samba-generated keytab and ldap
Thomas Muders
muders at uni-mainz.de
Tue Aug 3 15:19:25 GMT 2004
Hello,
--On Monday, 2 August 2004 12:59 -0500 Anthony Liguori
<aliguori at us.ibm.com> wrote:
> On Mon, 2004-08-02 at 11:08, Thomas Muders wrote:
>
>> What I want to do is: make a kinit with the computer account to update
>> certain LDAP attributes in the Active Directory. I tried obtaining a
>> ticket with kinit -k -t but I could not figure out how (or if) it is
>> possible to get a TGT for then doing ldapmodify -Y gssapi. It must be
>> possible somehow, otherwise Samba could not search LDAP successfully
>> with net ads search :-) (or does that use a password cached in a tdb
>> file? I use "use kerberos keytab = yes").
>
> I believe we use GSS-SPNEGO for SASL in Samba which is not supported by
> the default SASL. However, you should be able to do raw Kerberos for an
> LDAP search against AD. There's plenty of info on the internet about
> doing this.
Hmm, maybe I was not clear enough. Actually, what I'd like to have would be
something like

"net ads kinit -P" -- makes a kinit with the machine account

because I could not get a TGT with the "normal" kinit + the keytab.
Would it be sensible to include such an option?

Searching LDAP was anyway no problem with net ads search; I want to MODIFY
(that doesn't work with the net command) or do different things requiring a
Kerberos ticket.
> Absolutely. This is not a known problem but a feature. See the MIT
> documentation. I do not think that Heimdal institutes the same
> requirement...
Thanks, that was it: the kerberized FTP works again.

Best regards,
Thomas
--
muders at Uni-Mainz.DE | Johannes Gutenberg-Universität Mainz
Systemabteilung/Unix | Zentrum für Datenverarbeitung
Tel: +49-6131-39-26015 | 55099 Mainz
Fax: +49-6131-39-56015 | Tel: +49-6131-3926300
More information about the samba-technical mailing list