[Samba] SAMBA Kerberos misunderstanding
Mark Proehl
M.Proehl at science-computing.de
Sun Feb 25 18:39:20 GMT 2007
Hi,
On Thu, Feb 22, 2007 at 03:59:00PM +1000, Bradley Schatz wrote:
> Thanks Mark,
>
> I did the following:
>
> net ads keytab ADD HTTP/foundry.example.local
>
> It placed the following in my keytab:
>
> klist -k:
> <snip>
> 2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
> 2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
> 2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
> <snip>
>
> The following appears to have done the right thing:
>
> net ads keytab ADD HTTP
>
> klist -k
> <snip>
> 2 HTTP/foundry.example.local@EXAMPLE.LOCAL
> 2 HTTP/foundry.example.local@EXAMPLE.LOCAL
> <snip>
>
> However, I am still no closer than I started:
>
> kinit -k -t /etc/krb5.keytab HTTP/foundry.example.local
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
I do not understand why you want to gain a TGT for a service
principal. This would be possible in a MIT Kerberos environment. In an
Active Directory environment it would also be possible if you created
HTTP/foundry.example.local as a user principal name. But it is not
necessary for kerberizing Apache.
- Mark
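
An added example, not part of the original thread: a shell check that audits `klist -k` output for the expected `HTTP/<host>@<REALM>` entry and flags the doubled-hostname form shown in the quoted listing, without needing `kinit`. The helper name `check_keytab_spn` is hypothetical, and the sample listings are constructed from the host and realm names in the thread (real `klist -k` output separates the realm with `@`).

```shell
# check_keytab_spn SERVICE HOST REALM  (hypothetical helper; reads `klist -k` output on stdin)
# Returns 0 only if SERVICE/HOST@REALM is present and no SERVICE entry is malformed.
check_keytab_spn() {
    awk -v want="$1/$2@$3" -v svc="$1" '
        # Entry lines are "<kvno> <principal>"; header and ruler lines are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            princ = $2
            if (seen[princ]++) next          # repeated lines (one per key) are reported once
            n = split(princ, at, "@")
            parts = split(at[1], comp, "/")
            if (comp[1] != svc) next         # entries for other services are out of scope
            if (n != 2 || parts != 2) {
                printf "MALFORMED %s (expected service/host@REALM)\n", princ
                bad = 1
            } else if (princ == want) {
                printf "OK %s kvno=%s\n", princ, $1
                found = 1
            } else {
                printf "OTHER %s\n", princ
            }
        }
        END {
            if (!found) printf "MISSING %s\n", want
            exit ((found && !bad) ? 0 : 1)
        }'
}

# Constructed sample: the result of `net ads keytab ADD HTTP/foundry.example.local`.
sample_bad() { cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------
   2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local/foundry.example.local@EXAMPLE.LOCAL
EOF
}

# Constructed sample: the result of `net ads keytab ADD HTTP`.
sample_good() { cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
   2 HTTP/foundry.example.local@EXAMPLE.LOCAL
EOF
}

sample_bad | check_keytab_spn HTTP foundry.example.local EXAMPLE.LOCAL || true
```

Against a real keytab, the input would come from `klist -k /etc/krb5.keytab` piped into `check_keytab_spn`.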