Generating krb5.keytab

Sergey Yanovich ynvich at gmail.com
Thu Jun 12 12:43:23 GMT 2008


Matthieu PATOU wrote:
> Sergey Yanovich wrote:
>> If you provisioned your installation with setup/provision, chances are 
>> that {prefix}/private/krb5.keytab is the file you need.
>>
> I did a provision with a fairly recent snapshot 
> (74e1dd28f2f669bc196dc16b68c8b175bf835721)
>  but I don't see any krb5.keytab in my private dir.
> 
> Are there any special parameters for provision?

I just followed howto.txt to the letter. I am out of office, and the 
test box is switched off, so I cannot immediately provide an exact answer. 
The file may have a different name, like secrets.keytab or similar. 
'ktutils' from Debian's heimdal-clients package was able to rename 
entries there from MYHOST$@REALM.NET to host/myhost.realm.net@REALM.NET, 
and I was able to ssh to the Samba4 server, and ldaptools 
(ldap{add/modify/search}) were also able to authenticate using 
GSSAPI/Kerberos.

If you need to create a keytab for a host other than your server, you need 
to play a bit with {prefix}/bin/ldbedit or ldbadd on your server like 
Andrew said in his reply to your original post. Samba is internally 
using ldbadd to register new hosts, and it creates Kerberos principals 
for the hosts. Having a 'krb5Keytab' ldap attribute in the query will 
create a keytab at the address the attribute points to.

-- 
Sergey Yanovich
Abstract Accounting Ltd.
http://aasii.org/

