Web lists-archives.com

Re: [Samba] Generating keytab on a read-only file system




Hai Taner, 

> -----Oorspronkelijk bericht-----
> Van: Taner Tas [mailto:taner76@xxxxxxxxx] 
> Verzonden: donderdag 27 december 2018 12:30
> Aan: L.P.H. van Belle via samba
> CC: L.P.H. van Belle
> Onderwerp: Re: [Samba] Generating keytab on a read-only file system
> 
> 
> 
> 
> > First, I suggest read :
> > https://wiki.samba.org/index.php/Keytab_Extraction 
> 
> I did.
Great, sorry but we need to ask this. Most dont even know about the wiki. 
Good to see you do :-) 

> > Second, it his for
> > a member or AD-DC? Thats because of the location of the keytab and
> > the ad-dc creates its own keytab file. Thirth, are any 
> other services
> > going to use it? Last, root must be able to write the keytab file.
> > 
> They're members. The intent is to auto join clients without manual
> intervention by using a dedicated user's credentials. This user
> only granted for adding computers to the desired OU. Diskless clients
> will use same root fs over nfs. Hostnames will be generated 
> dynamically according to their MAC/IP.
> 
> > If you place the keytab in an other non-default location like : 
> > With :  dedicated keytab file = /tmp/krb5.keytab
> > 
> > Then dont forget the symlynk to /etc/krb5.keytab also. 
> > Most client programs look at the default location /etc/krb5.keytab. 
> >
> 
> As I mentioned in other message in thread, I figured it out 
> by creating
> a symbolic link pointing an empty krb5.keytab file which will 
> be created
> during boot at a writable location if it doesn't exist on first.
> 
> Create a symbolic link on root fs:
> /etc/krb5.keytab -> /var/lib/samba/krb5.keytab
> (/var/lib/samba folder is rw in this case)
> 
> During boot via custom initscrit:
> [ -f /var/lib/samba/krb5.keytab ] || touch /var/lib/samba/krb5.keytab
> 
> The empty file must be created before samba and sssd services 
> launched.

Hmm, i think its good that you read: 
https://www.freedesktop.org/software/systemd/man/systemd.exec.html 

Check  ProtectSystem= PrivateTmp=  ReadWritePaths=  
And basicly the sandboxing part.


> 
> Btw, I have to mention that the samba packages in your repo doesn't
> work with sssd packages on Stretch. Sssd quits with segfault. Due to
> this, I switched back to the official Debian builds (4.5.12) in order
> use sssd ad backend with samba. Probably sssd package suit must be
> re-compiled against samba packages on van-belle repo.

Yes, thats known, i've added a notice on the apt site, thank you for pointing that out (again).
Now, i've done a litlle check here and if you need sssd with my packages, you can use the following steps. 


# vanbelle repo. 
echo "deb http://apt.van-belle.nl/debian stretch-samba49 main contrib non-free" > /etc/apt/sources.list.d/van-belle.list

# Enable stretch-backports. 
echo "deb http://ftp.nl.debian.org/debian stretch-backports main contrib non-free" > /etc/apt/sources.list.d/stretch-backports.list

# Enable testing or SID sources. 
echo "deb http://ftp.nl.debian.org/debian testing main contrib non-free" > /etc/apt/sources.list.d/testing.list

# 
apt-get update
apt-get install -t stretch-backports debhelper lintian devscripts build-essential fakeroot dh-systemd libdistro-info-perl quilt -y
apt-get build-dep sssd -y
apt-get source sssd -by 

And wait, until your .deb's are ready. 

The most simple and quick rebuild of sssd. 
You need sssd 1.16 (this was 1.15.2) is minimal with the current samba versions as far i know. 

Greetz, 

Louis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba