samba4 kerberos user principals with instances
Gémes Géza
geza at kzsdabas.hu
Mon Apr 15 22:41:24 MDT 2013
2013-04-16 02:49 keltezéssel, David Mansfield írta:
> On 04/15/2013 06:59 PM, Dewayne wrote:
>> David,
>> The creation of additional principles in samba4 is achieved by
>> creating a user record and then the spn.
>>
>> Example:
>> samba-tool user create http-user --random-password
>> samba-tool spn add HTTP/www.mansfieldsite.org http-user
>> samba-tool domain exportkeytab --principal=HTTP/www.mansfieldsite.org
>> http.keytab
>>
>> Samba4 Kerberos is based on the heimdal implementation. Perhaps you
>> could be clearer about what aspect you regard as rubbish?
>>
> First and foremost, the "rubbish" was a joke based on the other
> mailing list thread today that seemed to take over my inbox... I
> don't think it's "rubbish" in the least, on the contrary!
>
> Regarding SPN, I've used it to create service principals, and I can
> create the SPN on my user,e.g.:
>
> samba-tool spn add david/admin david
>
> But I need to obtain a tgt for this principal, so it needs a password
> somehow, rather than an exported keytab. It's to be used by a user,
> to authenticate to a service with a different credential than the
> "regular" one. I've seen people using this to restrict root access
> (user/root at REALM).
>
> In particular, the cyrus-imap server does not want "regular" users to
> log in to administer it, or else it screws up the regular mail-reading
> process. However, I still need kerberos authentication. So the
> recommended approach is to use "user principal instances".
>
> I'll poke around. Maybe I can set a password on an SPN somehow.
No, you misunderstood the spn capability. Passwords can be assigned to
accounts not spns. So I recommend adding a separate (username-admin
perhaps) account to those users you want to give administrative rights
(and could assign spns to their accounts)
Regards
Geza Gemes
More information about the samba-technical
mailing list