[Samba] AD-Integration of Samba4 AD DC machine itself?

Rowland Penny rowlandpenny at googlemail.com
Wed Mar 12 11:12:45 MDT 2014

On 12/03/14 17:04, Sven Geggus wrote:
> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> 3. add "kerberos method = system keytab" to /etc/samba/smb.conf
>> Why???
> Because nss-ldapd or sssd will not work without a system keytab.
>>> Furthermore, which tool can I use to duplicate the "MACHINE$@REALM"
>>> prinzipal of my DC to the Unix style name style host/machine at REALM?
>> Again, why?
> Because services like ssh will need these kinds of service principal. It
> might be possible to make them use MACHINE$@REALM instead, but the default
> would be host/machine.fqdn at REALM.
> On the machines I joined using "kerberos method = system keytab" I typically
> have 3 kinds of names for the same encryption keys:
> host/machine.fqdn at REALM
> host/machine at REALM
>> do you do this with a windows AD server?
> Yes, I actually the host/machine.fqdn at REALM version on my setup with the
> Windows AD-Server.
> Using the Samba AD DC nslcd needs to use MACHINE$@REALM for authentification.
> host/machine.fqdn at REALM does not work.
> Regards
> Sven
Ah, I think that I misunderstood what you wrote, I thought that you were 
talking about adding the line to the server not to clients, oops ;-)

In which case, you can use ktutil to add to the keytab, try reading the 
man page and an internet search.


More information about the samba mailing list