[Samba] Samba 4 kerberos and kinit

Michael Wood esiotrot at gmail.com
Fri Jan 13 19:17:12 MST 2012


On 14 January 2012 01:28, steve <steve at steve-ss.com> wrote:
> On 13/01/12 23:36, Michael Wood wrote:
>>
>> On 14 January 2012 00:01, steve<steve at steve-ss.com>  wrote:
>>>
>>> On 13/01/12 19:22, Gémes Géza wrote:
>>
>> [...]
>>>>
>>>> It doesn't need to have anything to do with the host principal. You
>>>> could have a very unique nslcd service account.
>>>
>>> Yes. I have that account: nslcd-user. I can create a keytab for
>>> nslcd-user.
>>> Let's say nslcd-user.keytab. Now, what is the syntax of the line to add to
>>> nslcd.conf? There seems to be no way to specify that.
>>
>> Does this not work, as per the link that Géza pointed you to earlier
>> in this thread?
>>
>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>
> No, 'fraid not. The only stuff in /var/run/nslcd are:
> nslcd.pid  socket
> I've commented out the line and it still works without having a cache. I'd
> still like to work it out though.

No, you misunderstand.  You create the keytab (e.g. to
/var/run/nslcd/nslcd.tkt) and then tell nslcd where it is by using the
krb5_ccname option.

I don't know a huge amount about Kerberos, so I don't know what the
difference is between a ticket/credentials cache and a keytab file.
"ccname" == "credentials cache name"

Hope the above helps :)

-- 
Michael Wood <esiotrot at gmail.com>
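
Added example (not part of the thread, and not nslcd or Samba code): a keytab holds a principal's long-term keys, while a credentials cache holds tickets obtained with them, and the two file types can be told apart by their leading version bytes. The function names, the EXAMPLE.COM realm and the sample bytes are constructed for illustration.

```python
import os
import stat
import struct

# Constructed sample: v4 ccache header + default principal nslcd-user@EXAMPLE.COM
SAMPLE_CCACHE = (b"\x05\x04\x00\x0c\x00\x01\x00\x08" + bytes(8)
                 + struct.pack(">II", 1, 1)
                 + struct.pack(">I", 11) + b"EXAMPLE.COM"
                 + struct.pack(">I", 10) + b"nslcd-user")

def _counted(buf, off):
    """Read one big-endian length-prefixed byte string; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def ccache_principal(buf):
    """Default principal of a version 3/4 credentials cache, as 'name@REALM'."""
    off = 2
    if buf[1] == 4:                      # v4 adds a tagged header after the version
        (hlen,) = struct.unpack_from(">H", buf, off)
        off += 2 + hlen
    _ntype, count = struct.unpack_from(">II", buf, off)
    realm, off = _counted(buf, off + 8)
    parts = []
    for _ in range(count):
        comp, off = _counted(buf, off)
        parts.append(comp.decode())
    return "/".join(parts) + "@" + realm.decode()

def inspect_krb5_file(path):
    """Classify a file as keytab or ccache and flag group/other permissions."""
    with open(path, "rb") as fh:
        buf = fh.read(4096)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    info = {"kind": "unknown", "principal": None, "loose_mode": bool(mode & 0o077)}
    if len(buf) >= 2 and buf[0] == 5:
        if buf[1] in (3, 4):
            info["kind"] = "ccache"      # short-lived tickets, as written by kinit
            try:
                info["principal"] = ccache_principal(buf)
            except (struct.error, UnicodeDecodeError):
                pass                     # truncated or damaged cache
        elif buf[1] in (1, 2):
            # Long-term keys. Legacy v1/v2 ccaches share these bytes, but
            # current MIT and Heimdal tools write v4 caches by default.
            info["kind"] = "keytab"
    return info

if __name__ == "__main__":
    print(ccache_principal(SAMPLE_CCACHE))
```

Run `inspect_krb5_file` on the path given to `krb5_ccname`; a `keytab` result there means the file holds keys rather than tickets, and `loose_mode` flags a file readable by users other than its owner.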

