samba-generated keytab and ldap

Thomas Muders muders at
Tue Aug 3 15:19:25 GMT 2004


--On Monday, 2 August 2004 12:59 -0500 Anthony Liguori 
<aliguori at> wrote:

> On Mon, 2004-08-02 at 11:08, Thomas Muders wrote:
>> What I want to do is: make a kinit with the computer account to update
>> certain LDAP attributes in the Active Directory. I tried obtaining a
>> ticket with kinit -k -t but I could not figure out how (or if) it is
>> possible to get a TGT for then doing ldapmodify -Y gssapi. It must be
>> possible somehow, otherwise Samba could not search LDAP successfully
>> with net ads search :-) (or does that use a password cached in a tdb
>> file? I use "use kerberos keytab = yes").
> I believe we use GSS-SPNEGO for SASL in Samba which is not supported by
> the default SASL.  However, you should be able to do raw Kerberos for an
> LDAP search against AD.  There's plenty of info on the internet about
> doing this.

Hmm, maybe I was not clear enough. Actually, what I'd like to have would be
something like

"net ads kinit -P"  -- makes a kinit with the machine account

because I could not get a TGT with the "normal" kinit + the keytab.
Would it be sensible to include such an option?

Searching LDAP was anyway no problem with net ads search, I want to MODIFY 
(that doesn't work with the net command) or do different things requiring a 
Kerberos ticket.

> Absolutely.  This is not a known problem but a feature.  See the MIT
> documentation.  I do not think that Heimdal institutes the same
> requirement...

Thanks, that was it, the kerberized FTP works again.

Best regards,

muders at Uni-Mainz.DE        |  Johannes Gutenberg-Universität Mainz
Systemabteilung/Unix       |         Zentrum für Datenverarbeitung
Tel: +49-6131-39-26015     |                           55099 Mainz
Fax: +49-6131-39-56015     |                 Tel: +49-6131-3926300
