Beyond samba4 wiki page

Gémes Géza geza at kzsdabas.hu
Fri Oct 12 12:53:43 MDT 2012


On 2012-10-12 20:10, Colin Simpson wrote:
> On Fri, 2012-10-12 at 14:17 +0200, Marc Muehlfeld wrote:
>> Hi Colin,
>>
>> just create yourself a wiki account and ask here so someone can enable it. And
>> then add your content to the page. About Apache+Kerberos I suggest adding an
>> additional section, because I think it's not always necessary/wanted to have
>> single sign on.
>>
>> Regards,
>> Marc
>>
>>
>>
> I can add to the Wiki, but I don't currently have a Samba 4 here to
> test. So if someone else can test what I do, that'd be great. But two
> questions:
>
> 1/ How do I get permission to edit this page?
>
> 2/ What would be the net command equivalent of
>
> ktpass -princ HTTP/FQDN@domainname -mapuser http-servername -pass *
> -out c:\temp\HTTPkeytab /crypto all
You would do it in two steps:

samba-tool spn add HTTP/FQDN@domainname http-servername
samba-tool domain exportkeytab /path/to/the.keytab --principal=HTTP/FQDN@domainname

The real difference is that using samba-tool you can create the
http-servername account with a randomly generated password using:

samba-tool user create --random-password http-servername

and thus there is no need to specify the password in the whole process.
> I can use setspn in Windows to set multiple SPNs for an account but I
> don't know if there is any simple way to extract all these as a single
> keytab file. I believe not. One account per website address I think is
> easiest. Or can Samba's net command pull off this piece of magic?
With samba-tool domain exportkeytab you can extract as many
SPNs/accounts as you wish, as they get added to the keytab file instead
of overwriting it with each invocation.
>
> I know I can add the HTTP into the main machine keytab "net ads keytab
> add http", but security best practice would be to create new keytab for
> apache. Maybe opinions here vary?
>
> Thanks
>
> Colin
Regards

Geza Gemes
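The two-step sequence above, written out as a script that creates one service account with a random password, registers several HTTP SPNs on it, exports them all into a single Apache-only keytab and locks down its permissions (an added example, not from the thread; the account name, realm, hostnames, keytab path and the www-data user are assumed placeholders):

```shell
#!/bin/sh
# Added example (not from the thread). Run on the Samba AD DC as root.
# Assumptions: ACCOUNT, REALM, KEYTAB and HOST names are placeholders;
# set DRY_RUN=1 to print the commands instead of executing them.
set -eu

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Full Kerberos principal for a web host: HTTP/www.example.com@EXAMPLE.COM
spn_for() {
    printf 'HTTP/%s@%s' "$1" "$2"
}

# make_http_keytab ACCOUNT REALM KEYTAB HOST...
make_http_keytab() {
    account=$1; realm=$2; keytab=$3; shift 3
    # Random password: nobody has to know or type it at any step.
    run samba-tool user create --random-password "$account"
    for host in "$@"; do
        # One account may carry several SPNs (one per virtual host name).
        run samba-tool spn add "HTTP/$host" "$account"
        # exportkeytab appends to an existing keytab, so all SPNs
        # end up in the same file instead of overwriting each other.
        run samba-tool domain exportkeytab "$keytab" \
            --principal="$(spn_for "$host" "$realm")"
    done
    # Separate keytab for Apache (not the machine keytab), readable
    # only by the web server's own user.
    run chown "${APACHE_USER:-www-data}" "$keytab"
    run chmod 0600 "$keytab"
}

# Check afterwards which principals (and kvno) the keytab holds.
list_keytab() {
    run klist -kt "$1"
}

if [ $# -gt 0 ]; then
    make_http_keytab "$@"
fi
```

Invoke as `./make_http_keytab.sh http-web EXAMPLE.COM /etc/apache2/http.keytab web1.example.com web2.example.com`, then `list_keytab /etc/apache2/http.keytab` to confirm both SPNs are present.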

