question about service principals (samba4)
srikumar108 at gmail.com
Sat Sep 25 01:10:43 MDT 2010
On Fri, Sep 24, 2010 at 3:25 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> I see now that you want a tool that extracts keytabs for *other*
> accounts. I'll see what I can do to arrange that - would it be OK to
> have it also reset the password at keytab generation time?
> Andrew Bartlett
Yes, something like that. For the use I have in mind, resetting the
password shouldn't matter, I use random pass for those a/cs anyway.
What would a password reset imply, logon and logoff on the affected
host or a service restart, am I correct?
To be honest, I already have what I need with a little shell script
and heimdal's ktutil. However, that may not be a solution for
everybody (because of its dependence on heimdal's utilities). What I
was after was to create a user a/c, like 'smtp-speedy' and then add
an SPN like 'smtp/speedy.test.com' for kerberized services running on
other hosts (i.e. not on the DC), and which may not be running samba
(so I can't use existing methods like samba3's 'net ads keytab'
command). My thinking was, why should a web or mail server have to be
joined to the AD domain, shouldn't ldap and kerberos be enough?
Anyway, I think if the net command could be extended to dump just the
keytab for a specified SPN, and optionally create the SPN on the fly
given a samAccountName, it would be perfect. All one would have to do
# net newuser smtp-foo <randompass>
# net export keytab --samaccountname foo --principalname smtp/foo.domain.com
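The keytab that such a script (or the proposed net command) ends up writing for 'smtp/speedy.test.com' has a small, checkable binary layout. The following Python reader/writer is an added example, not code from this thread or from Samba or Heimdal: it encodes and parses the MIT/Heimdal version-2 keytab format that ktutil produces, so an exported keytab can be inspected for its principal, kvno and enctype before it is copied to the mail or web host. The realm TEST.COM, the 32-byte key (a placeholder, not a real derived key) and the timestamp are constructed values.

```python
import struct
import time
from dataclasses import dataclass, field

# Added example: minimal reader/writer for the version-2 keytab file format.
KEYTAB_MAGIC = b"\x05\x02"          # format version 2, the one ktutil writes today
KRB5_NT_PRINCIPAL = 1               # name type used for ordinary principals
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number


@dataclass
class KeytabEntry:
    realm: str
    components: list        # e.g. ["smtp", "speedy.test.com"]
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = field(default_factory=lambda: int(time.time()))
    name_type: int = KRB5_NT_PRINCIPAL

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _octet_string(data: bytes) -> bytes:
    # counted_octet_string: big-endian uint16 length followed by the bytes
    return struct.pack(">H", len(data)) + data


def encode_entry(entry: KeytabEntry) -> bytes:
    body = struct.pack(">H", len(entry.components))
    body += _octet_string(entry.realm.encode())
    for comp in entry.components:
        body += _octet_string(comp.encode())
    body += struct.pack(">I", entry.name_type)
    body += struct.pack(">I", entry.timestamp)
    body += struct.pack(">B", entry.kvno & 0xFF)   # legacy 8-bit kvno field
    body += struct.pack(">H", entry.enctype)
    body += _octet_string(entry.key)
    body += struct.pack(">I", entry.kvno)          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def _read_octet_string(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(blob: bytes):
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size            # negative size marks a deleted slot; skip it
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm, pos = _read_octet_string(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octet_string(blob, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        (etype,) = struct.unpack_from(">H", blob, pos); pos += 2
        key, pos = _read_octet_string(blob, pos)
        kvno = vno8
        if end - pos >= 4:          # 32-bit kvno present after the key block
            (kvno,) = struct.unpack_from(">I", blob, pos)
        entries.append(KeytabEntry(realm.decode(), comps, kvno, etype, key, ts, name_type))
        pos = end
    return entries


def list_principals(blob: bytes):
    """What `klist -k` / `ktutil list` show: (kvno, enctype, principal) per entry."""
    return [(e.kvno, e.enctype, e.principal) for e in parse_keytab(blob)]


# Constructed sample: the SPN from the thread with a placeholder 32-byte key.
SAMPLE_ENTRY = KeytabEntry(
    realm="TEST.COM",
    components=["smtp", "speedy.test.com"],
    kvno=3,
    enctype=ETYPE_AES256_CTS_HMAC_SHA1_96,
    key=bytes(range(32)),     # placeholder, NOT a real string-to-key result
    timestamp=1285398643,
)

if __name__ == "__main__":
    blob = write_keytab([SAMPLE_ENTRY])
    for kvno, etype, princ in list_principals(blob):
        print(f"kvno {kvno} etype {etype} {princ}")
```

Run stand-alone it prints one line per entry in the style of klist -k. The kvno is the field worth checking on the service host: a password reset on the account (as proposed above for keytab generation time) increments the kvno in the directory, so any keytab carrying an older kvno stops working and should be replaced rather than debugged.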