On Thu, Oct 12, 2017 at 11:47:26AM +0200, Kees Bakker via FreeIPA-users wrote:
> Hey,
>
> This week I tried to install Samba (which failed because of Ubuntu, but that's
> another story).
>
> One of the steps was to do ipa-adtrust-install. It created a cifs/myhost
> principal on my IPA master server.
>
> But now it keeps switching my default principal to cifs/myhost@MYREALM (and
> in this case I'm root).
>
> Next I do destroy -A, and a new kinit admin.
>
> root@rotte:~# kdestroy -A
> root@rotte:~# klist
> klist: Credentials cache keyring 'persistent:0:krb_ccache_SF0wnkh' not found
> root@rotte:~# kinit admin
> Password for ad...@ghs.nl:
> root@rotte:~# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
> Default principal: ad...@ghs.nl
>
> Valid starting     Expires            Service principal
> 12-10-17 11:39:10  13-10-17 11:39:05  krbtgt/ghs...@ghs.nl
>
> Great, this is what I expected. But ... within 5 minutes
>
> root@rotte:~# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
> Default principal: cifs/rotte.ghs...@ghs.nl
>
> Valid starting     Expires            Service principal
> 12-10-17 11:42:10  13-10-17 11:42:10  ldap/rotte.ghs...@ghs.nl
> 12-10-17 11:42:10  13-10-17 11:42:10  krbtgt/ghs...@ghs.nl
>
> Argh, who/what is doing this?

I guess it is smbd/winbind doing this. Please make sure the Samba components
will use an individual credential cache and not use the default credential
cache of the user they are running as. You do this by setting the KRB5CCNAME
environment variable. E.g. on Fedora the systemd service file looks like:

"""
[Unit]
Description=Samba Winbind Daemon
After=syslog.target network.target nmb.service

[Service]
Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
Type=notify
NotifyAccess=all
PIDFile=/run/winbindd.pid
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity

[Install]
WantedBy=multi-user.target
"""

Please note the 'Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba' line. If
you are using SysV init scripts you should add
'export KRB5CCNAME=FILE:/run/samba/krb5cc_samba' or similar at a suitable place
in the script.

HTH

bye,
Sumit

> --
> Kees Bakker
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
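
Added example, not part of the original thread: a check that reads /proc/PID/environ of running smbd and winbindd processes and reports whether each one has its own KRB5CCNAME or would fall back to the default cache of the user it runs as. The function names are hypothetical, and the process names and the need to run as root are assumptions.

```shell
#!/bin/sh
# Added example: which credential cache do the running Samba daemons use?
# Assumptions: daemons are named smbd and winbindd; run as root so that
# /proc/PID/environ of those processes is readable.

# Print the KRB5CCNAME value found in a NUL-separated environment file
# (the format of /proc/PID/environ). Prints nothing when it is not set.
env_ccname() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Classify one environment file:
#   "private <ccname>"  the process was started with its own cache
#   "default"           the process uses the default cache of its user
classify_env() {
    cc=$(env_ccname "$1")
    if [ -n "$cc" ]; then
        echo "private $cc"
    else
        echo "default"
    fi
}

# Walk the running daemons and report the result per PID.
audit_daemons() {
    command -v pgrep >/dev/null 2>&1 || { echo "pgrep not available"; return 0; }
    for name in smbd winbindd; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            env_file="/proc/$pid/environ"
            if [ -r "$env_file" ]; then
                echo "$name[$pid]: $(classify_env "$env_file")"
            else
                echo "$name[$pid]: cannot read $env_file (run as root)"
            fi
        done
    done
    return 0
}

audit_daemons
```

A daemon reported as "default" and running as root shares root's cache, which matches the symptom in the klist output above; after adding the Environment= line the service has to be restarted before the check reports "private".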