[Samba] NFSv4 / Krb / wildcard in keytab

Rowland penny rpenny at samba.org
Thu Mar 31 12:53:21 UTC 2016

On 31/03/16 13:01, Service Informatique IF wrote:
> Le 31/03/2016 11:44, Rowland penny a écrit :
>> I thought the whole idea of kerberos was to authenticate 'something' 
>> or 'someone' without passing passwords.
> You're right when using keytab it's without password, but users need 
> to enter password to access their datas on a NFSv4 - krb share.
>> As far as I am aware, 'something' or 'someone' must be in the 
>> kerberos database and I don't think using '*' is going to work, as 
>> this would allow anybody to gain access to your network, do you 
>> really want this ??
> I understand that is a possible security hole, but we already use a 
> "generic" keytab for sssd.
> Our computers are in a "restricted" network, so I think it's not a big 
> hole.
> And this keytab is used only for mounting the Nfsv4 share, not to 
> access user data, because data are chmod protected
> each user need to authenticate to obtain their own ticket, in order to 
> see their data.
> Wildcard keytab is possible in MIT Kerberos, so I thought it was 
> possbie to do that with Samba4.

I honestly don't know if you can do this with Samba4 because I have 
never tried and I also don't know if this is possible with Heimdal 
kerberos that Samba uses.

> The problem for us is to join computer automatically to Samba : Maybe 
> you have a solution ? (without passwd)
> Or maybe if it's possible, create computer accounts in Samba with 
> samba-tool user add ...  and so, I could create computer keytab 
> directly from Samba.

You mentioned above that you are using sssd, so isn't realmd supposed to 
be able to do this ?

Have a look here: 


More information about the samba mailing list