From: Anton on

Should the system keytab need to be world readable to be able to
authenticate via winbind as a remote kerberos user?

I don't seem to remember this being required in Samba 3.3 or earlier
(but I could be wrong about that). And I didn't think it was a
recommended configuration.

Is this likely to be distro specific?

Background info:

I've recently had problems logging into an Active Directory domain
(SBS 2003 with SFU 3.5 schema extensions) on a new Ubuntu 10.04 which
uses winbind 3.4.7.

I successfully joined the domain, and created a keytab using the
following commands:

net ads join -U domainadministrator createupn
net ads testjoin
net ads keytab create -U domainadministrator

I added winbind to nssswitch.conf and ran pam-auth-update to use the
winbind profile to configure /etc/pam.d/common*. pam_winbind had the
krb5_auth and krb5_ccache_type=FILE options set (by pam-auth-update).

With sudo and a dummy local account I could successfully kinit with
both my domain user principle and the system keytab service principals
and the computers UPN.

I could successfully run wbinfo -u and wbinfo -g and well as getent
passwd and getent group.

The first sign of trouble was that I needed sudo to successfully run
wbinfo -K to authenticate my domain account

I could not log in with pam_winbind either.

It turned out that my domain user account needed read access to the
system keytab (/etc/krb5.keytab). By default the system keytab was
owned by root:root and had 0600 permissions - which I seem to recall
is the recommended permissions for that file, and I vaguely remember
working in earlier Samba versions.

Once the keytab was world readable, domain accounts could successfully log in.

/etc/samba/smb.conf (if relevant)

workgroup = EXAMPLE
preferred master = no
security = ADS

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind nss info = sfu
winbind offline logon = true
winbind refresh tickets = true

idmap backend = tdb
idmap uid = 50000 - 50999
idmap gid = 50000 - 50999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:readonly = yes
idmap config EXAMPLE:default = yes
idmap config EXAMPLE:schema_mode = sfu
idmap config EXAMPLE:range = 10000 - 19999

template shell = /bin/bash
template homedir = /home/%U
kerberos method = system keytab

Thanks for any insight :)

To unsubscribe from this list go to the following URL and read the