Beyond samba4 wiki page
Gémes Géza
geza at kzsdabas.hu
Fri Oct 12 12:53:43 MDT 2012
On 2012-10-12 20:10, Colin Simpson wrote:
> On Fri, 2012-10-12 at 14:17 +0200, Marc Muehlfeld wrote:
>> Hi Colin,
>>
>> just create yourself a wiki account and ask here so someone can enable it. And
>> then add your content to the page. About Apache+Kerberos I suggest to add an
>> addition section, because I think it's not always neccessary/wanted to have
>> single sign on.
>>
>> Regards,
>> Marc
>>
> I can add to the Wiki, but I don't currently have a Samba 4 here to
> test. So if someone else can test what I do, that'd be great. But two
> questions:
>
> 1/ How do I get permission to edit this page?
>
> 2/ What would be the net command equivalent of
>
> ktpass -princ HTTP/FQDN@domainname -mapuser http-servername -pass *
>        -out c:\temp\HTTPkeytab /crypto all
You would do it in two steps:

samba-tool spn add HTTP/FQDN@domainname http-servername
samba-tool domain exportkeytab /path/to/the.keytab --principal=HTTP/FQDN@domainname

The real difference is that using samba-tool you can create the
http-servername account with a randomly generated password using:

samba-tool user create --random-password http-servername

and thus no need to specify the password in the whole process.
> I can use setspn in Windows to set multiple SPNs for an account but I
> don't know if there is any simple way to extract all these as a single
> keytab file. I believe not. One account per website address I think is
> easiest. Or can Samba's net command pull of this piece of magic.
With samba-tool domain exportkeytab you can extract as many
spns/accounts as you wish as they get added to the keytab file, instead
of overwriting it with each invocation.
>
> I know I can add the HTTP into the main machine keytab "net ads keytab
> add http", but security best practice would be to create new keytab for
> apache. Maybe opinions here vary?
>
> Thanks
>
> Colin
Regards
Geza Gemes
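The procedure described in the reply above, carried out as a shell script and followed by the check a defender wants afterwards: that the exported keytab (which holds a long-lived service key) is owned by the web server user and not readable by anyone else. This is added example code, not part of the thread or of Samba. It assumes samba-tool is on PATH (the SAMBA_TOOL variable lets a substitute be named for testing), that the caller may create accounts, and that the web server runs as the placeholder user www-data; host, realm and account names in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: create a dedicated Apache service account
# on a Samba 4 AD DC, register its HTTP SPN, export a separate keytab, and
# check that the keytab file is readable only by the web server user.
# Assumptions: samba-tool is on PATH (override with SAMBA_TOOL for testing),
# the caller may create accounts, and the web server runs as "www-data"
# (placeholder; adjust for your distribution).

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Build the service principal name. Kerberos realms are upper-case by
# convention, so the realm part is normalised here.
http_principal() {
    _realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'HTTP/%s@%s\n' "$1" "$_realm"
}

# The three steps from the thread: account with a random password (so no
# password is ever typed or logged), SPN mapping, keytab export.
provision_http_keytab() {
    _fqdn="$1"; _realm="$2"; _account="$3"; _keytab="$4"
    _princ=$(http_principal "$_fqdn" "$_realm")
    "$SAMBA_TOOL" user create --random-password "$_account" || return 1
    "$SAMBA_TOOL" spn add "$_princ" "$_account" || return 1
    "$SAMBA_TOOL" domain exportkeytab "$_keytab" --principal="$_princ" || return 1
}

# Portable stat for owner and octal mode (GNU coreutils first, then BSD/macOS).
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Defender's check: the keytab must exist, be owned by the web server user,
# and carry mode 0400 or 0600 so no other local user can read the service key.
keytab_is_locked_down() {
    _keytab="$1"; _owner="$2"
    [ -f "$_keytab" ] || return 1
    [ "$(file_owner "$_keytab")" = "$_owner" ] || return 1
    case "$(file_mode "$_keytab")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Hand the keytab to the web server user and close it to everyone else (needs root).
lock_down_keytab() {
    chown "$2" "$1" && chmod 0400 "$1"
}

# Usage (constructed names):
#   ./apache-keytab.sh web1.example.com example.com http-web1 /etc/apache2/http.keytab
if [ $# -eq 4 ]; then
    provision_http_keytab "$1" "$2" "$3" "$4" || exit 1
    lock_down_keytab "$4" www-data || exit 1
    keytab_is_locked_down "$4" www-data || { echo "keytab still readable by others" >&2; exit 1; }
    klist -k "$4"   # list the principals now stored in the new keytab
fi
```

Keeping the HTTP key in its own file, as Colin suggests, means the web server never needs read access to the host keytab, and `keytab_is_locked_down` is the check to run again after any package upgrade or configuration management run that might reset file ownership.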