Hi Steve, I was taking nslcd as an example and I know that one workaround is the way you describe it, but I see more than just the nslcd/k5start service that uses the HOST/hostname.domain.net principal to authenticate - for example, ssh with GSSAPI seems to do the same thing unless you use "GSSAPIStrictAcceptorCheck no" in /etc/sshd_config, and then there is "ldapsearch -Y GSSAPI" which asks for the ldap/hostname.domain.net principal. So far, of these three issues, I see two workarounds and one with no solution yet. It would be nice to see a common solution that works for all Kerberos-aware services - hence the subject "Understanding kerberos principals in samba4".
br, Quinn

On Mon, Jul 16, 2012 at 12:59 PM, steve <st...@steve-ss.com> wrote:
> On 16/07/12 12:10, Quinn Plattel wrote:
>
>> Hi,
>>
>> Thanks for the info. I am now trying two ways to get, for example, the
>> nslcd service to work with samba4 kerberos.
>>
>
> The host principals are already there so I can't see why you are trying to
> recreate them. Don't use the host key. Use a separate key to unlock the
> nslcd service so that it can access the Samba 4 LDAP.
>
> The problem with nslcd in Ubuntu is k5start. The configuration file is
> located in /etc/default/nslcd which prevents it using a Samba4 principal.
> With Samba4, nslcd triggers k5start and it has no key to reference.
>
> Set k5start to "No" and start it manually yourself with a keytab you have
> extracted for your nslcd-service. If you do not, you will have to manually
> restart nslcd every 10 hours anyway.
>
> Cheers,
> HTH
> Steve
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:
> https://lists.samba.org/mailman/options/samba

--
Best regards/Med venlig hilsen,
Quinn Plattel
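The following is an added example, not code posted by Quinn or Steve and not part of the Samba project. It ties the two messages together: it audits a keytab listing for the three principals named in the thread (host/, ldap/ and a separate nslcd/ service principal for the host's FQDN) and, where samba-tool and k5start are installed, shows the separate-keytab workaround Steve describes, with K5START disabled in /etc/default/nslcd and k5start run by hand. The hostname, realm, the `nslcd-svc` account name, the keytab and ticket-cache paths and the sample `klist -kt` output are all constructed assumptions; the samba-tool and k5start flags are the documented ones but should be checked against the versions you run.

```shell
#!/bin/sh
# Added example for the samba list thread on Kerberos principals; not the
# thread authors' code. Hostname, realm, account and paths are assumptions.

FQDN="hostname.domain.net"   # assumption: this host's DNS name
REALM="DOMAIN.NET"           # assumption: the Samba 4 Kerberos realm

# Constructed sample of `klist -kt /etc/krb5.keytab` output. On a real box
# feed the actual klist output in instead. Note that only host/ and ldap/
# are present: there is no separate nslcd/ principal yet.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/16/12 12:59:00 host/hostname.domain.net@DOMAIN.NET
   2 07/16/12 12:59:00 HOST/HOSTNAME@DOMAIN.NET
   2 07/16/12 12:59:00 ldap/hostname.domain.net@DOMAIN.NET'

# has_principal <klist output> <principal>
# Exit 0 if the exact principal (case-sensitive, realm included) is the last
# field of some row; klist -kt rows are "KVNO date time principal".
has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_principals <klist output>
# Prints the service names (host, ldap, nslcd) whose "<svc>/$FQDN@$REALM"
# principal is absent, space separated; returns 1 if anything is missing.
missing_principals() {
    listing="$1"
    rc=0
    missing=""
    for svc in host ldap nslcd; do
        if ! has_principal "$listing" "$svc/$FQDN@$REALM"; then
            missing="$missing $svc"
            rc=1
        fi
    done
    printf '%s\n' "${missing# }"
    return $rc
}

# setup_nslcd_keytab
# Steve's workaround as commands: a dedicated service account and SPN,
# its own keytab (never the host keytab), and k5start keeping a ticket
# cache fresh for the nslcd user instead of the nslcd init script doing it.
# Run as root on the Samba 4 DC (exportkeytab needs the local sam.ldb).
setup_nslcd_keytab() {
    samba-tool user create nslcd-svc --random-password
    samba-tool spn add "nslcd/$FQDN" nslcd-svc
    samba-tool domain exportkeytab /etc/nslcd.keytab --principal="nslcd/$FQDN"
    chown nslcd:nslcd /etc/nslcd.keytab
    chmod 600 /etc/nslcd.keytab
    # /etc/default/nslcd: K5START=no, then renew every 60 minutes ourselves
    # (-U takes the client principal from the keytab, -b backgrounds).
    k5start -b -U -f /etc/nslcd.keytab -K 60 \
        -k /var/run/nslcd/nslcd.tkt -o nslcd -g nslcd
}

# Only run the real commands where the tools exist; the audit above is
# safe to run anywhere.
if command -v samba-tool >/dev/null 2>&1 && command -v k5start >/dev/null 2>&1; then
    if ! missing_principals "$SAMPLE_KLIST" | grep -qw nslcd; then
        echo "nslcd/$FQDN already in keytab, nothing to do"
    else
        setup_nslcd_keytab
    fi
fi
```

Run the audit against your real keytab with `klist -kt /etc/krb5.keytab | sh -c 'missing_principals "$(cat)"'` style piping, or just call `missing_principals "$(klist -kt /etc/krb5.keytab)"` after sourcing the functions. Point nslcd at the cache with `krb5_ccname FILE:/var/run/nslcd/nslcd.tkt` in nslcd.conf (an nslcd.conf option, path assumed). The two other principals in the thread are unaffected by this: sshd's GSSAPI acceptor still wants host/$FQDN (or `GSSAPIStrictAcceptorCheck no` in /etc/ssh/sshd_config), and `ldapsearch -Y GSSAPI` still asks the KDC for ldap/$FQDN, which the Samba 4 DC already holds.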