the combination of the settings,
I need to understand the combination better before I can describe it.
Following that part of the code is too hard for me.

> 
> 
> > dedicated keytab file If that's not
> > the case then we need 2 of these : kerberos method = secrets and
> > keytab kerberos method = secrets and system-keytab kerberos method =
> > secrets and dedicate-keytab
> > 
> > What I think, but I can't see it in the code, maybe Rowland can tell
> > this.
> 
> Just did ;-)

Thanks, most helpful for me at least. ;-)
>  
> Rowland
> 


Louis
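
The rule from the smb.conf text quoted in this thread (`kerberos method = dedicated keytab` requires `dedicated keytab file` to be set to an absolute path) can be checked mechanically. The following is an added example, not part of the original message and not Samba's own code; the function names, the acceptance of `default` as a value, and the file-permission check are assumptions that do not come from the thread.

```python
import os
import stat

# The four values named in the thread; "default" is Samba's alias for
# "secrets only" (assumption, not stated in the thread).
VALID_METHODS = {"default", "secrets only", "system keytab",
                 "dedicated keytab", "secrets and keytab"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names ignore case and whitespace.
            params["".join(key.split()).lower()] = value.strip()
    return params

def check_kerberos_keytab(text):
    """Return findings for the kerberos method / dedicated keytab file pair."""
    p = parse_global(text)
    method = " ".join(p.get("kerberosmethod", "secrets only").lower().split())
    keytab = p.get("dedicatedkeytabfile", "")
    if method not in VALID_METHODS:
        return ["unknown kerberos method: %r" % method]
    findings = []
    if method == "dedicated keytab":
        if not keytab:
            findings.append("dedicated keytab file is not set")
        elif not os.path.isabs(keytab):
            findings.append("dedicated keytab file is not an absolute path")
    # A keytab holds long-term keys: flag any group/other access bits.
    if os.path.isabs(keytab) and os.path.isfile(keytab):
        mode = stat.S_IMODE(os.stat(keytab).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("keytab mode %o allows group/other access" % mode)
    return findings
```

Pass the contents of the smb.conf to `check_kerberos_keytab()`; an empty list means none of these checks fired.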

