S3 machine account and keytab
Matthieu Patou
mat+Informatique.Samba at matws.net
Mon Mar 22 04:15:14 MDT 2010
On 22/03/2010 00:17, simo wrote:
> On Sun, 2010-03-21 at 22:58 +0300, Matthieu Patou wrote:
>
>> Hello,
>>
>> This is not 100% a technical question, so feel free to throw me to #samba ...
>> I'm thinking of using kerberised ssh; for this I need a principal and a
>> keytab. I was first thinking of adding the ssh/hostname@REALM to the
>> machine account and then exporting the keytab. But I think it will be a
>> problem when the password changes, as the kvno won't be ok.
>>
> ssh uses host/fqdn@REALM
>
Yeah, you're right, I thought it was ssh/fqdn@REALM but it's not!
>
>> Of course there is the option to not make the password of the
>> workstation expire but somehow I don't think it's a very good idea (am I
>> wrong?).
>>
>> Is there an option for a host to export its password + principal as a
>> keytab?
>>
> I guess you want to look at the "kerberos method" option.
>
Well, net ads keytab is a good thing but it keeps asking me for a password
for generating the keytab. There is no way for root to (re)generate the
keytab without regenerating one?
Also, net ads keytab create does not put the fqdn, but just the short name.
Matthieu.