My first experience with SSSD for SFTP authentication was having a highly critical
system's authentication going off because I didn't know about adcli, so I
didn't install it. After exactly 30 days, the AD server changed that machine
account's password, but the Linux server didn't. Those were rough days. So,
I'm pretty sure that updating the machine account's password is a must unless you
disable password age on your AD
domain: https://support.microsoft.com/en-us/help/154501/how-to-disable-aut...
Regarding the smb.conf, for some reason I never got "kerberos method = system
keytab" to work. I had to set either "kerberos method = dedicated
keytab" or "kerberos method = secrets and keytab" along with the
keytab's path.
Looks like samba can't find the "system tab", even though it's in
/etc/krb5.keytab.
I will consider this set up and let you know if I ever get it working.
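As an added illustration (not configuration posted by either participant), here is the kind of smb.conf and sssd.conf fragment being discussed: Samba pointed explicitly at the keytab file, and SSSD's machine-account renewal options, which depend on adcli being installed. The realm, domain name and keytab path are placeholders, and the two SSSD values shown are the documented defaults.

```ini
# /etc/samba/smb.conf (fragment) -- added example, not from the thread
[global]
    security = ads
    realm = EXAMPLE.COM            # placeholder realm
    workgroup = EXAMPLE            # placeholder NetBIOS domain
    # "system keytab" did not work for the poster; "dedicated keytab"
    # (or "secrets and keytab") with an explicit path did.
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5.keytab

# /etc/sssd/sssd.conf (fragment) -- added example, not from the thread
[domain/example.com]
    id_provider = ad
    access_provider = ad
    # SSSD renews the machine account password by calling adcli. If the
    # adcli package is missing, the renewal task cannot run, so verify the
    # package is present rather than assuming the default below is enforced.
    ad_maximum_machine_account_password_age = 30
    # check interval (seconds) : initial delay (seconds); documented defaults
    ad_machine_account_password_renewal_opts = 86400:60
```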
On Friday, 12 October 2018 17:23:01 BRT, Erinn Looney-Triggs
<erinn.looneytriggs(a)gmail.com> wrote:
Also as another data point there is another thread currently going on in this mailing
list:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
that seems to imply that the machine password DOES need to be changed periodically.
I honestly don't know the answer on this one; again, from my research it appears that unless
there is custom software in the AD that removes systems if their entries are not
'fresh' enough, machines should not need to have their passwords changed. It
appears to be a client requirement in Windows, not an AD-enforced requirement; see here:
https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-pass...
I certainly hope I am right on this one, otherwise I am going to have ~600 systems that
are going to have a hell of a time logging in very soon :). I hope that adcli patches come
through to RHEL soon so I can just have both the keytab and the secrets.tdb updated by one
program and everything will be kept in sync. It would seem to me that it is a really good
idea to change the machine password, but as mentioned right now there appears to be no
reliable way to do that.
-Erinn
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org