[Samba] Samba 4 kerberos and kinit

steve steve at steve-ss.com
Fri Jan 13 15:01:49 MST 2012

On 13/01/12 19:22, Gémes Géza wrote:
> 2012-01-13 13:45 keltezéssel, steve írta:
>>> 'I have setup a real user that the daemon will run as, and have given
>>> that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf
>>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>> How has the guy 'given that user a valid kerberos tgt'?
>>> IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put
>>> in /var/run/nslcd ?????
>>> Its been a long night!
>>> Cheers
>>> Steve
>> It's to do with the host principal no?
>> I need to do the equivalent of this:
>> kadmin add -r host/machine.sample.com
>> How do I specify the 'r' option with samba-tool??
>> So that translates to:
>> <spn host user stuff>
>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/REALM
>> Where do I put the r ???!!
>> Thanks,
>> Steve
> It doesn't need to have anything to do with the host principal. You
> could have a very unique nslcd service account.
Yes. I have that account: nslcd-user. I can create a keytab for 
nslcd-user. let's say nslcd-user.keytab. Now, what is the sytax of the 
line to add to nslcd.conf? There seems to be no way to specify that.
>   On the other hand I
> suggest to export each principal to its own keytab instead of dumping
> all to /etc/krb5.keytab if needed they can be "copied" together with ktutil.
> Another suggestion: as uri specify the fqdn of the Samba4 server instead
> of its ip address, as it makes harder (it needs to do reverse name
> lookup) for kerberos to find which account it needs to get the ticket for.
OK. If I have understood this correctly, for me my server, ip= has fqdn hh3.site so I should specify
uri hh3.site rather than uri or no?
> You should copy/move the resulting keytab wherever you wish, just make
> sure you specify the exact same path in nslcd.conf (or equivalent)
That's what I don't know how to do!

More information about the samba mailing list