samba-generated keytab and ldap
Anthony Liguori
aliguori at us.ibm.com
Mon Aug 2 17:59:34 GMT 2004
On Mon, 2004-08-02 at 11:08, Thomas Muders wrote:
> What I want to do is: make a kinit with the computer account to update
> certain LDAP attributes in the Active Directory. I tried obtaining a ticket
> with kinit -k -t but I could not figure out how (or if) it is possible to
> get a TGT for then doing ldapmodify -Y gssapi. It must be possible somehow,
> otherwise Samba could not search LDAP successfully with net ads search :-)
> (or does that use a password cached in a tdb file? I use "use kerberos
> keytab = yes).
I believe we use GSS-SPNEGO for SASL in Samba which is not supported by
the default SASL. However, you should be able to do raw Kerberos for an
LDAP search against AD. There's plenty of info on the internet about
doing this.
> after updating to a never SVN snapshot. As we changed the DNS: is there any
> known problem with MIT Kerberos if the reverse DNS name is not equal to the
> host name?
Absolutely. This is not a known problem but a feature. See the MIT
documentation. I do not think that Heimdal institutes the same
requirement...
> Then an important detail: Our Windows (2K3) Domain name is ZDV-MAINZ.DE,
> but the FQDN of the host is bender.zdv.zdv-mainz.de. Samba creates in the
> AD an SPN of the form HOST/bender.zdv-mainz.de, but in the keytab it shows
> up as HOST/bender.zdv.zdv-mainz.de at ZDV-MAINZ.DE. Likewise with CIFS and
> FTP. This could be source of problems too.
AD maintains equivalent SPNs. See a recent note on this list (from Luke
Howard I think) for a detailed list of all the different SPNs.
> I hope my mail was not too unstructured, but it would be absolutely great
> if I could get those working. Actually it does not have to be kerberized
> ftp, only I use that as a test; later maybe we want to use kerberized lpr
> or sshd.
> If you need more details, pls request them.
> As a CIFS Fileserver, it runs like a charm, I am really happy with it :-)
>
> best regards,
> Thomas
--
Anthony Liguori
Samba, Linux/Windows Interoperability
Linux Technology Center (LTC) - IBM Austin
E-mail: aliguori at us.ibm.com
Phone: (512) 838-1208
Tie Line: 678-1208
More information about the samba-technical
mailing list