[Samba] nslcd: kerberos vs. simple bind
Marc Muehlfeld
samba at marc-muehlfeld.de
Wed Aug 28 11:27:39 MDT 2013
On 28.08.2013 19:11, steve wrote:
> If you're happy with plain text passwords being passed over the network
> then use them. There may be some admins that will not be able to do that
> though, so. . .
Ok. This is a good argument I haven't thought about. In production I
have used LDAPS. But the HowTo is currently describing it in plain text,
right.
> You may want to kerberise it. It's very easy: you don't need to create
> anything new. Just use an object you already have. You always have a
> machine key for example.
Good idea with the machine key.
If I use the machine account, then I have to re-export the keytab if I
rejoin the machine, right?
> On the DC, you'll have to extract its keytab
> but otherwise, away you go:
>
> k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt &
>
> If you need to be up more than 10 hours a day and if you don't like
> k5start, cron it.
>
> The clients already have the keytab so nothing else to do.
> HTH
Thanks for that information. It clarifies some questions that came up
with the first Kerberos tries.
Regards,
Marc
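
Added example (not part of the original message or of the Samba HowTo): a small shell check that reports whether an nslcd.conf uses a simple bind in clear text, a simple bind over TLS, or a Kerberos (GSSAPI) bind reading the ticket cache that the k5start command above writes. The option names (uri, ssl, binddn, bindpw, sasl_mech, krb5_ccname) are those of nslcd.conf(5); the host names, DNs and password are constructed, and treating "ssl on" as encrypted is an assumption of this example.

```shell
#!/bin/sh
# Added example: classify how an nslcd.conf authenticates to the directory.
# Prints one of: gssapi, simple-tls, simple-plaintext, anonymous.
nslcd_bind_mode() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        { key = tolower($1) }
        key == "uri" {                       # a uri line may list several servers
            for (i = 2; i <= NF; i++)
                if (index(tolower($i), "ldap://") == 1) cleartext_uri = 1
        }
        # Assumption: "ssl on" and "ssl start_tls" both encrypt the session.
        key == "ssl" && tolower($2) ~ /^(on|start_tls)$/ { tls = 1 }
        key == "sasl_mech" && toupper($2) == "GSSAPI"    { gssapi = 1 }
        key == "binddn" || key == "bindpw"               { simple = 1 }
        END {
            if (gssapi)                      print "gssapi"
            else if (!simple)                print "anonymous"
            else if (cleartext_uri && !tls)  print "simple-plaintext"
            else                             print "simple-tls"
        }
    ' "$1"
}

# Constructed sample configurations (hosts, DNs and password are made up).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/plain.conf" <<'EOF'
uri ldap://dc1.example.com
base dc=example,dc=com
binddn cn=nslcd-service,cn=Users,dc=example,dc=com
bindpw CONSTRUCTED-PASSWORD
EOF
sed 's|^uri ldap://|uri ldaps://|' "$demo/plain.conf" > "$demo/ldaps.conf"
cat > "$demo/krb.conf" <<'EOF'
uri ldap://dc1.example.com
base dc=example,dc=com
sasl_mech GSSAPI
krb5_ccname /tmp/nslcd.tkt
EOF

for f in plain ldaps krb; do
    printf '%s.conf: %s\n' "$f" "$(nslcd_bind_mode "$demo/$f.conf")"
done
```

A result of simple-plaintext is the case discussed in this thread: the bind password crosses the network unencrypted on every connection.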