[Samba] FW: kerberos nfs4's principals and root access

Rowland Penny rpenny at samba.org
Tue Aug 2 16:20:42 UTC 2016

On Tue, 2 Aug 2016 17:05:37 +0200
Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:

> It's ok
> So, if I create a httpuser and an httpgroup in my AD and use these at 
> owner and group for my apache2 daemon, this one could access to
> userdirs (while permissions granting it) ? But I need to cron 'kinit'
> to keep valid ticket... ?
> My local root user always can't access to the share, but my other 
> problem seems to be resolved.

OK, I went and re-read your first post and I think you are going about
this the wrong way. I did a quick google and found this:


So to translate that into Samba:

Create a user 'httpuser' with a random password:

samba-tool user create --random-password httpuser

Give the new user an SPN:

samba-tool spn add HTTP/servername.your.realm.tld httpuser

Where 'servername' is the short hostname of your machine running Apache
and 'your.realm.tld' is (obviously) your dns/realm name  

Now export the keytab:

samba-tool domain exportkeytab /root/httpd.keytab
--principal=HTTP/servername.your.realm.tld at YOUR.REALM.TLD

copy the keytab to the machine running Apache and allow www-data to
read the keytab.


More information about the samba mailing list