[Samba] Samba 4 kerberos and kinit

Gémes Géza geza at kzsdabas.hu
Fri Jan 13 11:22:59 MST 2012

On 2012-01-13 13:45, steve wrote:
>> 'I have setup a real user that the daemon will run as, and have given
>> that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf
>> krb5_ccname /var/run/nslcd/nslcd.tkt
>> How has the guy 'given that user a valid kerberos tgt'?
>> IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put
>> in /var/run/nslcd ?????
>> It's been a long night!
>> Cheers
>> Steve
> It's to do with the host principal no?
> I need to do the equivalent of this:
> kadmin add -r host/machine.sample.com
> How do I specify the 'r' option with samba-tool??
> So that translates to:
> <spn host user stuff>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/REALM
> Where do I put the r ???!!
> Thanks,
> Steve
It doesn't need to have anything to do with the host principal. You
could have a unique nslcd service account. On the other hand, I
suggest exporting each principal to its own keytab instead of dumping
them all into /etc/krb5.keytab; if needed they can be "copied" together with ktutil.
Another suggestion: as the uri, specify the FQDN of the Samba4 server instead
of its IP address, as an IP address makes it harder (a reverse name
lookup is needed) for Kerberos to find which account it needs to get the ticket for.
You should copy/move the resulting keytab wherever you wish; just make
sure you specify the exact same path in nslcd.conf (or equivalent).
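The procedure described in this reply, as an added shell example that is not from the post or from the Samba project: export one principal to its own keytab, check that the keytab holds only that principal, obtain the TGT into the cache file nslcd reads, merge keytabs with ktutil only when needed, and write the nslcd.conf fragment with the DC named by FQDN. The realm SAMDOM.EXAMPLE.COM, the DC dc1.samdom.example.com, the account nslcd-svc, the keytab path /etc/krb5.nslcd.keytab and the daemon user nslcd are assumed names; kinit/klist/ktutil are used with MIT Kerberos syntax, and the nslcd.conf option names are nslcd's own but the values are assumed.

```shell
#!/bin/sh
# Added example, not code from the list post or from Samba.
# Assumed: realm SAMDOM.EXAMPLE.COM, DC dc1.samdom.example.com, account
# nslcd-svc, keytab /etc/krb5.nslcd.keytab, daemon user "nslcd".
# kinit/klist/ktutil are MIT Kerberos; samba-tool is used as in the post.
set -eu

REALM="${REALM:-SAMDOM.EXAMPLE.COM}"
PRINC="${PRINC:-nslcd-svc@$REALM}"
KEYTAB="${KEYTAB:-/etc/krb5.nslcd.keytab}"
CCACHE="${CCACHE:-/var/run/nslcd/nslcd.tkt}"
DC_FQDN="${DC_FQDN:-dc1.samdom.example.com}"

# 1. On the DC: one principal -> its own keytab, not into /etc/krb5.keytab.
export_keytab() {
    samba-tool domain exportkeytab "$KEYTAB" --principal="$PRINC"
    chmod 0600 "$KEYTAB"
}

# 2. Check that a keytab holds only the intended principal.  Reads
#    `klist -kt` output on stdin so it can be run on a captured listing;
#    MIT klist prints the principal as the last field of every entry line.
keytab_only_principal() {
    awk -v want="$1" '
        $1 !~ /^[0-9]+$/ { next }      # skip "Keytab name:", header and ruler
        { found = 1; if ($NF != want) bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }'
}

# 3. Get the TGT nslcd will use, written to the path given as krb5_ccname,
#    owned by the daemon user; aborts if the keytab contains other principals.
get_tgt() {
    klist -kt "$KEYTAB" | keytab_only_principal "$PRINC"
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINC"
    chown nslcd:nslcd "$CCACHE"
    chmod 0600 "$CCACHE"
}

# 4. Only if several principals really must share one file: merge with ktutil.
merge_keytabs() {   # usage: merge_keytabs OUT IN1 IN2 ...
    out="$1"; shift
    { for kt in "$@"; do printf 'read_kt %s\n' "$kt"; done
      printf 'write_kt %s\n' "$out"; } | ktutil
}

# 5. nslcd.conf fragment: the uri names the DC by FQDN, not IP, so the
#    client can build ldap/<fqdn>@REALM without a reverse lookup.
nslcd_conf() {
    base=$(printf '%s' "$REALM" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), tolower($i) }')
    cat <<EOF
uri ldap://$DC_FQDN/
base $base
sasl_mech GSSAPI
sasl_realm $REALM
krb5_ccname $CCACHE
EOF
}

case "${1:-}" in
    export) export_keytab ;;
    tgt)    get_tgt ;;
    conf)   nslcd_conf ;;
esac
```

Run `sh script export` on the DC, copy the keytab to the client, then `sh script tgt` there and `sh script conf >> /etc/nslcd.conf`. The TGT obtained by `get_tgt` expires like any other (10 hours by default), so the `tgt` step has to be repeated from cron or a tool such as k5start before it runs out, otherwise nslcd silently loses its LDAP binding.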
