
[Samba] Fwd: Re: Samba4 and sssd, keytab file expires?


Alessandro Briosi

Dec 31, 2014, 4:05:54 AM

>> Even if I restart the service things don't change. The only solution I
>> have found so far is regenerating the keytab file.
>> It seems that the kerberos principal expires. Is this normal?
>> Funny thing is that on the 1st dc I am using sssd too and ssh logins
>> work as expected (no need to change the keytab file).
>>
>> Anyone seen this before?

> Which principal expires?
>
> That tickets expire is built into Kerberos. I'm using nslcd and require
> k5start to refresh the principal. Could it be that you're running
> something like that on your 1st DC?

> Regards,
> - lars.

That's what I was asking, is it really expiring?
Should the principal be refreshed, or is there a way to make it not
expire?

I have followed the wiki [1], but there's no mention about principal
expiration.

Also the first DC (CentOS 6) is using sssd and its principal seems to
be working fine, no expiration.

Thanks,
Alessandro


[1]
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd

Alessandro Briosi

Dec 31, 2014, 4:06:26 AM
>> Hi, how have you setup the fileserver ?
>> Is it joined to the domain ?
>> Can you post your fileservers smb.conf

>> Rowland

OT: Oops, wasn't subscribed to the mailing list :)

Yes, server is joined to the domain (otherwise I would not be able to
generate the principal)

The server configuration follows (global part only); the winbind config is
there because it was used before sssd (I had trouble with library paths
on CentOS 7 and sssd).

[global]
workgroup = DOMAIN
realm = AD.DOMAIN.NET
security = ads
idmap config * : range = 16777216-33554431
template shell = /sbin/nologin
kerberos method = secrets only
netbios name = srvfile1
netbios aliases = srvfile
reset on zero vc = yes

server string =
encrypt passwords = yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config DOMAIN:backend = ad
idamp config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 0-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = false

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
create mask = 0770

Rowland Penny

Dec 31, 2014, 4:57:23 AM
OK, you can get winbind to update your keytab, you need to alter your
smb.conf slightly. You need to change 'kerberos method = secrets only'
to either 'kerberos method = secrets and keytab' or 'kerberos method =
system keytab' and add the line

'dedicated keytab file = /etc/krb5.keytab'.

You also have a line twice, 'idmap config * : range = 16777216-33554431'
and 'idmap config *:range = 10000-20000', you really shouldn't start the
'DOMAIN' range with '0', it also overlaps with the second 'idmap config
*:range'.

Remember to restart samba after making the changes.

Rowland

Rowland Penny

Dec 31, 2014, 7:28:59 AM
OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to smb.conf

Dr. Lars Hanke

Dec 31, 2014, 10:31:41 AM
>> OK, you can get winbind to update your keytab, you need to alter your
>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>> system keytab' and add the line
>>
>> 'dedicated keytab file = /etc/krb5.keytab'.
>
> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to smb.conf

Alessandro said to use sssd in the original post. Didn't use that so
far, but I don't have any evidence that it would read winbind settings
from smb.conf.

Regards,
- lars.

Alessandro Briosi

Dec 31, 2014, 10:48:45 AM
On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>> OK, you can get winbind to update your keytab, you need to alter your
>>> smb.conf slightly. You need to change 'kerberos method = secrets
>>> only'
>>> to either 'kerberos method = secrets and keytab' or 'kerberos method
>>> =
>>> system keytab' and add the line
>>>
>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>
>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>> smb.conf
>
> Alessandro said to use sssd in the original post. Didn't use that so
> far, but I don't have any evidence that it would read winbind settings
> from smb.conf.
>
> Regards,
> - lars.

Exactly, winbind is not used. It was used as a start, but I would prefer
to use sssd.

What I'm not sure about is why the kerberos keytab file expires. This does not
happen on the DC, but only on this member server.

I might schedule a script to update the keytab file, though I'm not sure
that's the expected behaviour.

Ciao,
Alessandro

Rowland Penny

Dec 31, 2014, 12:24:51 PM
On 31/12/14 15:48, Alessandro Briosi wrote:
> On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>> system keytab' and add the line
>>>>
>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>
>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>> smb.conf
>>
>> Alessandro said to use sssd in the original post. Didn't use that so
>> far, but I don't have any evidence that it would read winbind settings
>> from smb.conf.
>>
>> Regards,
>> - lars.
>
> Exactly, winbind is not used. It was used as a start, but would prefer
> to use sssd.
>
> What I'm not sure is why the kerberos keytab file expires. This does
> not happen on the DC, but only on this member server.
>
> I might schedule a script to update the keytab file, though I'm not
> sure that's the expected behaviour.
>
> Ciao,
> Alessandro

It expires because it was not created on the member server. Having said
that, sssd should be able to update the keytab; I would suggest that
sssd is not set up correctly and, as such, I think that you need to take
this problem to the sssd mailing list.

If you decide to use winbind, which I can assure you will work, this can
be set up to do what you need; see my previous posts.

Rowland

Alessandro Briosi

Jan 1, 2015, 5:23:44 AM
On 2014-12-31 18:24 Rowland Penny wrote:
>
> It expires because it was not created on the member server, having
> said that, sssd should be able to update the keytab, I would suggest
> that sssd is not setup correctly and as such, I think that you need to
> take this problem to the sssd mailing list.
>
> If you decide to use winbind, which I can assure you will work, this
> can be set up to do what you need, see my previous posts
>
> Rowland

Ok, thanks for the clarification.
Winbind works, it was working before (and there's no need for the keytab
as it's a member server, imho).

I'll try generating the keytab on the member server.

Regards,
Alessandro

Rowland Penny

Jan 1, 2015, 5:39:43 AM
On 01/01/15 10:22, Alessandro Briosi wrote:
> On 2014-12-31 18:24 Rowland Penny wrote:
>>
>> It expires because it was not created on the member server, having
>> said that, sssd should be able to update the keytab, I would suggest
>> that sssd is not setup correctly and as such, I think that you need to
>> take this problem to the sssd mailing list.
>>
>> If you decide to use winbind, which I can assure you will work, this
>> can be set up to do what you need, see my previous posts
>>
>> Rowland
>
> Ok, thanks for the clarification.
> Winbind works, it was working before (and there's no need for the
> keytab as it's a member server, imho).
>
> I'll try generating the keytab on the member server.
>
> Regards,
> Alessandro

Hi, if you have these two lines in smb.conf:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

remove /etc/krb5.keytab (if it exists), leave the domain, then re-join
the domain; the keytab should be created for you (well, it always has
been for me).

If you also have: 'winbind refresh tickets = Yes' in smb.conf, then
winbind will keep the keytab updated.

Rowland
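As an added check (not code from the thread, from Samba or from sssd), a small Python linter for the [global] section that covers both points Rowland raises in this thread: the three settings he lists for winbind to create and refresh the keytab, and the duplicated or overlapping 'idmap config' ranges he pointed out earlier. The sample configuration is constructed to resemble the posted one, and the function names and KEYTAB_REQUIRED table are assumptions of this example.

```python
import re
# Constructed sample shaped like the [global] section posted earlier in the
# thread (not a real server's smb.conf); the duplicated '*' range is kept.
SAMPLE_SMB_CONF = """\
[global]
   idmap config * : range = 16777216-33554431
   kerberos method = secrets only
   idmap config *:range = 10000-20000
   idmap config DOMAIN:range = 0-40000
"""
# Settings Rowland lists so that winbind creates and refreshes the keytab.
KEYTAB_REQUIRED = {"dedicated keytab file": None,  # any path
                   "kerberos method": {"secrets and keytab", "system keytab"},
                   "winbind refresh tickets": {"yes", "true"}}
def parse_global(text):
    """(key, value) pairs from [global]; keys lowercased, blanks collapsed and
    ':' tightened so 'idmap config * : range' equals 'idmap config *:range'."""
    pairs, in_global = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            pairs.append((key, value.strip()))
    return pairs
def check_keytab_settings(pairs):
    """Each required setting that is missing or has a non-refreshing value."""
    conf, problems = dict(pairs), []  # a repeated key keeps its last value
    for key, allowed in KEYTAB_REQUIRED.items():
        value = conf.get(key)
        if value is None:
            problems.append(f"missing '{key}'")
        elif allowed and value.lower() not in allowed:
            problems.append(f"'{key} = {value}' is not one of {sorted(allowed)}")
    return problems
def check_idmap_ranges(pairs):
    """A range key set twice, a range starting at 0, and overlapping ranges."""
    seen, problems = {}, []
    for key, value in pairs:
        if key.startswith("idmap config ") and key.endswith(":range"):
            lo, hi = (int(x) for x in value.split("-"))
            if key in seen:
                problems.append(f"'{key}' set twice")
            if lo == 0:
                problems.append(f"'{key}' starts at 0")
            problems += [f"'{key}' overlaps '{o}'" for o, (olo, ohi) in seen.items()
                         if o != key and lo <= ohi and olo <= hi]
            seen[key] = (lo, hi)
    return problems
```

Run it against the output of `testparm -s` on the member server to see the settings Samba actually loaded rather than the file as written.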

Dr. Lars Hanke

Jan 3, 2015, 1:10:47 PM
On 31.12.2014 at 16:48 Alessandro Briosi wrote:
> On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>> system keytab' and add the line
>>>>
>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>
>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>> smb.conf
>>
>> Alessandro said to use sssd in the original post. Didn't use that so
>> far, but I don't have any evidence that it would read winbind settings
>> from smb.conf.
>>
>> Regards,
>> - lars.
>
> Exactly, winbind is not used. It was used as a start, but would prefer
> to use sssd.
>
> What I'm not sure is why the kerberos keytab file expires. This does not
> happen on the DC, but only on this member server.
>
> I might schedule a script to update the keytab file, though I'm not sure
> that's the expected behaviour.

Have a look at k5start. This is a daemon, which is made exactly for this
purpose. Maybe it is even installed on the DC due to different package
dependencies of the distro.

Regards,
- lars.

Peter Serbe

Jan 15, 2015, 5:49:08 AM
Hi Rowland,

this posting ended a lot of grief I had with expired keytabs.
While this is presumably an issue of sssd, I have no chance to
attack the issue right at its root*). But rejoining the domain
with the lines

dedicated keytab file = /etc/krb5.memberserver.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes

seems to fix it. Phew...

Maybe you or someone else could put this information in the
samba wiki. I posted my problem on the mailing list in mid
December, but didn't get a single response. But here is the
solution...

So: Thank you again!

Best regards
Peter


*) I am on Debian Jessie using Jessie's sssd 1.11.7-2.
This version of sssd is pretty old, but, well, this is
Debian. Compiling sssd on Debian is next to impossible.
At least for me: no luck.



Rowland Penny wrote on 31.12.2014 18:24:

> On 31/12/14 15:48, Alessandro Briosi wrote:
>> On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>>>> OK, you can get winbind to update your keytab, you need to alter your
>>>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>>>> system keytab' and add the line
>>>>>
>>>>> 'dedicated keytab file = /etc/krb5.keytab'.
>>>>
>>>> OOPS, I forgot a line, also add 'winbind refresh tickets = Yes' to
>>>> smb.conf
>>>
>>> Alessandro said to use sssd in the original post. Didn't use that so
>>> far, but I don't have any evidence that it would read winbind settings
>>> from smb.conf.
>>>
>>> Regards,
>>> - lars.
>>
>> Exactly, winbind is not used. It was used as a start, but would prefer
>> to use sssd.
>>
>> What I'm not sure is why the kerberos keytab file expires. This does
>> not happen on the DC, but only on this member server.
>>
>> I might schedule a script to update the keytab file, though I'm not
>> sure that's the expected behaviour.
>>
>> Ciao,
>> Alessandro
>
> It expires because it was not created on the member server, having said
> that, sssd should be able to update the keytab, I would suggest that
> sssd is not setup correctly and as such, I think that you need to take
> this problem to the sssd mailing list.
>
> If you decide to use winbind, which I can assure you will work, this can
> be set up to do what you need, see my previous posts
>
> Rowland

Rowland Penny

Jan 15, 2015, 6:14:52 AM
I have updated the member server page on the wiki as per Peter's advice.