Hi List,
Just trying to make sssd work in a diskless environment. As such, I need to create the Kerberos keytab in a non-standard location. krb5.conf:
[libdefaults]
default_keytab_name = /var/lib/sss/krb5.keytab
But when I try to join the domain via "net -d 10 ads join", I get this:
....
smb_krb5_open_keytab: krb5_kt_default_name returned FILE:/etc/krb5.keytab
smb_krb5_open_keytab: resolving: WRFILE:/etc/krb5.keytab
....
Looks like samba successfully ignores the default_keytab_name parameter?
Does anyone know what could be wrong? Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Thu, 30 Apr 2015, Ondrej Valousek wrote:
Just trying to make sssd working in the diskless environment. As such, I need to create Kerberos keytab on non-standard location:
Have you considered just using tmpfs to have it in the standard location? That's the standard stateless Linux diskless way of doing things, and it has always worked out ok for me.
jh
Yes, I am using it heavily, but not for /etc. I need /etc to stay read-only so that it can be shared by multiple compute nodes.
Ondrej
On Thu, 30 Apr 2015, Ondrej Valousek wrote:
Yes, I am using it heavily, but not for /etc. I need /etc to stay read-only so that it can be shared by multiple compute nodes.
You can effectively do it for single files. On CentOS, look at rc.sysinit and the "mount_files" function.
You'll note /etc/rwtab lists things like /etc/resolv.conf, so you don't have to hit all of /etc.
jh
I know. The thing is that krb5.keytab can't go in rwtab; it would have to go in statetab (I need this file to survive a reboot). Unfortunately, statetab does not seem to handle single files correctly... :(
Ondrej
On 30/04/15 10:58, Ondrej Valousek wrote:
I know. The thing is that krb5.keytab can't go in rwtab; it would have to go in statetab (I need this file to survive a reboot). Unfortunately, statetab does not seem to handle single files correctly... :(
Hi, are you using Samba? If so, you could try investigating 'dedicated keytab'.
Rowland
On Thu, Apr 30, 2015 at 09:35:33AM +0000, Ondrej Valousek wrote:
But when I try to join the domain via "net -d 10 ads join", I get this:
....
smb_krb5_open_keytab: krb5_kt_default_name returned FILE:/etc/krb5.keytab
smb_krb5_open_keytab: resolving: WRFILE:/etc/krb5.keytab
....
Looks like samba successfully ignores the default_keytab_name parameter?
Please have a look at man smb.conf and look for 'dedicated keytab file' and 'kerberos method'. If you do not have an smb.conf in your setup, you can give the options directly to the net command with the --option option (many different kinds of options :-)
HTH
bye, Sumit
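The join that Sumit and Rowland describe, written out as an added example (this is not code from the thread, from Samba or from SSSD): both smb.conf parameters are passed to net on the command line, the resulting keytab is checked for permissions and for the expected host principal, and the matching sssd.conf stanza is printed. The host name node1.example.com, the realm EXAMPLE.COM, the join account Administrator and the RUN_JOIN switch are assumptions; MIT Kerberos klist/kinit output is assumed for the parser.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba/SSSD: join AD with
# "net ads join" while keeping the machine keytab outside the read-only /etc,
# then check the result. Assumes Samba's net (popt --option support), MIT
# Kerberos klist/kinit, and the hypothetical host node1.example.com in realm
# EXAMPLE.COM joined as "Administrator"; change those to match your site.

KEYTAB="${KEYTAB:-/var/lib/sss/krb5.keytab}"   # path from the thread
REALM="${REALM:-EXAMPLE.COM}"                   # assumed realm
HOST_FQDN="${HOST_FQDN:-node1.example.com}"     # assumed node name
JOIN_USER="${JOIN_USER:-Administrator}"         # assumed join account

# Join the domain with both smb.conf parameters supplied on the command line
# (--option=name=value), so the node needs no writable smb.conf either.
# With "kerberos method = dedicated keytab" net writes the host keys to the
# file named by "dedicated keytab file" instead of the libkrb5 default.
join_with_dedicated_keytab() {
    net ads join -U "$JOIN_USER" \
        --option="kerberos method=dedicated keytab" \
        --option="dedicated keytab file=$1"
}

# Matching sssd.conf fragment: SSSD does not read smb.conf, so it must be told
# about the same file explicitly.
print_sssd_stanza() {
    cat <<EOF
[domain/$REALM]
id_provider = ad
krb5_keytab = $1
EOF
}

# Extract principals from MIT "klist -kt" output: data rows start with a
# numeric KVNO and the principal is the last field (works with or without -t).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }'
}

# Return 0 if the principal ($2) is listed in klist output ($1), else 1.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF -- "$2"
}

# Return 0 if the file has no group/other permission bits (mode 0600 or
# stricter): a keytab is a long-lived credential and must not be readable by
# anyone but its owner. Parsed from "ls -ld" so it works on any POSIX system.
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Live verification after the join: permissions, expected host principal,
# and a real AS-REQ with the key to prove it matches the KDC's copy.
verify_keytab() {
    keytab_mode_ok "$1" || { echo "keytab $1 is readable by group/other" >&2; return 1; }
    keytab_has_principal "$(klist -kt "$1")" "host/$HOST_FQDN@$REALM" \
        || { echo "host/$HOST_FQDN@$REALM missing from $1" >&2; return 1; }
    kinit -k -t "$1" "host/$HOST_FQDN@$REALM" && kdestroy
}

# Constructed sample of "klist -kt" output for exercising the parser offline.
SAMPLE_KLIST='Keytab name: FILE:/var/lib/sss/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/30/2015 11:30:12 host/node1.example.com@EXAMPLE.COM
   2 04/30/2015 11:30:12 host/NODE1@EXAMPLE.COM
   2 04/30/2015 11:30:12 NODE1$@EXAMPLE.COM'

# Only touch the domain when explicitly asked, so the file is safe to source.
if [ "${RUN_JOIN:-0}" = 1 ]; then
    join_with_dedicated_keytab "$KEYTAB" && verify_keytab "$KEYTAB"
    print_sssd_stanza "$KEYTAB"
fi
```

Run it as RUN_JOIN=1 sh join.sh on the node; the kinit step at the end of verify_keytab is what actually proves the keys in /var/lib/sss/krb5.keytab match the computer account in AD, which klist alone cannot tell you.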
On Thu, 30 Apr 2015, Ondrej Valousek wrote:
I know. The thing is that krb5.keytab can't go in rwtab; it would have to go in statetab (I need this file to survive a reboot). Unfortunately, statetab does not seem to handle single files correctly... :(
Shame, it definitely looks like it tries to:
for file in /etc/statetab /etc/statetab.d/* ; do
    is_ignored_file "$file" && continue
    [ ! -f "$file" ] && continue

    if [ -f "$STATE_MOUNT/$file" ] ; then
        mount -n --bind "$STATE_MOUNT/$file" "$file"
    fi
    # (rest of the loop body not quoted)
done
jh
Yes, it tries. It even looks like it is mounted correctly, but it's not. Not sure where the problem is....
Re: dedicated keytab - will give it a try. It will probably work, but still, Samba should honor the default_keytab_name parameter in krb5.conf, right? :)
Ondrej