[Samba] Understanding kerberos principals in samba4

Quinn Plattel qiet72 at gmail.com
Mon Jul 16 05:21:26 MDT 2012

Hi Steve,

I was taking nslcd as an example and I know that one workaround is the way
you describe it, but I see more than just the nslcd/k5start service that uses
the HOST/hostname.domain.net principal to authenticate - for example, ssh
with GSSAPI seems to do the same thing unless you use
"GSSAPIStrictAcceptorCheck no" in /etc/sshd_config, and then there is
"ldapsearch -Y GSSAPI" which asks for the ldap/hostname.domain.net principal.
So far, of these three issues, I see two with workarounds and one with no
solution yet. It would be nice to see a common solution that works for all
Kerberos-aware services - hence the subject "Understanding kerberos
principals in samba4".


On Mon, Jul 16, 2012 at 12:59 PM, steve <steve at steve-ss.com> wrote:

> On 16/07/12 12:10, Quinn Plattel wrote:
>> Hi,
>> Thanks for the info.  I am now trying two ways to get, for example, the
>> nslcd service to work with samba4 kerberos.
> The host principals are already there so I can't see why you are trying to
> recreate them. Don't use the host key. Use a separate key to unlock the
> nslcd service so that it can access the Samba 4 LDAP.
> The problem with nslcd in Ubuntu is k5start. The configuration file is
> located in /etc/default/nslcd which prevents it using a Samba4 principal.
> With Samba4, nslcd triggers k5start and it has no key to reference.
> Set k5start to "No" and start it manually yourself with a keytab you have
> extracted for your nslcd-service. If you do not, you will have to manually
> restart nslcd every 10 hours anyway.
> Cheers,
> Steve

Best regards/Med venlig hilsen,
Quinn Plattel
