samba4 kerberos user principals with instances
David Mansfield
samba at dm.cobite.com
Mon Apr 15 18:49:17 MDT 2013
On 04/15/2013 06:59 PM, Dewayne wrote:
> David,
> The creation of additional principals in samba4 is achieved by creating a user record and then the spn.
>
> Example:
> samba-tool user create http-user --random-password
> samba-tool spn add HTTP/www.mansfieldsite.org http-user
> samba-tool domain exportkeytab --principal=HTTP/www.mansfieldsite.org http.keytab
>
> Samba4 Kerberos is based on the heimdal implementation. Perhaps you could be clearer about what aspect you regard as rubbish?
>
First and foremost, the "rubbish" was a joke based on the other mailing
list thread today that seemed to take over my inbox... I don't think
it's "rubbish" in the least, on the contrary!
Regarding SPN, I've used it to create service principals, and I can
create the SPN on my user, e.g.:
samba-tool spn add david/admin david
But I need to obtain a TGT for this principal, so it needs a password
somehow, rather than an exported keytab. It's to be used by a user, to
authenticate to a service with a different credential than the "regular"
one. I've seen people using this to restrict root access (user/root@REALM).
In particular, the cyrus-imap server does not want "regular" users to
log in to administer it, or else it screws up the regular mail-reading
process. However, I still need Kerberos authentication. So the
recommended approach is to use "user principal instances".
I'll poke around. Maybe I can set a password on an SPN somehow.