[Samba] Samba 4 kerberos and kinit

steve steve at steve-ss.com
Sun Jan 15 09:32:53 MST 2012

On 01/15/2012 04:04 PM, Michael Wood wrote:
> On 14 January 2012 12:52, steve<steve at steve-ss.com>  wrote:
>> On 14/01/12 03:19, Michael Wood wrote:
>>> On 14 January 2012 01:24, steve<steve at steve-ss.com>    wrote:
> [...]
>>>> drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>> That's fine, but is that what nslcd is using?
>> Ah. Well spotted! The nslcd docs recommend you run it as a separate user,
>> so I created a user and group for nslcd and specified them in nslcd.conf.
>> nslcd is running as nslcd:nslcd. So nslcd can't get inside the keytab. Is
>> that correct? (can't test it as am not by the DC at the moment)
> Sounds likely.
> So you probably need to export a keytab for your nslcd principal to a
> new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
> has permission to read it.  No other user should have read access.
The problem is that I can't have a principal for nslcd. IOW I can't do this:
samba-tool spn add nslcd some-user

I could do this
samba-tool spn add host someuser
but already have a host principal added to the main keytab.

I keep coming back to this. I can have a principal for host and I can 
have a principal for nfs but I can't have a principal for nslcd. Even 
though /etc/nslcd.conf allows me to add a kerberos realm, is that good 

Anyway, I've a 10 hour experiment in progress as on the other thread. 
Fingers crossed!
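The point Michael raises above, that the service account must be able to read its keytab while no other account can, is easy to get wrong in either direction (a 0600 root-owned file the daemon cannot open, or a 0644 copy every local user can read). The following check script is an added example, not code from the thread or from Samba or nss-pam-ldapd; it assumes GNU coreutils `stat -c` and a POSIX `id`, and the path `/var/run/nslcd/nslcd.tkt` is just the name Michael used as an illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a keytab is readable by
# exactly the service account that needs it. Assumes GNU coreutils `stat -c`.
#
# keytab_check PATH USER
# Returns 0 when PATH exists, USER can read it (as owner or via group
# membership) and the file has no world read bit; otherwise prints the
# reason and returns 1.
keytab_check() {
    kt_path=$1
    svc_user=$2

    if [ ! -f "$kt_path" ]; then
        echo "FAIL: $kt_path does not exist"
        return 1
    fi
    if ! id "$svc_user" >/dev/null 2>&1; then
        echo "FAIL: no such user '$svc_user'"
        return 1
    fi

    mode=$(stat -c '%a' "$kt_path")      # e.g. 600, 640 or 4640
    owner=$(stat -c '%U' "$kt_path")
    group=$(stat -c '%G' "$kt_path")
    other_bits=${mode#"${mode%?}"}       # last octal digit: world permissions
    rest=${mode%?}
    group_bits=${rest#"${rest%?}"}       # second-to-last digit: group permissions
    rest=${rest%?}
    owner_bits=${rest#"${rest%?}"}       # third-to-last digit: owner permissions

    # Any world read bit means every local account can copy the keys.
    if [ $((other_bits & 4)) -ne 0 ]; then
        echo "FAIL: $kt_path is world-readable (mode $mode)"
        return 1
    fi

    readable=0
    if [ "$owner" = "$svc_user" ]; then
        [ $((owner_bits & 4)) -ne 0 ] && readable=1
    elif [ $((group_bits & 4)) -ne 0 ]; then
        # Not the owner: the service user may still read via its groups.
        for g in $(id -Gn "$svc_user"); do
            [ "$g" = "$group" ] && readable=1
        done
    fi

    if [ "$readable" -eq 0 ]; then
        echo "FAIL: $svc_user cannot read $kt_path ($owner:$group mode $mode)"
        return 1
    fi
    echo "OK: $kt_path readable by $svc_user ($owner:$group mode $mode)"
    return 0
}

# Stand-alone usage: keytab_check /var/run/nslcd/nslcd.tkt nslcd
if [ $# -ge 2 ]; then
    keytab_check "$1" "$2"
fi
```

Running it as `keytab_check /etc/krb5.keytab nslcd` on the setup described in the thread (keytab 0600, owned by root, daemon running as nslcd:nslcd) reports the read failure directly, which is the quickest way to confirm the diagnosis above before exporting a separate keytab for the daemon. The check only flags world read bits as a leak; a keytab that is group-readable by a group with other members should also be tightened, so keep the group owner to the service account as well.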
