Kerberos and AD joins
Gerald (Jerry) Carter
jerry at samba.org
Wed Mar 9 20:20:33 GMT 2005
Wachdorf, Daniel R wrote:
| We currently have a large Kerberos infrastructure in place. As part of
| this we have Kerberized SSH in place. We have created a tool to create
| computer type accounts in Active Directory. We set the userPrincipalName
| to host/HOSTNAME@REALM and the servicePrincipalName to host/HOSTNAME.
| (This seems to function much like the "net ads join" command.) We then
| set the password for the computer and write out a Kerberos keytab file
| to /etc/krb5.keytab to allow Kerberos authentication with SSH.
|
| The "net ads join" command doesn't seem to create a keytab, but rather
| creates the secrets.tdb file which appears to store the password used to
| create the computer account.
Keytab support was added around Samba 3.0.5 or so. See
'use kerberos keytab' in smb.conf(5).
cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
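A defender-side check for the keytab workflow discussed in this message, as an added example that is not part of the original post or of Samba's code: it parses the MIT keytab file layout (version 0x0502), confirms that the host/HOSTNAME@REALM entry is present, and flags DES or RC4 keys. The hostname, realm and all-zero key bytes in the sample are constructed, and the function names are hypothetical.

```python
import struct

# DES and RC4 enctype numbers (deprecated by RFC 6649 and RFC 8429).
WEAK = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}

def _entry(buf):
    off = 0
    def take(fmt):                       # read one big-endian field, advance
        nonlocal off
        (val,) = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return val
    counted = lambda: take(f">{take('>H')}s")   # 16-bit length, then bytes
    ncomp = take(">H")                   # component count, realm not included
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    off += 8                             # skip name type and timestamp
    kvno, enctype = take(">B"), take(">H")
    counted()                            # key bytes: skipped, never returned
    if len(buf) - off >= 4:              # optional 32-bit kvno replaces the 8-bit one
        kvno = take(">I") or kvno
    return f"{name}@{realm}", kvno, enctype

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each live entry; raises on bad input."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_entry(data[pos:pos + size]))
        pos += abs(size)                 # a negative size marks a deleted slot
    return entries

def audit(data, principal):
    """Return (found, weak_enctypes) for a principal such as host/HOSTNAME@REALM."""
    mine = [e for e in parse_keytab(data) if e[0] == principal]
    return bool(mine), sorted({WEAK[e[2]] for e in mine if e[2] in WEAK})

def sample_entry(enctype, kvno):         # constructed entry with a dummy all-zero key
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"EXAMPLE.COM") + s(b"host")
            + s(b"web01.example.com") + struct.pack(">IIBH", 1, 0, kvno, enctype)
            + s(b"\x00" * 16))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + sample_entry(23, 2) + sample_entry(18, 2)
```

On a real host, pass the bytes of /etc/krb5.keytab to `audit` and compare the reported kvno with the computer account's key version in the directory.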