[Samba] Samba 4 krb5.keytab confusion

Michael Wood esiotrot at gmail.com
Mon Jan 9 03:50:08 MST 2012


On 9 January 2012 12:34, steve <steve at steve-ss.com> wrote:
> On 01/09/2012 09:47 AM, Gémes Géza wrote:
[...]
>>> samba-tool user add steve4
>>> (the spn stuff you mention doesn't seem to be needed?)
>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>>
>> You don't need the last step (see before).
>
> OK, I'm understanding this a little more. So how can I remove steve4 from
> the keytab?

Don't bother trying to do that.  Just create a new keytab file with
only the relevant stuff for NFS in it.

>>> for nfs I did this:
>>> samba-tool spn add nfs/HH3.SITE Administrator
>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/HH3.SITE
>>>
>> That (the spn stuff) would work but it is BAD PRACTICE (it contradicts the
>> least privilege principle) you shouldn't give your nfs server the right to
>> administer your whole domain. You should create an account for nfs (e.g.
>> nfs-service-account or whatever) and for any kerberized service/host in
>> your domain. I know it is more work, but security-wise that is the right
>> solution.
>
>
> I can see your point. So I do:
> samba-tool user add nfs-service-account
> samba-tool spn add nfs/HH3.SITE nfs-service-account
>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/HH3.SITE
>
> But it's going to tell me that the nfs is already there no? So the question
> is, how do I remove the nfs principal I created before as Administrator?

Try: samba-tool spn list ..., samba-tool spn delete ...

-- 
Michael Wood <esiotrot at gmail.com>
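As an added example (not part of this thread), here is a small Python parser for the keytab file format, so you can check which principals an exported /etc/krb5.keytab, or the separate NFS-only keytab suggested above, actually contains. The sample keytab bytes are constructed inline; the `encode_entry`/`parse_keytab` names are mine, not samba-tool's.

```python
# Added example (not code from the thread): parse an MIT/Heimdal keytab file
# (format 0x0502) and list the principals it holds, to check what an
# exported keytab actually contains before handing it to a service.
import struct

KEYTAB_MAGIC = b"\x05\x02"  # keytab format version 2, big-endian integers


def encode_entry(principal, realm, kvno, enctype, key, name_type=1, ts=0):
    """Build one keytab entry; used here only to construct the sample file."""
    body = struct.pack(">H", principal.count("/") + 1)
    for s in [realm] + principal.split("/"):  # realm, then name components
        body += struct.pack(">H", len(s.encode())) + s.encode()
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype)] for every non-deleted entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, strings = pos + 2, []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (ln,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        # A 32-bit kvno trails the key when the entry has 4 bytes left.
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        pos = end
    return entries


# Constructed sample: an NFS keytab that also carries a stray user principal.
SAMPLE_KEYTAB = (KEYTAB_MAGIC
                 + encode_entry("nfs/HH3.SITE", "HH3.SITE", 1, 18, b"\x11" * 32)
                 + encode_entry("steve4", "HH3.SITE", 2, 17, b"\x22" * 16))
```

On a real host `klist -k /etc/krb5.keytab` shows the same information; the point of the parser is to see that a keytab exported per principal holds exactly the service principal and nothing else.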

