Use dedicated keytab for Samba

Samba just needs the cifs/ key on the ipa server. Configure samba to use a different keytab file so that we do not risk samba commands (net, or similar) to mess up the system keytab. https://fedorahosted.org/freeipa/ticket/2168
author: Alexander Bokovoy <abokovoy@redhat.com> 2012-02-28 13:23:51 +0200
committer: Martin Kosek <mkosek@redhat.com> 2012-06-07 09:39:09 +0200
commit: dd244c02dd544f518574f45931342b97fd9e0162 (patch)
tree: 5ffa2b14913df9035aeceaddc254634345d58ddf /install/share
parent: b32204fccc280714a32d56c15f70f770df82dfbd (diff)
download: freeipa-dd244c02dd544f518574f45931342b97fd9e0162.tar.gz
freeipa-dd244c02dd544f518574f45931342b97fd9e0162.tar.xz
freeipa-dd244c02dd544f518574f45931342b97fd9e0162.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 4ab79daa5..8ed521b50 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -1,7 +1,8 @@
 [global]
 workgroup = $NETBIOS_NAME
 realm = $REALM
-kerberos method = system keytab
+kerberos method = dedicated keytab
+dedicated keytab file = FILE:/etc/samba/samba.keytab
 create krb5 conf = no
 security = user
 domain master = yes
@@ -10,6 +11,7 @@ log level = 1
 max log size = 100000
 log file = /var/log/samba/log.%m
 passdb backend = ipasam:ldapi://$LDAPI_SOCKET
+disable spoolss = yes
 ldapsam:trusted=yes
 ldap ssl = off
 ldap admin dn = $SMB_DN
author	Alexander Bokovoy <abokovoy@redhat.com>	2012-02-28 13:23:51 +0200
committer	Martin Kosek <mkosek@redhat.com>	2012-06-07 09:39:09 +0200
commit	dd244c02dd544f518574f45931342b97fd9e0162 (patch)
tree	5ffa2b14913df9035aeceaddc254634345d58ddf /install/share
parent	b32204fccc280714a32d56c15f70f770df82dfbd (diff)
download	freeipa-dd244c02dd544f518574f45931342b97fd9e0162.tar.gz freeipa-dd244c02dd544f518574f45931342b97fd9e0162.tar.xz freeipa-dd244c02dd544f518574f45931342b97fd9e0162.zip