samba4 keytab management
Matthieu Patou
mat at samba.org
Fri Aug 27 16:15:47 MDT 2010
Hello,
> How do I get this done? I am trying to get ssh working with GSSAPI. Reading previous messages here, I added a krb5Keytab attribute
> to the host/xyz at REALM entry in secrets.ldb. This created a /etc/krb5.keytab file. However the principal listed there is in the form:
>
> HOST at REALM, rather than host/hostname at REALM.
What are you trying to do exactly? Have ssh + GSSAPI on the s4 server
or on another server?
For the samba4 DC you don't need a krb5Keytab nor a servicePrincipalName,
as Samba is able to figure out that if you need a ticket for the principal
host/xyz at REALM it can manage to do it with "just" the principal
xyz at REALM.
So you basically need to have a keytab with a host/xyz at REALM entry.
The best in fact is to create a technical account and add a
servicePrincipalName like host/xyz at REALM.
Then use ktpass.sh in scripting/bin to generate the keytab.
> I have tried renaming HOST at REALM to host/hostname at REALM with ktutil but it does not produce any result. And sshd is still prompting for
> password. From the sshd logs:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Key table entry not found
>
> Is there a procedure for generating new principals like imap/xyz at REALM, and putting it into a keytab file?
>
> Thanks!
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
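Added example, not from this thread and not Samba's own code: a minimal reader for the MIT keytab file format that lists the principals a keytab actually holds, so you can confirm that the host/fqdn@REALM entry sshd looks up is really there (and not just HOST@REALM) before digging further into the GSSAPI failure. It also skips the deleted slots that ktutil leaves behind after delent. SAMPLE_KEYTAB, the EXAMPLE.COM realm, the xyz.example.com host and the key bytes are all constructed for the demonstration.

```python
import struct
MAGIC = b"\x05\x02"  # MIT keytab format version 2
def _cstr(b):  # counted_octet_string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_entry(principal, kvno, enctype, key, ts=0):  # one live entry for 'svc/host@REALM'
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _cstr(key)   # keyblock
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry."""
    assert data[:2] == MAGIC, "not a version-2 keytab"
    pos, entries = 2, []
    while pos < len(data):  # int32-sized slots follow the header
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size: hole left by a deleted entry, skip it unparsed
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _read_cstr(data, pos + 11)
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def has_principal(data, principal):
    return any(p == principal for p, _, _ in parse_keytab(data))

# Constructed sample, not a real keytab: the HOST@REALM entry from the post, a 7-byte hole, then the host/fqdn@REALM entry sshd needs
SAMPLE_KEYTAB = (MAGIC + build_entry("HOST@EXAMPLE.COM", 2, 18, b"\x11" * 32) + struct.pack(">i", -7)
                 + b"\x00" * 7 + build_entry("host/xyz.example.com@EXAMPLE.COM", 2, 18, b"\x22" * 32))
```

Running parse_keytab over the bytes of a real /etc/krb5.keytab gives the same inventory that klist -k prints; enctype 18 is aes256-cts-hmac-sha1-96.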