[Samba] nslcd: kerberos vs. simple bind

steve steve at steve-ss.com
Wed Aug 28 11:39:10 MDT 2013

On Wed, 2013-08-28 at 19:27 +0200, Marc Muehlfeld wrote:
> Am 28.08.2013 19:11, schrieb steve:
> > If you're happy with plain text passwords being passed over the network
> > then use them. There may be some admins that will not be able to do that
> > though, so. . .
> Ok. This is an good argument I haven't tought about. In production I 
> have used LDAPS. But the HowTo is currently describing it in plain text, 
> right.
> > You may want to kerberise it. It's very easy: you don't need to create
> > anything new. Just use an object you already have. You always have a
> > machine key for example.
> Good idea with the machine key.
> If I use the machine account, then I have to re-export the keytab if I 
> rejoin the machine, right?
No. Once you have exported the key to the keytab on the DC, that's it.
Forever. The question doesn't make sense on a client.

If you're on the DC, you do not have a default keytab, erm, by default,
so just extract the machine key manually.

On a remote client, the process of joining the domain with security=ADS
and kerberos method = something will automatically create the keytab for


More information about the samba mailing list