[Samba] AD-Integration of Samba4 AD DC machine itself?
Sven Geggus
lists at fuchsschwanzdomain.de
Wed Mar 12 11:04:55 MDT 2014
Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> 3. add "kerberos method = system keytab" to /etc/samba/smb.conf
> Why???
Because nss-ldapd or sssd will not work without a system keytab.
>> Furthermore, which tool can I use to duplicate the "MACHINE$@REALM"
>> principal of my DC to the Unix style name style host/machine@REALM?
>
> Again, why?
Because services like ssh will need these kinds of service principals. It
might be possible to make them use MACHINE$@REALM instead, but the default
would be host/machine.fqdn@REALM.
On the machines I joined using "kerberos method = system keytab" I typically
have 3 kinds of names for the same encryption keys:
host/machine.fqdn@REALM
host/machine@REALM
MACHINE$@REALM
> do you do this with a windows AD server?
Yes, I actually use the host/machine.fqdn@REALM version on my setup with the
Windows AD-Server.
Using the Samba AD DC, nslcd needs to use MACHINE$@REALM for authentication.
host/machine.fqdn@REALM does not work.
Regards
Sven
--
The "normal citizen" is not at TU Dresden and also does not write
with mutt. (Ulli Kuhnle in de.comp.os.unix.discussion)
/me is giggls at ircnet, http://sven.gegg.us/ on the Web
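
An added example, not part of the original message: a check that a system keytab carries the three principal names listed above with identical keys. It parses text in the layout MIT `klist -kKe` prints; the sample listing, host name, realm and function names are constructed assumptions.

```python
import re

# Constructed sample in the layout of MIT `klist -kKe` (keys shortened, not real).
# Real output of that command contains key material: keep it out of logs and tickets.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/machine.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)
   2 host/machine.example.com@EXAMPLE.COM (arcfour-hmac)  (0x2222bbbb)
   2 host/machine@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)
   2 host/machine@EXAMPLE.COM (arcfour-hmac)  (0x2222bbbb)
   2 MACHINE$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)
   2 MACHINE$@EXAMPLE.COM (arcfour-hmac)  (0x2222bbbb)
"""

# One keytab entry: KVNO, principal, (enctype), (0xKEY)
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s+\((0x[0-9a-fA-F]+)\)\s*$")


def parse_klist(text):
    """Map each principal to its set of (kvno, enctype, key) tuples."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            kvno, principal, enctype, key = m.groups()
            entries.setdefault(principal, set()).add((int(kvno), enctype, key.lower()))
    return entries


def expected_names(host, fqdn, realm):
    """The three name forms from the message, for one machine account."""
    return [f"host/{fqdn}@{realm}", f"host/{host}@{realm}", f"{host.upper()}$@{realm}"]


def check_keytab(text, host, fqdn, realm):
    """Report missing names and whether all three names share one key set."""
    entries = parse_klist(text)
    names = expected_names(host, fqdn, realm)
    missing = [n for n in names if n not in entries]
    keysets = {frozenset(entries[n]) for n in names if n in entries}
    return {"missing": missing, "same_keys": not missing and len(keysets) == 1}


if __name__ == "__main__":
    print(check_keytab(SAMPLE, "machine", "machine.example.com", "EXAMPLE.COM"))
```
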