[Samba] NFSv4 / Krb / wildcard in keytab
Rowland penny
rpenny at samba.org
Thu Mar 31 12:53:21 UTC 2016
On 31/03/16 13:01, Service Informatique IF wrote:
> On 31/03/2016 11:44, Rowland penny wrote:
>> I thought the whole idea of kerberos was to authenticate 'something'
>> or 'someone' without passing passwords.
>
> You're right, when using a keytab it's without a password, but users need
> to enter a password to access their data on a NFSv4 - krb share.
>
>> As far as I am aware, 'something' or 'someone' must be in the
>> kerberos database and I don't think using '*' is going to work, as
>> this would allow anybody to gain access to your network, do you
>> really want this ??
>
> I understand that is a possible security hole, but we already use a
> "generic" keytab for sssd.
> Our computers are in a "restricted" network, so I think it's not a big
> hole.
> And this keytab is used only for mounting the NFSv4 share, not to
> access user data, because the data are chmod protected;
> each user needs to authenticate to obtain their own ticket, in order to
> see their data.
>
> A wildcard keytab is possible in MIT Kerberos, so I thought it was
> possible to do that with Samba4.
I honestly don't know if you can do this with Samba4 because I have
never tried, and I also don't know if this is possible with the Heimdal
Kerberos that Samba uses.
>
> The problem for us is to join computers automatically to Samba: maybe
> you have a solution? (without a password)
>
> Or maybe if it's possible, create computer accounts in Samba with
> samba-tool user add ... and so, I could create computer keytab
> directly from Samba.
>
You mentioned above that you are using sssd, so isn't realmd supposed to
be able to do this?
Have a look here:
http://stef.thewalter.net/how-to-join-active-directory-domains.html
Rowland