Chase Whitener <[email protected]> writes:

> We have a 2008r2 AD domain. We join Linux machines as domain members using
> Samba with Winbind (I'll show all of my config files below). This portion
> of our setup works without failures of any kind. However, some of these
> machines are web servers for Intranet stuff and we'd like to have SSO
> working. For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
> keytab file). So, since we're already joining the machines to the domain
> with Samba, we thought it would be smart to just generate the keytab files
> with net ads.
>
> export KRB5_KTNAME=FILE:/etc/www.keytab
> net ads keytab create -Udomain-admin (requires a password, so this can't be scripted and run in cron)
> net ads keytab add HTTP -Udomain-admin (requires a password, so this can't be scripted and run in cron)
> unset KRB5_KTNAME
> chown apache /etc/www.keytab
> service httpd restart
>
> However, when Samba changes the machine account's password (seemingly
> randomly), those keytab files are no longer valid and have to be
> regenerated. Is there some way for those keytab files to be updated
> automatically when Samba updates the machine account, or some setting to
> stop Samba from updating that password? And alternatively, are we doing
> things in a completely wrong way? I apologize for writing a book here, but
> without all of the background info, you may not be able to help. Here are my
> config files for a machine:

Hi Chase,

I did not see an answer to your question and would like to ask if you received any help with your problem or solved it some other way.

Regards,
Dirk
