[Samba] AD-Integration of Samba4 AD DC machine itself?

Rowland Penny rowlandpenny at googlemail.com
Wed Mar 12 11:12:45 MDT 2014


On 12/03/14 17:04, Sven Geggus wrote:
> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>>> 3. add "kerberos method = system keytab" to /etc/samba/smb.conf
>> Why???
> Because nss-ldapd or sssd will not work without a system keytab.
>
>>> Furthermore, which tool can I use to duplicate the "MACHINE$@REALM"
>>> principal of my DC to the Unix-style name host/machine at REALM?
>> Again, why?
> Because services like ssh will need these kinds of service principal. It
> might be possible to make them use MACHINE$@REALM instead, but the default
> would be host/machine.fqdn at REALM.
>
> On the machines I joined using "kerberos method = system keytab" I typically
> have 3 kinds of names for the same encryption keys:
> host/machine.fqdn at REALM
> host/machine at REALM
> MACHINE$@REALM
>
>> do you do this with a windows AD server?
> Yes, I actually the host/machine.fqdn at REALM version on my setup with the
> Windows AD-Server.
>
> Using the Samba AD DC nslcd needs to use MACHINE$@REALM for authentication.
> host/machine.fqdn at REALM does not work.
>
> Regards
>
> Sven
>
Ah, I think that I misunderstood what you wrote; I thought that you were 
talking about adding the line to the server, not to clients, oops ;-)

In which case, you can use ktutil to add to the keytab, try reading the 
man page and an internet search.

Rowland
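As an added example (not part of the thread), a small POSIX shell audit that parses MIT `klist -k` output for the three principal name forms Sven lists (host/fqdn, host/short, MACHINE$) and, as an alternative to hand-editing with ktutil, prints the Samba `net ads keytab add` command for each one that is missing. The hostname, realm and keytab listing are constructed sample values.

```shell
#!/bin/sh
# Audit a client's system keytab for the principal names sshd, nslcd/sssd
# and Samba expect, and print the Samba commands to add any missing ones.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from a real host).
# The cifs/ entry deliberately has an older KVNO to show a stale entry.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT$@EXAMPLE.COM
   3 host/client.example.com@EXAMPLE.COM
   2 cifs/client.example.com@EXAMPLE.COM'

# missing_principals FQDN REALM KLIST_OUTPUT
# Prints, one per line, the expected principals absent from the keytab listing.
missing_principals() {
    host=$1; realm=$2; out=$3
    short=${host%%.*}
    upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    for p in "host/$host@$realm" "host/$short@$realm" "$upper\$@$realm"; do
        # Column 2 of each entry line is the principal; header lines never match.
        printf '%s\n' "$out" | awk -v p="$p" '$2 == p { found=1 } END { exit !found }' \
            || printf '%s\n' "$p"
    done
}

# distinct_kvnos KLIST_OUTPUT
# Prints how many distinct KVNOs the entries carry. All names in this keytab
# share one machine-account key, so more than one KVNO usually means stale
# entries left behind by a machine password change.
distinct_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && !seen[$1]++ { n++ } END { print n+0 }'
}

# add_commands FQDN REALM KLIST_OUTPUT
# Prints one `net ads keytab add` command per missing principal (run as root
# on the joined client; it writes to the keytab named in smb.conf).
add_commands() {
    missing_principals "$1" "$2" "$3" | while IFS= read -r p; do
        printf 'net ads keytab add %s\n' "$p"
    done
}

# Stand-alone run against the constructed sample.
missing_principals client.example.com EXAMPLE.COM "$SAMPLE_KLIST"
add_commands client.example.com EXAMPLE.COM "$SAMPLE_KLIST"
echo "distinct KVNOs: $(distinct_kvnos "$SAMPLE_KLIST")"
```

On a live host, replace `SAMPLE_KLIST` with `"$(klist -k /etc/krb5.keytab)"`; the `add` commands need a valid machine join, which `net ads testjoin` confirms.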

