samba4 keytab management
aarons-samba at aberrant.org
Tue Oct 19 11:00:15 MDT 2010
On 10/19/2010 08:14 AM, Trever L. Adams wrote:
> On 09/06/2010 05:28 PM, srikumar 108 wrote:
>> 2. 'ldbedit -H sam.ldb cn=imap' to add the following:
>> servicePrincipalName: imap/.f.q.d.n
>> userPrincipalName: imap/f.q.d.n at REALM
>> The 'userPrincipalName' entry is added by Windows ktpass.exe, but it
>> was not strictly necessary. The trick was to add the serviceprincipal
>> WITHOUT the realm part.
> Sorry for responding to an old thread, but I thought I would chime in.
> The userPrincipalName is actually required by some programs for things
> to work properly. One example of this is dovecot SASL being used by
> postfix (client Thunderbird 3.1.4 for smtp). I have been trying to get
> this to work for about a week.
> Just for grins, I added the userPrincipalName in the format listed above
> and all of my problems disappeared.
> Any fix to ktpass.sh would be GREATLY appreciated.
I believe this is because many programs want to be able to get those service
principal tickets. The samba KDC doesn't let you do that. Setting
userPrincipalName ended up being a temporary fix for my issue -- NFS4 wants to
be able to get nfs/foo tickets on both the server and clients. However, since
you can only set one userPrincipalName, I still think the right solution is
allowing clients to get service principal tickets.
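As an added illustration of the recipe quoted above (not code from the thread or from Samba), this shell snippet builds the LDIF for a service account with the realm kept off the servicePrincipalName and on the userPrincipalName, then applies it with ldbmodify and reads it back; the sam.ldb path, the DN and the hostnames are assumptions.

```shell
#!/bin/sh
# Location of the Samba4 sam.ldb is an assumption; override with SAMDB=...
SAMDB="${SAMDB:-/usr/local/samba/private/sam.ldb}"

# Emit an LDIF 'modify' following the thread's recipe:
#   servicePrincipalName  = service/fqdn         (no realm)
#   userPrincipalName     = service/fqdn@REALM   (with realm)
# Usage: make_spn_ldif <dn> <service> <fqdn> <REALM>
make_spn_ldif() {
    dn=$1; svc=$2; fqdn=$3; realm=$4
    # Refuse an SPN that already carries an '@' (realm leaked into the SPN)
    # or an empty service/host part.
    case "$svc/$fqdn" in *@*|/*|*/) return 1;; esac
    [ -n "$dn" ] && [ -n "$realm" ] || return 1
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: servicePrincipalName\nservicePrincipalName: %s/%s\n-\n' "$svc" "$fqdn"
    # Only one userPrincipalName is allowed per account, so replace rather than add.
    printf 'replace: userPrincipalName\nuserPrincipalName: %s/%s@%s\n-\n' \
        "$svc" "$fqdn" "$realm"
}

# Apply the LDIF to the directory.
apply_spn_ldif() {
    make_spn_ldif "$@" | ldbmodify -H "$SAMDB"
}

# Read the entry back so the two attribute forms can be confirmed by eye.
check_spn() {
    ldbsearch -H "$SAMDB" -b "$1" -s base servicePrincipalName userPrincipalName
}

# Example invocation (constructed DN and hostnames):
# apply_spn_ldif 'cn=imap,cn=Users,dc=example,dc=com' imap mail.example.com EXAMPLE.COM
# check_spn 'cn=imap,cn=Users,dc=example,dc=com'
```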