question about service principals (samba4)
abartlet at samba.org
Tue Sep 21 17:39:33 MDT 2010
On Tue, 2010-09-21 at 16:58 -0400, Aaron Solochek wrote:
> I can see in ldap that computer objects have service principals associated with
> them, however, I can't seem to use them.
>
> I did a dump of the keys on the server with a net export keytab, and it didn't
> populate that keytab with the service principals as I'd hoped. Thinking that
> the service principals might be aliases for the actual machine account
> principal, I tried renaming the key FOO$ to host/foo in that keytab and then
> tried authenticating with it, but it told me host/foo was not found in the
>
> My past experience with Kerberos is all with Heimdal and MIT krb, so I don't
> know in what ways I should expect things to be different with Windows or Samba
> KDC, but I do assume there is some way to get host/foo and nfs/foo keys so I can
> start deploying some kerberized services. I was hoping the servicePrincipalName
> entries did some sort of magic for me, but failing that, I suppose I need to
> create completely separate accounts for each service principal I want.
>
> Also, what is the canonical way to extract a keytab containing only keys I
I hope to add extensions to our keytab management code to automatically
populate a keytab soon. My idea is to allow servicePrincipalName to be
specified in the secrets.ldb entries.
> And related to that, will samba4 ever support a kadmin interface,
> because that would be awesome.
We could, quite easily actually, but I've avoided doing so. It would
tie us to our current choice of Kerberos implementation in a way that is
exposed to our users. If there is a real desire, then I'm willing to
allow it - it just means building a little more of Heimdal.
(The problem is that the kadmin tool and protocol are not the same
between MIT and Heimdal.)
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
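The rename experiment in the quoted question is the right idea: an Active Directory account carries one set of Kerberos keys, and every servicePrincipalName registered on that account is served with those same keys, so a keytab entry for host/foo needs the machine account's key bytes stored under the principal name host/foo@REALM (the realm must be present, and the name must match what the service will look up). The script below is an added example written for this thread, not code from the thread, from Samba, or from Heimdal/MIT: it parses an MIT-format (version 0x0502) keytab, clones an account's keys under a list of SPN aliases, and filters a keytab down to the principals you want. The key bytes it builds are constructed test values, not real keys.

```python
"""Clone an AD machine-account key under SPN aliases in an MIT v2 keytab.

Added example (not Samba's own code). Assumes the MIT keytab file format,
version 0x0502, big-endian, with the optional 32-bit kvno trailer. The
sample keytab in main() is constructed in memory with fake key material.
"""
import struct
from dataclasses import dataclass

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab format v2
NT_SRV_HST = 3                 # RFC 4120 name type for service/host principals


@dataclass
class KeytabEntry:
    realm: str
    components: list      # principal name components, e.g. ["host", "foo.example.com"]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(buf: bytes, off: int):
    """Read a uint16 length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def _counted_bytes(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def parse_keytab(data: bytes) -> list:
    """Decode every live entry in a v2 keytab; negative-size slots are deleted entries."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 MIT keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        off += 11
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:               # 32-bit kvno extension overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry(realm.decode(), comps, name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def serialize_keytab(entries) -> bytes:
    """Encode entries as a v2 keytab, always writing the 32-bit kvno trailer."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _counted_bytes(e.realm.encode())
        for c in e.components:
            body += _counted_bytes(c.encode())
        body += struct.pack(">IIBH", e.name_type, e.timestamp, e.kvno & 0xFF, e.enctype)
        body += _counted_bytes(e.key) + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def clone_for_spns(entries, account: str, spns) -> list:
    """Return entries plus a copy of each key of `account` (e.g. 'FOO$@EXAMPLE.COM')
    under every SPN alias; realm, kvno, enctype and key bytes are copied unchanged."""
    cloned = list(entries)
    for e in entries:
        if e.principal != account:
            continue
        for spn in spns:
            cloned.append(KeytabEntry(e.realm, spn.split("/"), NT_SRV_HST,
                                      e.timestamp, e.kvno, e.enctype, e.key))
    return cloned


def select_principals(entries, wanted) -> list:
    """Keep only entries whose full principal name is in `wanted`."""
    wanted = set(wanted)
    return [e for e in entries if e.principal in wanted]


if __name__ == "__main__":
    # Constructed sample: one machine account with a fake 32-byte AES256 key (enctype 18).
    machine = KeytabEntry("EXAMPLE.COM", ["FOO$"], 1, 1285112373, 2, 18, bytes(range(32)))
    keytab = clone_for_spns([machine], "FOO$@EXAMPLE.COM",
                            ["host/foo.example.com", "nfs/foo.example.com"])
    with open("foo-services.keytab", "wb") as fh:
        fh.write(serialize_keytab(select_principals(
            keytab, ["host/foo.example.com@EXAMPLE.COM", "nfs/foo.example.com@EXAMPLE.COM"])))
    for e in parse_keytab(serialize_keytab(keytab)):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
```

The kvno and enctype are copied verbatim because the KDC encrypts a service ticket for host/foo with the account's current key; if the machine password is rotated, the keytab must be regenerated for every alias, which is the operational reason a KDC-side export (as discussed in the reply) is preferable to hand-editing keytabs.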