On 2012-01-13 13:45, steve wrote:
>
>> 'I have setup a real user that the daemon will run as, and have given
>> that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf
>>
>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>
>> How has the guy 'given that user a valid kerberos tgt'?
>>
>> IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put
>> in /var/run/nslcd ?????
>>
>> It's been a long night!
>> Cheers
>> Steve
>
> It's to do with the host principal, no?
>
> I need to do the equivalent of this:
> kadmin add -r host/machine.sample.com
>
> How do I specify the 'r' option with samba-tool??
>
> So that translates to:
> <spn host user stuff>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/REALM
> Where do I put the r ???!!
>
> Thanks,
> Steve
>

It doesn't need to have anything to do with the host principal. You could have a very unique nslcd service account.

On the other hand, I suggest to export each principal to its own keytab instead of dumping all to /etc/krb5.keytab; if needed, they can be "copied" together with ktutil.

Another suggestion: as uri, specify the fqdn of the Samba4 server instead of its ip address, as it makes it harder (it needs to do a reverse name lookup) for kerberos to find which account it needs to get the ticket for.

You should copy/move the resulting keytab wherever you wish, just make sure you specify the exact same path in nslcd.conf (or equivalent).

Regards
Geza

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
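The steps Geza describes (a per-service keytab, a ticket cache at the path nslcd reads, the DC named by FQDN in uri, and krb5_ccname matching the cache path), put together as an added shell example that is not from this thread. The realm SAMPLE.COM, the service principal nslcd/machine.sample.com and the keytab path /etc/nslcd.keytab are assumptions; the cache path /var/run/nslcd/nslcd.tkt is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: get a TGT for the nslcd service account
# from its own keytab and sanity-check nslcd.conf against what was set up.
# Assumed: realm SAMPLE.COM, principal nslcd/machine.sample.com, keytab
# /etc/nslcd.keytab. The ccache path is the one quoted in the thread.
set -e

REALM="SAMPLE.COM"
PRINCIPAL="nslcd/machine.sample.com@${REALM}"
KEYTAB="/etc/nslcd.keytab"
CCACHE="/var/run/nslcd/nslcd.tkt"

# Export only this principal into its own keytab (run on the Samba4 DC),
# rather than appending every principal to /etc/krb5.keytab.
export_keytab() {
    samba-tool domain exportkeytab "$KEYTAB" --principal="$PRINCIPAL"
    chmod 600 "$KEYTAB"
}

# Obtain the TGT from the keytab into the cache nslcd will read (MIT kinit
# flags: -k use keytab, -t keytab path, -c cache). Run as the nslcd user,
# or chown the cache afterwards, so the daemon can read it.
acquire_ticket() {
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL"
    klist -c "$CCACHE"
}

# Print the value of a directive in an nslcd.conf-style file ("" if absent).
conf_value() {   # $1 = file, $2 = directive name
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Checks from the thread: krb5_ccname must be exactly the cache path used
# above, and the LDAP uri should name the DC by FQDN, not by IPv4 address.
check_conf() {   # $1 = nslcd.conf path; prints each problem, returns 1 on any
    rc=0
    ccname=$(conf_value "$1" krb5_ccname)
    if [ "${ccname#FILE:}" != "$CCACHE" ]; then
        echo "krb5_ccname is '$ccname', expected $CCACHE"; rc=1
    fi
    host=$(conf_value "$1" uri | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##')
    case "$host" in
        "") echo "no uri directive found"; rc=1 ;;
        *[!0-9.]*) ;;   # has a non-digit/dot character: a hostname, fine
        *) echo "uri host '$host' is an IPv4 address; use the DC's FQDN"; rc=1 ;;
    esac
    return $rc
}
```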