[Samba] nslcd: kerberos vs. simple bind

Marc Muehlfeld samba at marc-muehlfeld.de
Wed Aug 28 11:27:39 MDT 2013

On 28.08.2013 19:11, steve wrote:
> If you're happy with plain text passwords being passed over the network
> then use them. There may be some admins that will not be able to do that
> though, so. . .

Ok. This is a good argument I haven't thought about. In production I
have used LDAPS. But the HowTo is currently describing it in plain text, 

> You may want to kerberise it. It's very easy: you don't need to create
> anything new. Just use an object you already have. You always have a
> machine key for example.

Good idea with the machine key.
If I use the machine account, then I have to re-export the keytab if I 
rejoin the machine, right?

> On the DC, you'll have to extract its keytab
> but otherwise, away you go:
>   k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt &
> If you need to be up more than 10 hours a day and if you don't like
> k5start, cron it.
> The clients already have the keytab so nothing else to do.

Thanks for that information. It clarifies some questions that came up 
with the first Kerberos tries.
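
An added illustration of the trade-off discussed in this thread (not part of the original messages and not taken from the Samba HowTo): a small Python check that reads an nslcd.conf and reports whether the bind password would cross the network unencrypted. The sample configurations, host name, bind DN and password placeholder are constructed; the credential cache path is the one from the quoted k5start command.

```python
# Added example: classify how an nslcd.conf authenticates to the directory.
# All sample values below are constructed for illustration.

def parse_nslcd(text):
    """Return {option: [values]} for an nslcd.conf body, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def bind_exposure(text):
    """Report whether the configured bind sends a password in clear text."""
    opts = parse_nslcd(text)
    # SASL/GSSAPI authenticates with a Kerberos ticket; no bindpw is sent.
    if opts.get("sasl_mech", [""])[-1].upper() == "GSSAPI":
        return "gssapi"
    if "bindpw" not in opts:
        return "anonymous"
    uris = [u.lower() for v in opts.get("uri", []) for u in v.split()]
    ssl = opts.get("ssl", ["off"])[-1].lower()
    # A simple bind over ldap:// without "ssl on" or StartTLS is unencrypted.
    if any(u.startswith("ldap://") for u in uris) and ssl not in ("on", "start_tls"):
        return "plaintext-simple-bind"
    # ldaps://, StartTLS, or a local ldapi:// socket.
    return "protected-simple-bind"

PLAIN = """
uri ldap://dc1.example.com
base dc=example,dc=com
binddn cn=nslcd-user,cn=Users,dc=example,dc=com
bindpw CONSTRUCTED-PLACEHOLDER
"""
LDAPS = PLAIN.replace("ldap://", "ldaps://") + "tls_reqcert demand\n"
KERBEROS = """
uri ldap://dc1.example.com
base dc=example,dc=com
sasl_mech GSSAPI
krb5_ccname /tmp/nslcd.tkt
"""

if __name__ == "__main__":
    for name, conf in (("plain", PLAIN), ("ldaps", LDAPS), ("kerberos", KERBEROS)):
        print(name, "->", bind_exposure(conf))
```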

