Generating krb5.keytab

Andrew Bartlett abartlet at
Thu Jun 19 09:35:48 GMT 2008

On Thu, 2008-06-19 at 11:17 +0300, Sergey Yanovich wrote:
> Andrew Bartlett wrote:
> > On Thu, 2008-06-19 at 02:11 +0300, Sergey Yanovich wrote:
> >> Thanks for the links. Did I understand correctly that the OpenLDAP backend 
> >> is important mostly as a replication facility?
> > 
> > Yes.  Also very interesting is Fedora DS, which has multi-master
> > replication.  While I've talked about OpenLDAP, we are not wedded to a
> > particular LDAP backend, just any backend that implements what we need.
> If multi-master (or -peer) replication is suitable, MySQL also has a 
> cluster database engine. From what I've heard about AD, it is a forest 
> of multiple sites (trees); each tree has a single authoritative KDC, 
> optional backups, and a global catalog, which is a partial slave replica 
> of all trees in the forest. My impression was that this is better off with 
> master-slave replication.

AD is fully multi-master, with a few tasks (schema, RID allocation)
being centralised on floating masters.  

> >> MySQL has exceptional master-slave replication. I'll focus on MySQL 
> >> back-end for ldb for now.
> > 
> > Then do look at the sqlite3 backend.  
> > 
> > Perhaps you could explain again why you need the MySQL backend?  I would
> > not expect a ldb_mysql to have a useful table layout for anything else
> > to read/write...
> The goal is simple, as stated in that presentation: "One account for one 
> person". The accounting package requires an industrial-grade RDBMS, and 
> MySQL is the most suitable FOSS implementation. It doesn't 
> provide built-in row-level access control, though, so I am going to implement 
> that. To satisfy the one-for-one objective, my implementation should extend 
> the domain management database. Samba4 is very promising as a cross-platform 
> domain controller. So I should figure out how to put the Samba4 database 
> into MySQL.

The OpenLDAP backend may well be the best way to do this.  Simply use it
instead of OpenLDAP's hdb.  Don't worry about the master/slave issues in
the short-term, just get it to work at all (then you can have OpenLDAP
chain the updates, for example). 

It would be quite valid to have Samba4 be fairly 'read only' for some
things in this situation, as this custom setup would be geared towards
administration from the accounting package side.

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.

More information about the samba-technical mailing list