[Samba] Samba 4 kerberos and kinit
Michael Wood
esiotrot at gmail.com
Fri Jan 13 19:17:12 MST 2012

On 14 January 2012 01:28, steve <steve at steve-ss.com> wrote:
> On 13/01/12 23:36, Michael Wood wrote:
>>
>> On 14 January 2012 00:01, steve <steve at steve-ss.com> wrote:
>>>
>>> On 13/01/12 19:22, Gémes Géza wrote:
>>
>> [...]
>>>>
>>>> It doesn't need to have anything to do with the host principal. You
>>>> could have a very unique nslcd service account.
>>>
>>> Yes. I have that account: nslcd-user. I can create a keytab for
>>> nslcd-user.
>>> Let's say nslcd-user.keytab. Now, what is the syntax of the line to add to
>>> nslcd.conf? There seems to be no way to specify that.
>>
>> Does this not work, as per the link that Géza pointed you to earlier
>> in this thread?
>>
>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>
> No, 'fraid not. The only stuff in /var/run/nslcd are:
> nslcd.pid socket
> I've commented out the line and it still works without having a cache. I'd
> still like to work it out though.

No, you misunderstand. You create the keytab (e.g. to
/var/run/nslcd/nslcd.tkt) and then tell nslcd where it is by using the
krb5_ccname option.

I don't know a huge amount about Kerberos, so I don't know what the
difference is between a ticket/credentials cache and a keytab file.

"ccname" == "credentials cache name"

Hope the above helps :)

--
Michael Wood <esiotrot at gmail.com>
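
An added example, not part of the original message or of nslcd: a keytab (long-term keys for a principal) and a credentials cache (tickets obtained with those keys) are different on-disk formats, and this Python check tells them apart by header so you can verify what the file named by krb5_ccname actually is. It assumes keytab format 0x0502 and ccache formats 0x0503/0x0504; the function names, the EXAMPLE.COM realm and the sample bytes are constructed for illustration.

```python
import struct

def _read_name(data, off, fmt, ncomp):
    """Read the realm, then ncomp components, each a length-prefixed string."""
    parts = []
    for _ in range(ncomp + 1):
        (n,) = struct.unpack_from(fmt, data, off)
        off += struct.calcsize(fmt)
        parts.append(data[off:off + n].decode())
        off += n
    return "/".join(parts[1:]) + "@" + parts[0]

def describe(data):
    """Return (kind, principal) for a keytab or credentials cache image."""
    if len(data) < 2 or data[0] != 5:
        return ("unknown", None)
    version = data[1]
    if version == 2:                    # keytab: 16-bit counts and lengths
        (ncomp,) = struct.unpack_from(">H", data, 6)  # after 4-byte entry size
        return ("keytab", _read_name(data, 8, ">H", ncomp))
    if version in (3, 4):               # ccache: 32-bit counts and lengths
        off = 2
        if version == 4:                # v4 adds a length-prefixed header
            (hlen,) = struct.unpack_from(">H", data, off)
            off += 2 + hlen
        _ntype, ncomp = struct.unpack_from(">II", data, off)
        return ("ccache", _read_name(data, off + 8, ">I", ncomp))
    return ("unknown", None)            # other versions are not handled here

def ccname_ok(data):
    """True only if the file named by krb5_ccname is a credentials cache."""
    return describe(data)[0] == "ccache"

def _lp(fmt, s):
    """Length-prefix a byte string (helper for building the samples)."""
    return struct.pack(fmt, len(s)) + s

# Constructed samples, truncated after the principal; no real key material.
REALM, USER = b"EXAMPLE.COM", b"nslcd-user"
_kt_entry = struct.pack(">H", 1) + _lp(">H", REALM) + _lp(">H", USER)
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_kt_entry)) + _kt_entry
SAMPLE_CCACHE = (b"\x05\x04" + struct.pack(">H", 0)
                 + struct.pack(">II", 1, 1) + _lp(">I", REALM) + _lp(">I", USER))

if __name__ == "__main__":
    for label, blob in (("keytab", SAMPLE_KEYTAB), ("ccache", SAMPLE_CCACHE)):
        print(label, describe(blob), "usable as krb5_ccname:", ccname_ok(blob))
```

To check a real file, pass its contents: `describe(open(path, "rb").read())`.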