question about service principals (samba4)

Aaron Solochek aarons-samba at
Wed Sep 22 11:53:51 MDT 2010

On 09/21/2010 07:39 PM, Andrew Bartlett wrote:
> On Tue, 2010-09-21 at 16:58 -0400, Aaron Solochek wrote:
>> I can see in ldap that computer objects have service principals associated with
>> them, however, I can't seem to use them.
>> I did a dump of the keys on the server with a net export keytab, and it didn't
>> populate that keytab with the service principals as I'd hoped.  Thinking that
>> the service principals might be aliases for the actual machine account
>> principal, I tried renaming the key FOO$ to host/foo in that keytab and then
>> tried authenticating with it, but it told me host/foo was not found in the
>> database.
>> My past experience with kerberos is all with heimdal and MIT krb, so I don't
>> know in what ways I should expect things to be different with windows or samba
>> KDC, but I do assume there is some way to get host/foo and nfs/foo keys so I can
>> start deploying some kerberized services.  I was hoping the servicePrincipalName
>> entries did some sort of magic for me, but failing that, I suppose I need to
>> create completely separate accounts for each service principal I want.
>> Also, what is the canonical way to extract a keytab containing only keys I
>> specify?  
> I hope to add extensions to our keytab management code to automatically
> populate a keytab soon.  My idea is to allow servicePrincipalName to be
> specified in the secrets.ldb entries. 

But what about the service principals in the kdc?  Right now it seems that the
kdc is not aware of them.  Are they eventually going to be automatically
generated based on the servicePrincipalNames on demand or something similar so
they don't actually exist as individual objects in ldap?  Is my best temporary
fix to manually create service principal 'computer' accounts, or will that cause
me headaches later?

>> And related to that, will samba4 ever support a kadmin interface,
>> because that would be awesome.
> We could, quite easily actually, but I've avoided doing so.  It would
> tie us to our current choice of Kerberos implementation in a way that is
> exposed to our users.  If there is a real desire, then I'm willing to
> allow it - it just means building a little more of Heimdal.
> (The problem is that the kadmin tool and protocol is not the same
> between MIT and Heimdal)

Well, you could bundle the heimdal kadmin with samba4 too.  it will happily
coexist on an MIT krb system if you rename it kadmin.samba or something.  The
heimdal tools are better than the MIT ones anyway, imo.


More information about the samba-technical mailing list