question about service principals (samba4)

srikumar 108 srikumar108 at
Sun Sep 26 16:06:51 MDT 2010

On Sat, Sep 25, 2010 at 12:46 PM, Aaron Solochek
<aarons-samba at> wrote:
> On 09/25/2010 03:10 AM, srikumar 108 wrote:

>> To be honest, I already have what I need with a little shell script
>> and heimdal's ktutil. However, that may not be a solution for
>> everybody (because of its dependence on heimdal's utilities). What I
>> was after was to create an user a/c, like 'smtp-speedy' and then add
>> an SPN like 'smtp/' for kerberized services running on
>> other hosts (i.e. not on the DC), and which may not be running samba
>> (so I can't use existing methods like samba3's 'net ads keytab'
>> command). My thinking was, why should a web or mail server have to be
>> joined to the AD domain, shouldn't ldap and kerberos be enough?
> This situation is pretty much exactly why I'd like kadmin running on the kdc.
> It is unfortunate that the protocols are different between Heimdal/MIT, and I am
> assuming that it's non-trivial to swap in MIT krb5 in the samba build, but
> kerberos doesn't imply samba, and a network could very well have machines that
> want kerberos but not samba.  It ought to be possible to set up such a machine
> using the kerberos tools it will already have, and not be required to extract
> the keys on some third machine and transfer them over.

It sounds like a possible solution for you would be to run a separate
kdc and establish a two-way trust with the domain controller. We have
something similar working. In this way, the AD servers manage the
Windows desktops, and a separate bunch of unix servers can be manged
by a unix kdc using familiar tools. Now, I know this can be with Win2k
servers, but I don't know if this can be done with samba4, or whether
that feature is planned. This can also satisfy the "we want to run our
own kdc" constituency...


More information about the samba-technical mailing list