S3 machine account and keytab

simo idra at samba.org
Mon Mar 22 06:35:47 MDT 2010


On Mon, 2010-03-22 at 13:15 +0300, Matthieu Patou wrote:
> On 22/03/2010 00:17, simo wrote:
> > On Sun, 2010-03-21 at 22:58 +0300, Matthieu Patou wrote:
> >    
> >> Hello,
> >>
> >> This is not 100% a technical question, feel free to throw me to #samba ...
> >> I'm thinking of using kerberised ssh; for this I need a principal and a
> >> keytab. I was first thinking to add the ssh/hostname@REALM to the
> >> machine account and then export the keytab. But I think it will be a
> >> problem when the password changes as the kvno won't be ok.
> >>      
> > ssh uses host/fqdn@REALM
> >    
> Yeah, you're right, I thought it was ssh/fqdn@REALM but it's not!
> 
> >    
> >> Of course there is the option to not make the password of the
> >> workstation expire but somehow I don't think it's a very good idea (am I
> >> wrong ?).
> >>
> >> Is there an option for a host to export its password + principal as a
> >> keytab?
> >>      
> > I guess you want to look at the "kerberos method" option.
> >    
> Well, net ads keytab is a good thing but it keeps asking me for a password 
> for generating the keytab. There is no way for root to (re)generate the 
> keytab without regenerating one?
> Also, net ads keytab create does not put the fqdn, but just the shortname.

Time to open a bug IMO,
It should add both at the very least.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
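
The two failure modes raised in this thread (a keytab whose kvno is stale after a machine password change, and a keytab that lacks host/fqdn@REALM) can be checked by reading the keytab file directly. The following is an added example, not part of the original messages and not Samba code; the host names, realm, kvno values and the `build_entry` helper are constructed for illustration, and the caller supplies the KDC's current kvno.

```python
import struct

def _counted(buf, p):  # uint16-length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        kvno, enctype, keylen = struct.unpack_from(">8xBHH", data, p)  # 8x: name type, time
        p += 13 + keylen
        if pos + size - p >= 4:       # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos += size
    return entries

def check_host_principals(entries, short, fqdn, realm, current_kvno):
    """Return [(principal, 'missing' | 'stale kvno')] for host/short and host/fqdn."""
    problems = []
    for name in (f"host/{short}@{realm}", f"host/{fqdn}@{realm}"):
        kvnos = {k for n, k, _ in entries if n == name}
        if current_kvno not in kvnos:
            problems.append((name, "stale kvno" if kvnos else "missing"))
    return problems

# Constructed sample (dummy all-zero key): only the short name, exported at kvno 2.
def build_entry(realm, comps, kvno, enctype=18, key=b"\0" * 32):
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.COM", ["host", "ws1"], 2)
```

Calling `check_host_principals(parse_keytab(SAMPLE), "ws1", "ws1.example.com", "EXAMPLE.COM", 3)` reports the short-name entry as stale and the fqdn entry as missing, which are the two conditions under which sshd could not accept a ticket for this host.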


