[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Fri Jan 20 07:38:14 MST 2012

>>> I can't find k5start for openSUSE. I'll ask the guys over
>>> at the suse list for that one.
>> Otherwise you could probably compile it yourself.
>>> If I get time, I'll go through this on Ubuntu (where Geza pointed me to
>>> k5start).
> Thanks again.
> Steve

Got an old k5start from the openSUSE vaults and got the keytab working 
with it:

samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
k5start -v -f /etc/nslcd.keytab -u nslcd-service -o nslcd-user -k 
Kerberos initialization for nslcd-service at SITE
k5start: authenticating as nslcd-service at SITE
k5start: getting tickets for krbtgt/SITE at SITE

It didn't ask for a password:)

A few bits of stuff.
This is not ideal. It renews every 5 mins, which too often. Probably 
need some k5list --help
Maybe /tmp is a bad place to put the cache. On openSUSE (and probably 
other distros), anyone can get in there and have a look around.
Don't get this:
ls -la /etc/nslcd.keytab
-rw------- 1 root root 178 Jan 20 15:19 /etc/nslcd.keytab
yet k5start can get at it.
I still think there must be a better way.


More information about the samba mailing list