Beyond samba4 wiki page

Colin Simpson Colin.Simpson at iongeo.com
Fri Oct 12 12:10:26 MDT 2012


On Fri, 2012-10-12 at 14:17 +0200, Marc Muehlfeld wrote:
> Hi Colin,
>
> just create yourself a wiki account and ask here so someone can enable it. And
> then add your content to the page. About Apache+Kerberos I suggest to add an
> additional section, because I think it's not always necessary/wanted to have
> single sign on.
>
> Regards,
> Marc
>
>
>

I can add to the Wiki, but I don't currently have a Samba 4 here to
test. So if someone else can test what I do, that'd be great. But two
questions:

1/ How do I get permission to edit this page?

2/ What would be the net command equivalent of

ktpass -princ HTTP/FQDN@domainname -mapuser http-servername -pass * -out c:\temp\HTTPkeytab /crypto all

I can use setspn in Windows to set multiple SPNs for an account but I
don't know if there is any simple way to extract all these as a single
keytab file. I believe not. One account per website address I think is
easiest. Or can Samba's net command pull off this piece of magic?

I know I can add the HTTP into the main machine keytab "net ads keytab
add http", but security best practice would be to create a new keytab for
apache. Maybe opinions here vary?

Thanks

Colin






