[Samba] keytab question.
L.P.H. van Belle
belle at bazuin.nl
Tue Mar 4 04:10:54 MST 2014
Hi,
I'm working on my DHCP server + DNS setup with Samba4.
I've exported the keytabs:
samba-tool domain exportkeytab /home/krb5.keytab.samba4
When I read the contents of this keytab:
ktutil
rkt /home/krb5.keytab.samba4
list
1 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
2 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
3 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
4 1 Administrator@INTERNAL.DOMAIN.TLD
5 1 Administrator@INTERNAL.DOMAIN.TLD
6 1 Administrator@INTERNAL.DOMAIN.TLD
7 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
8 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
9 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
10 1 krbtgt@INTERNAL.DOMAIN.TLD
11 1 krbtgt@INTERNAL.DOMAIN.TLD
12 1 krbtgt@INTERNAL.DOMAIN.TLD
and I look at the keytab Samba generated:
ktutil
rkt /var/lib/samba/private/secrets.keytab
list
1 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
2 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
3 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
4 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
5 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
6 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
7 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
8 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
9 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
10 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
11 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
12 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
13 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
14 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
15 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
In the krb5.conf I need to define the default keytab name:
default_keytab_name = FILE:/etc/krb5.keytab
But now the question: which keytab should I use?
I know I have to configure our DNS server to support dynamic DNS updates in the clear (insecure) by using the allow-update directive.
I've seen the update policy:
cat /var/lib/samba/private/named.conf.update
/* this file is auto-generated - do not edit */
update-policy {
grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
But I was thinking I needed the user dns-RTD-DC1@INTERNAL.DOMAIN.TLD;
this is the "logical" one to pick.
So, what's advised, and what do you use?
This part is not clear to me.
Best regards,
Louis
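The question above comes down to: which of the principals in an exported keytab does the generated update-policy actually authorise? The Python below is an added example, not part of Louis's post or of Samba's code. It parses a keytab image in the standard 0x0502 file layout (the encoder exists only to build a constructed sample mirroring the principals listed above; the keys are dummy bytes), extracts the grant lines from a BIND update-policy block, and reports which policy rules apply to each principal. Two assumptions are the example's own: GSS-TSIG identities are compared as full principal strings, and an ms-self rule (whose identity is the realm) applies to machine accounts, i.e. principals ending in "$@REALM".

```python
import re
import struct

# Keytab file layout (MIT/Heimdal version 0x0502): a 2-byte version, then
# records, each prefixed by a signed 32-bit length. A negative length marks a
# deleted slot that readers must skip. Each record holds the principal
# (component count, realm, components), name type, timestamp, an 8-bit kvno,
# the key block (enctype + key) and an optional 32-bit kvno trailer.
KEYTAB_VERSION = 0x0502
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(data: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_keytab(entries):
    """Build a keytab image from (principal, kvno, enctype, key) tuples (sample data only)."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        rec = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            rec += _counted(comp.encode())
        # name type 1 (KRB5_NT_PRINCIPAL), timestamp 0, low 8 bits of the kvno
        rec += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        rec += struct.pack(">H", enctype) + _counted(key)
        rec += struct.pack(">I", kvno)  # full 32-bit kvno trailer
        out += struct.pack(">i", len(rec)) + rec
    return out


def parse_keytab(blob: bytes):
    """Return [(principal, kvno, enctype), ...] from a keytab image; key bytes are not returned."""
    if blob[:2] != struct.pack(">H", KEYTAB_VERSION):
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:              # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen           # skip over the key material itself
        kvno = vno8
        if end - pos >= 4:        # trailer present: a non-zero value overrides the 8-bit kvno
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


GRANT_RE = re.compile(r"grant\s+(\S+)\s+(\S+)\s+(\S+)\s+([^;]+);")


def parse_update_policy(text: str):
    """Extract (identity, rule type, name, record types) from a BIND update-policy block."""
    return [(ident, rule, name, types.split())
            for ident, rule, name, types in GRANT_RE.findall(text)]


def grants_for(principal: str, policy):
    """Policy rules that apply to one Kerberos principal (assumptions: identities are
    compared as full principal strings; ms-self uses the realm as identity and applies
    to machine accounts, i.e. principals ending in '$@REALM')."""
    hits = []
    for ident, rule, name, types in policy:
        if rule == "ms-self":
            if principal.endswith("$@" + ident):
                hits.append((rule, name, types))
        elif ident == principal:
            hits.append((rule, name, types))
    return hits


def audit_keytab(blob: bytes, policy_text: str):
    """Map every principal in the keytab to the update-policy rules that cover it."""
    policy = parse_update_policy(policy_text)
    return {p: grants_for(p, policy) for p, _, _ in parse_keytab(blob)}


# Constructed sample data mirroring the principals in the post; keys are dummy bytes.
SAMPLE_KEYTAB = encode_keytab([
    ("RTD-DC1$@INTERNAL.DOMAIN.TLD", 1, 18, b"\x11" * 32),
    ("Administrator@INTERNAL.DOMAIN.TLD", 1, 18, b"\x22" * 32),
    ("dns-RTD-DC1@INTERNAL.DOMAIN.TLD", 1, 18, b"\x33" * 32),
    ("krbtgt@INTERNAL.DOMAIN.TLD", 2, 17, b"\x44" * 16),
]) + struct.pack(">i", -8) + b"\0" * 8   # trailing deleted slot, which a parser must skip

SAMPLE_POLICY = """\
update-policy {
grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
"""

if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print(f"{kvno:>3} {ENCTYPE_NAMES.get(enctype, enctype):<24} {principal}")
    for principal, rules in audit_keytab(SAMPLE_KEYTAB, SAMPLE_POLICY).items():
        print(principal, "->", [r for r, _, _ in rules] or "no grant")
```

Run stand-alone it lists each sample principal with its kvno and enctype, then the rules that cover it: for the policy quoted in the post, RTD-DC1$ matches both the ms-self and the wildcard line, Administrator matches its wildcard line, and dns-RTD-DC1 and krbtgt match nothing, which is the concrete check to make before choosing a keytab for a GSS-TSIG client. To run it against a real file, pass the bytes of the exported keytab and the text of named.conf.update to audit_keytab.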