[Samba] Alternate to 'net ads keytab'?
NP Samba Lists
samba-lists at noopy.org
Tue Mar 17 02:45:02 GMT 2009
We're currently binding hosts to a Windows 2000 domain through a
third-party product (that also supports Kerberos/NFSv4) but we also
have a need to have other hosts grab their credentials from a Windows
KDC for NFSv4 access. While we don't intend to bind these systems to
AD, we do have the requirement to pull their SPNs from AD and place
them in /etc/krb5.keytab. Note that ktpass.exe is not an option here
and I suspect there's another and simpler way that I'm just missing
So, my question is: if a system has *not* been joined to the domain
with 'net ads join' and has already been "pre-staged" in AD as a
user/computer account with the desired SPNs by a Windows admin, can I
just use Samba 'net ads keytab' to build /etc/krb5.keytab on the
system without joining the system to the domain? Or is there another
way to build /etc/krb5.keytab from SPNs in AD? I know I can grab the
kvno from AD but that's only marginally helpful 'cause I also need the
shared secrets I'd assume.
Please let me know your suggestions and what I might be missing.
"You will probably find that this hot mix will probably sell by the
bucket load. I suggest yo...
More information about the samba