Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external sources. Thus, change the defaults to a path (implies FILE: prefix) while Samba Team fixes the code to allow the access mode prefix for keytabs.
On upgrade we need to replace 'dedicated keytab file' value with the path to the Samba keytab that FreeIPA maintains. Since the configuration is stored in the Samba registry, we use net utility to manipulate the configuration:
net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab
Without the change following error is visible on Fedora 25:
[2016/12/01 11:42:19.218759, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab) ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed) [2016/12/01 11:42:19.218800, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab) ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205 [2016/12/01 11:42:19.218823, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech) Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR [2016/12/01 11:42:19.261611, 1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab) ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed) [2016/12/01 11:42:19.261638, 1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab) ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205 [2016/12/01 11:42:19.261653, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech) Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR [2016/12/01 11:42:19.263330, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password) check_ntlm_password: Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
master:
ipa-4-4:
Metadata Update from @abbra: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.4.3
Log in to comment on this ticket.