question about service principals (samba4)
aarons-samba at aberrant.org
Tue Sep 21 14:58:50 MDT 2010
I can see in ldap that computer objects have service principals associated with
them, however, I can't seem to use them.
I did a dump of the keys on the server with a net export keytab, and it didn't
populate that keytab with the service principals as I'd hoped. Thinking that
the service principals might be aliases for the actual machine account
principal, I tried renaming the key FOO$ to host/foo in that keytab and then
tried authenticating with it, but it told me host/foo was not found in the
My past experience with kerberos is all with heimdal and MIT krb, so I don't
know in what ways I should expect things to be different with windows or samba
KDC, but I do assume there is some way to get host/foo and nfs/foo keys so I can
start deploying some kerberized services. I was hoping the servicePrincipalName
entries did some sort of magic for me, but failing that, I suppose I need to
create completely separate accounts for each service principal I want.
Also, what is the canonical way to extract a keytab containing only keys I
specify? And related to that, will samba4 ever support a kadmin interface,
because that would be awesome.
More information about the samba-technical