On 12-10-17 14:11, Alexander Bokovoy wrote:
> On Thu, 12 Oct 2017, Kees Bakker via FreeIPA-users wrote:
>> Hey,
>>
>> This week I tried to install Samba (which failed because of Ubuntu, but that's
>> another story).
>>
>> One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal
>> on my IPA master server.
>>
>> But now it keeps switching my default principal to cifs/myhost@MYREALM (and
>> in this case I'm root).
> What is your distribution?

Ubuntu 16.04

>
> The reason I ask is because on Fedora, RHEL 7, and CentOS 7 we do have
>
> Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba

Yes, that's probably it. (See response to Sumit)

>
> line in smb.service (and in winbind.service):
>
> # systemctl cat winbind.service |grep krb5cc_samba
> Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
>
> This forces smbd and winbindd to use a specific Kerberos ccache file
> instead of a default one. Since they run as root their default ccache
> would otherwise be the one that root as user uses.

Samba is not set up via systemd on Ubuntu. But I certainly can figure out what to do.
Thanks anyway.

>
>>
>> Next I do destroy -A, and a new kinit admin.
>>
>> root@rotte:~# kdestroy -A
>> root@rotte:~# klist
>> klist: Credentials cache keyring 'persistent:0:krb_ccache_SF0wnkh' not found
>> root@rotte:~# kinit admin
>> Password for ad...@ghs.nl:
>> root@rotte:~# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
>> Default principal: ad...@ghs.nl
>>
>> Valid starting     Expires            Service principal
>> 12-10-17 11:39:10  13-10-17 11:39:05  krbtgt/ghs...@ghs.nl
>>
>> Great, this is what I expected. But ... within 5 minutes
>>
>> root@rotte:~# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
>> Default principal: cifs/rotte.ghs...@ghs.nl
>>
>> Valid starting     Expires            Service principal
>> 12-10-17 11:42:10  13-10-17 11:42:10  ldap/rotte.ghs...@ghs.nl
>> 12-10-17 11:42:10  13-10-17 11:42:10  krbtgt/ghs...@ghs.nl
>>
>> Argh, who/what is doing this?
>> --
>> Kees Bakker
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
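One way to check whether the running Samba daemons have the dedicated ccache described in the thread, or share root's default one. This is an added example, not part of the original messages or of Samba/FreeIPA; the function names are hypothetical and it assumes a Linux `/proc` filesystem and `pgrep`:

```shell
#!/bin/sh
# Added example: report which Kerberos ccache each Samba daemon will use.

# Print the KRB5CCNAME value from a NUL-separated environ file
# (the format of /proc/<pid>/environ); print nothing if it is unset.
ccache_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Classify one daemon: "dedicated <ccache>" when KRB5CCNAME is set,
# "default" when the daemon falls back to its user's default ccache
# (for a daemon running as root, the cache root's own kinit/klist use).
classify_daemon() {
    cc=$(ccache_from_environ "$1")
    if [ -n "$cc" ]; then
        echo "dedicated $cc"
    else
        echo "default"
    fi
}

# Walk the running smbd/winbindd processes and report each one.
check_samba_daemons() {
    for name in smbd winbindd; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            f="/proc/$pid/environ"
            if [ -r "$f" ]; then
                echo "${name}[${pid}]: $(classify_daemon "$f")"
            else
                echo "${name}[${pid}]: environ not readable (run as root)"
            fi
        done
    done
}

check_samba_daemons
```

A daemon reported as `default` while running as root is a candidate for the behaviour seen in the `klist` output above; one reported as `dedicated` has the `KRB5CCNAME` setting the Fedora/RHEL/CentOS unit files apply.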