Re: [Samba] Generating keytab on a read-only file system
- Date: Thu, 27 Dec 2018 11:40:38 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Generating keytab on a read-only file system
On Thu, 27 Dec 2018 14:29:59 +0300
Taner Tas via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > First, I suggest reading:
> > https://wiki.samba.org/index.php/Keytab_Extraction
> I did.
> > Second, is this for
> > a member or AD-DC? That's because of the location of the keytab and
> > the ad-dc creates its own keytab file. Third, are any other
> > services going to use it? Last, root must be able to write the
> > keytab file.
> They're members. The intent is to auto join clients without manual
> intervention by using a dedicated user's credentials. This user
> is only granted for adding computers to the desired OU. Diskless clients
> will use the same root fs over nfs. Hostnames will be generated
> dynamically according to their MAC/IP.
> > If you place the keytab in another non-default location like:
> > With: dedicated keytab file = /tmp/krb5.keytab
> > Then don't forget the symlink to /etc/krb5.keytab also.
> > Most client programs look at the default location /etc/krb5.keytab.
> As I mentioned in another message in the thread, I figured it out by
> creating a symbolic link pointing to an empty krb5.keytab file which
> will be created during boot at a writable location if it doesn't
> exist at first.
> Create a symbolic link on root fs:
> /etc/krb5.keytab -> /var/lib/samba/krb5.keytab
> (/var/lib/samba folder is rw in this case)
> During boot via custom initscript:
> [ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab
> The empty file must be created before samba and sssd services
> Btw, I have to mention that the samba packages in your repo don't
> work with sssd packages on Stretch. Sssd quits with segfault. Due to
> this, I switched back to the official Debian builds (4.5.12) in order
> to use the sssd ad backend with samba. Probably the sssd package suite must be
> re-compiled against samba packages on van-belle repo.
> Taner Tas
Why do you feel you need sssd ?
Winbind will mostly do everything on a Unix domain member that sssd
does and what it doesn't do, there are other ways of doing them.
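
The boot-time step from the quoted post, as an added example that is not part of the thread: a plain `touch` under the usual umask of 022 leaves the placeholder at mode 0644, and the keytab will hold the machine account's long-term keys, so this version creates it 0600 and refuses a symlink at the writable path. The function name `ensure_keytab` is hypothetical; the paths are the ones given in the post.

```shell
#!/bin/sh
# Added example, not code from the thread.
# ensure_keytab KEYTAB LINK  (hypothetical helper name)
#   KEYTAB: placeholder in the writable location, e.g. /var/lib/samba/krb5.keytab
#   LINK:   symlink on the read-only root, e.g. /etc/krb5.keytab
# Returns 0 when KEYTAB is a regular 0600 file and LINK points at it.
ensure_keytab() {
    kt=$1
    link=$2

    # A symlink at the writable path could redirect the keys written at
    # join time to some other file, so refuse it (dangling ones included).
    if [ -L "$kt" ]; then
        echo "ensure_keytab: $kt is a symlink, refusing" >&2
        return 1
    fi
    if [ -e "$kt" ] && [ ! -f "$kt" ]; then
        echo "ensure_keytab: $kt is not a regular file" >&2
        return 1
    fi

    if [ ! -e "$kt" ]; then
        # umask 077 gives mode 0600 from the first instant; noclobber
        # (set -C) makes the shell fail instead of reusing a file that
        # appeared in between.
        ( umask 077; set -C; : > "$kt" ) || return 1
    fi

    # Tighten placeholders left by earlier boots that used plain touch.
    # Existing contents (an already joined host) are not modified.
    chmod 600 "$kt" || return 1

    # The link lives on the read-only root, so it can only be verified.
    if [ "$(readlink "$link")" != "$kt" ]; then
        echo "ensure_keytab: $link does not point to $kt" >&2
        return 1
    fi
    return 0
}

# In the initscript, before the samba and sssd services:
#   ensure_keytab /var/lib/samba/krb5.keytab /etc/krb5.keytab || exit 1
```

Because the diskless clients share one root fs, the writable directory has to be per-host storage; otherwise every client would read and overwrite the same machine keys.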