question about service principals (samba4)

Andrew Bartlett abartlet at samba.org
Tue Sep 21 17:39:33 MDT 2010


On Tue, 2010-09-21 at 16:58 -0400, Aaron Solochek wrote:
> I can see in LDAP that computer objects have service principals associated with
> them; however, I can't seem to use them.
> 
> I did a dump of the keys on the server with a net export keytab, and it didn't
> populate that keytab with the service principals as I'd hoped.  Thinking that
> the service principals might be aliases for the actual machine account
> principal, I tried renaming the key FOO$ to host/foo in that keytab and then
> tried authenticating with it, but it told me host/foo was not found in the
> database.
> 
> My past experience with Kerberos is all with Heimdal and MIT krb, so I don't
> know in what ways I should expect things to be different with a Windows or Samba
> KDC, but I do assume there is some way to get host/foo and nfs/foo keys so I can
> start deploying some kerberized services.  I was hoping the servicePrincipalName
> entries did some sort of magic for me, but failing that, I suppose I need to
> create completely separate accounts for each service principal I want.
> 
> Also, what is the canonical way to extract a keytab containing only keys I
> specify?

I hope to add extensions to our keytab management code to automatically
populate a keytab soon.  My idea is to allow servicePrincipalName to be
specified in the secrets.ldb entries.

> And related to that, will samba4 ever support a kadmin interface,
> because that would be awesome.

We could, quite easily actually, but I've avoided doing so.  It would
tie us to our current choice of Kerberos implementation in a way that is
exposed to our users.  If there is a real desire, then I'm willing to
allow it - it just means building a little more of Heimdal.

(The problem is that the kadmin tool and protocol are not the same
between MIT and Heimdal.)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
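As an added example, not part of this thread or of Samba's own code: a small Python parser for the MIT-format (version 0x0502) keytab, used to check which principals a dumped keytab actually holds before a kerberized service is deployed. The realm EXAMPLE.COM, the kvno and the key bytes are constructed sample values.

```python
import struct

def _read_cstr(buf: bytes, p: int):
    """Read a keytab counted octet string (uint16 BE length + bytes) at offset p."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def build_keytab(entries):
    """Build a version 0x0502 keytab from (principal, realm, kvno, enctype, key).
    Constructed sample input only; the key bytes are dummies, not real secrets."""
    cstr = lambda s: struct.pack(">H", len(s)) + s
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + cstr(realm.encode())
        body += b"".join(cstr(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        out += struct.pack(">i", len(body)) + body           # int32 record size prefix
    return bytes(out)

def parse_keytab(data: bytes):
    """Yield (principal@REALM, kvno, enctype) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        realm, p = _read_cstr(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(entry, p)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p); p += 4 + klen
        kvno = struct.unpack_from(">I", entry, p)[0] if size - p >= 4 else vno8
        yield f"{'/'.join(comps)}@{realm}", kvno, enctype
        pos += size

def missing_principals(data: bytes, wanted):
    present = {name for name, _, _ in parse_keytab(data)}
    return sorted(set(wanted) - present)

# Constructed sample: the machine account key is present, host/foo is not.
SAMPLE = build_keytab([("FOO$", "EXAMPLE.COM", 3, 18, b"\x00" * 32)])
```

Running `missing_principals(SAMPLE, ["host/foo@EXAMPLE.COM"])` reports the service principal the dump did not contain, which is the check to make before renaming or reusing keys.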