On 12-10-17 12:05, Sumit Bose via FreeIPA-users wrote:
> On Thu, Oct 12, 2017 at 11:47:26AM +0200, Kees Bakker via FreeIPA-users wrote:
>> Hey,
>>
>> This week I tried to install Samba (which failed because of Ubuntu, but that's
>> another story).
>>
>> One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal
>> on my IPA master server.
>>
>> But now it keeps switching my default principal to cifs/myhost@MYREALM (and
>> in this case I'm root).
>>
>> Next I do destroy -A, and a new kinit admin.
>>
>> root@rotte:~# kdestroy -A
>> root@rotte:~# klist
>> klist: Credentials cache keyring 'persistent:0:krb_ccache_SF0wnkh' not found
>> root@rotte:~# kinit admin
>> Password for [email protected]:
>> root@rotte:~# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 12-10-17 11:39:10  13-10-17 11:39:05  krbtgt/[email protected]
>>
>> Great, this is what I expected. But ... within 5 minutes
>>
>> root@rotte:~# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
>> Default principal: cifs/[email protected]
>>
>> Valid starting     Expires            Service principal
>> 12-10-17 11:42:10  13-10-17 11:42:10  ldap/[email protected]
>> 12-10-17 11:42:10  13-10-17 11:42:10  krbtgt/[email protected]
>>
>> Argh, who/what is doing this?
> I guess it is smbd/winbind doing this.

Correct. When I stop winbind the behavior goes away.

> Please make sure the Samba
> components will use an individual credential cache and not use the
> default credential cache of the user they are running as.
>
> You do this by setting the KRB5CCNAME environment variable. E.g. on
> Fedora the systemd service file looks like:
>
> """
> [Unit]
> Description=Samba Winbind Daemon
> After=syslog.target network.target nmb.service
>
> [Service]
> Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
> Type=notify
> NotifyAccess=all
> PIDFile=/run/winbindd.pid
> EnvironmentFile=-/etc/sysconfig/samba
> ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
> ExecReload=/usr/bin/kill -HUP $MAINPID
> LimitCORE=infinity
>
> [Install]
> WantedBy=multi-user.target
> """
>
> Please note the 'Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba'
> line. If you are using SysV init scripts you should add 'export
> KRB5CCNAME=FILE:/run/samba/krb5cc_samba' or similar at a suitable place
> in the script.
>
> HTH

Yes it does. Thanks.
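
An added example, not part of the original thread: a small shell check that reads a running daemon's start-time environment from /proc and reports whether KRB5CCNAME was set, which is how to confirm the fix described above took effect. The function names and the constructed sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: show which credential cache a daemon was started with.
# /proc/<pid>/environ holds the start-time environment as NUL-separated
# NAME=value pairs; reading another user's process needs root.

# Print the KRB5CCNAME value found in an environ-format file (empty if absent).
ccname_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Print "set <value>", "unset" (process falls back to the default cache of
# the user it runs as), or "unreadable".
classify_environ() {
    if [ ! -r "$1" ]; then echo "unreadable"; return 0; fi
    cc=$(ccname_from_environ "$1")
    if [ -n "$cc" ]; then echo "set $cc"; else echo "unset"; fi
}

# Report every running process with exactly this name, e.g. winbindd or smbd.
check_daemon() {
    for pid in $(pgrep -x "$1"); do
        echo "$1[$pid]: $(classify_environ "/proc/$pid/environ")"
    done
}

# Constructed sample: an environ image like the one the quoted unit file yields.
demo_constructed() {
    sample=$(mktemp)
    printf 'PATH=/usr/sbin\0KRB5CCNAME=FILE:/run/samba/krb5cc_samba\0' > "$sample"
    classify_environ "$sample"
    rm -f "$sample"
}

# With arguments, check those daemons; without, run the constructed sample.
if [ "$#" -gt 0 ]; then
    for name in "$@"; do check_daemon "$name"; done
else
    demo_constructed
fi
```

Run it as root with the daemon names as arguments (for example `winbindd smbd`); a process reported as "unset" is still sharing the default credential cache of the user it runs as.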
