Re: [Samba] Advantage of 'kerberos method = secrets and keytab' over 'kerberos method = system keytab'
- Date: Tue, 18 Dec 2018 10:35:43 +0100
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Advantage of 'kerberos method = secrets and keytab' over 'kerberos method = system keytab'
My question also, I'm not really clear on the "kerberos method" options.
In my opinion, I can't think of much that does not need the /etc/krb5.keytab file.
So I'm really pro always having the krb5.keytab file, because it makes life easier.
If you only use winbind auth, that might be an advantage of system (in-memory) keytab.
But I need some practical examples of the settings first, because I'm not 100% sure
what all the disadvantages and advantages are.
About the "login hiccup at 10 hour service ticket expiration problem":
You're 100% sure nothing in the network is causing this?
I've seen your problem on the list, I'll have another look at it.
You can try the following. If you are now using system keytab, set this and see if it works.
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
! Don't forget, you need to have krb5.keytab extracted from AD.
If you don't have any krb5.keytab file:
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
If you have one, what's in it?
But please do test this on a test server and not your production.
If you do test on production, make sure you have good backups of Samba.
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Peter Eriksson via samba
> Sent: Tuesday, 18 December 2018 10:05
> To: samba@xxxxxxxxxxxxxxx
> Subject: [Samba] Advantage of 'kerberos method = secrets
> and keytab' over 'kerberos method = system keytab'
> A question regarding the “kerberos method” configuration
> option in smb.conf:
> Are there any practical differences between using 'secrets
> and keytab' and 'system keytab'?
> I've been running Samba servers using both methods for a long
> time and both seem to work more or less fine, but since
> we're having this “login hiccup at 10 hour service ticket
> expiration problem” I'm trying to find out if this might be
> one thing that is causing our problems? (Our production
> servers where we see this problem are using 'system keytab').
> I've been trying to find some information if one gives some
> advantages over the other but so far have come up empty…
> Which one is the preferred setting?
> - Peter