Hi,
Ok, I did not have 'netbios name' in my smb.conf (which is a simple 4-liner). I 
added it but it did not make any difference.
In summary, it fills my keytab with entries like (as per klist -k -K):

<someones_username>/<myhost>@<KERBEROS_REALM>
or
<some_hostname>/<myhost>@<KERBEROS_REALM>

Where <someones_username> is a username of someone in AD and <some_hostname> is 
a hostname of some machine joined to AD.
This command actually runs for a very long time, generating a very big keytab - I 
guess if I left it running (I break it via Ctrl-C after a minute or so), it 
would eventually populate my keytab with all accounts in AD.

Whereas I would expect this would actually do:

<MYHOST$>@<KERBEROS_REALM>
+ all SPNs set in AD, i.e.:
host/<myhost>@<KERBEROS_REALM>
nfs/<myhost>@<KERBEROS_REALM>

Shall I send you the debug log? (I would rather send it to you directly as it 
contains sensitive information.)
My samba version:
samba-client-libs-4.4.4-12.el7_3.x86_64
samba-common-tools-4.4.4-12.el7_3.x86_64
samba-common-libs-4.4.4-12.el7_3.x86_64
samba-client-4.4.4-12.el7_3.x86_64
samba-common-4.4.4-12.el7_3.noarch
samba-libs-4.4.4-12.el7_3.x86_64

Thanks,
Ondrej
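An added example for the situation described in this thread (it is not code from the thread or from Samba): a small audit of `klist -k -K -e` output that flags keytab entries for principals the host should not own, and reports any (kvno, enctype) group whose entries do not all share one key, which is the check Sumit suggests. The sample output, hostnames, realm and the list of expected principals are constructed; the line layout is assumed to follow MIT klist, and the hex keys are filler, not real key material.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -K -e` output. The layout follows MIT klist
# (KVNO, principal, enctype in parentheses, key as 0x-hex); all keys here are
# made-up filler, not real key material, and the hostnames are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 MYHOST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00112233445566770011223344556677)
   3 host/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00112233445566770011223344556677)
   3 nfs/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00112233445566770011223344556677)
   3 jdoe/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00112233445566770011223344556677)
   3 OTHERBOX$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x8899aabbccddeeff8899aabbccddeeff)
"""

# Principals this host legitimately owns: its sAMAccountName principal plus the
# SPNs registered on its computer object. This is a constructed list; in practice
# it is built from the servicePrincipalName attribute of the computer object in AD.
EXPECTED_PRINCIPALS = {
    "MYHOST$@EXAMPLE.COM",
    "host/myhost.example.com@EXAMPLE.COM",
    "nfs/myhost.example.com@EXAMPLE.COM",
}

# One keytab entry per line: kvno, principal, "(enctype)", "(0xKEY)".
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s+\(0x([0-9a-fA-F]+)\)\s*$")


def parse_klist(text):
    """Return one dict per keytab entry parsed from `klist -k -K -e` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Keytab name:" header, column header, separator, blank
        kvno, principal, enctype, key = m.groups()
        entries.append({"kvno": int(kvno), "principal": principal,
                        "enctype": enctype, "key": key.lower()})
    return entries


def audit_keytab(entries, expected):
    """Flag principals the host should not hold, and (kvno, enctype) groups whose
    entries do not all share one key.

    A keytab produced from the host's own machine password holds only the host's
    principals, and every entry for a given kvno and enctype is derived from that
    one password, so the keys inside such a group should all be identical. A group
    with differing keys means entries for some other account were written in.
    """
    unexpected = [e["principal"] for e in entries if e["principal"] not in expected]
    keys_by_group = defaultdict(set)
    for e in entries:
        keys_by_group[(e["kvno"], e["enctype"])].add(e["key"])
    mismatches = sorted(g for g, keys in keys_by_group.items() if len(keys) > 1)
    return {"unexpected": unexpected, "key_mismatches": mismatches}


if __name__ == "__main__":
    report = audit_keytab(parse_klist(SAMPLE_KLIST), EXPECTED_PRINCIPALS)
    for p in report["unexpected"]:
        print("unexpected principal in keytab:", p)
    for kvno, etype in report["key_mismatches"]:
        print(f"kvno {kvno} {etype}: entries do not share one key")
```

To run this against a real keytab, replace `SAMPLE_KLIST` with the captured output of `klist -k -K -e` (for example read from `sys.stdin`) and fill `EXPECTED_PRINCIPALS` from the computer object's SPNs; any principal reported as unexpected is one that `net ads keytab create` should not have written for this host.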

-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com] 
Sent: Monday, July 09, 2018 4:55 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: recreate machine keytab file

On Mon, Jul 09, 2018 at 02:20:31PM +0000, Ondrej Valousek wrote:
> Thanks,
> "net ads keytab create" does work, but it populates my keytab with all 
> accounts (user and computer) that can be found in AD - i.e. pretty dangerous.
> I would like to add some parameter to it to only fill it with entries relevant for 
> my computer - i.e. something like:
> 
> net ads keytab create --only-obj <my_hostname>
> 
> Which would add UPN and SPN (both can be easily grabbed from AD) related to 
> my hostname.

Do you have 'netbios name' set in your smb.conf? This is where net should get 
your hostname from.

You can use '-d 10' to see in more detail what net is doing.

Nevertheless all the entries it currently creates should use the same keys 
based on the host password stored by Samba. You can check this with 'klist -k  
-K -e'.

bye,
Sumit

> 
> Ondrej
> 
> -----Original Message-----
> From: Sumit Bose [mailto:sb...@redhat.com]
> Sent: Monday, July 09, 2018 3:57 PM
> To: sssd-users@lists.fedorahosted.org
> Subject: [SSSD-users] Re: recreate machine keytab file
> 
> On Mon, Jul 09, 2018 at 12:19:09PM +0000, Ondrej Valousek wrote:
> > Hi List,
> > 
> > Is there any way we can recreate the system keytab file of a machine joined 
> > to AD if the file has been broken/deleted?
> > I want to avoid doing join again as this would probably delete the existing 
> > account (with all attributes we have set).
> > Thanks,
> 
> If you used 'net ads join' to join then 'net ads keytab create' might work 
> for you because Samba can recover the keytab with the help of the stored 
> plain text password.
> 
> With 'adcli update' you have to kinit first as a user which can update the 
> password and then use the --login-ccache option because chances are you 
> cannot kinit with the keytab anymore. But you should use an account which is 
> only allowed to update the password because otherwise adcli might try to 
> update other attributes as well.
> 
> On AD you can use the ktpass.exe utility to export a fresh keytab.
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> > Ondrej
> > 
> 
> 

-----

The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an intended recipient, you must not use, disclose, copy, distribute or 
retain this e-mail or any part thereof. If you have received this e-mail in 
error, please notify the sender by return e-mail and delete all copies of this 
e-mail from your computer system(s). Please direct any additional queries to: 
communicati...@s3group.com. Thank You. Silicon and Software Systems Limited (S3 
Group). Registered in Ireland no. 378073. Registered Office: South County 
Business Park, Leopardstown, Dublin 18.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/NY673RW3KEVHR7TKB4TIFNQMOWRSFBS7/