I'm new to Kerberos. I don't understand how Samba uses the system keytab (/etc/krb5.keytab) when "use kerberos keytab = true".

Does Samba use service specific tickets?
What tickets does Samba add?
Do I need a cron job to keep them fresh or does Winbind take care of it?

Sorry if these are elementary questions, but the Samba HOWTO didn't help me understand Samba's interaction with Kerberos.

My /etc/krb5.keytab looks like this:

KVNO Principal
---- --------------------------------------------------------------------------
   1 host/schurter3-linux.tremont.local@TREMONT.LOCAL
   0 host/schurter3-linux.tremont@TREMONT.LOCAL
   0 host/schurter3-linux.tremont@TREMONT.LOCAL
   0 host/schurter3-linux.tremont@TREMONT.LOCAL
   0 host/schurter3-linux@TREMONT.LOCAL
   0 host/schurter3-linux@TREMONT.LOCAL
   0 host/schurter3-linux@TREMONT.LOCAL
   0 schurter3-linux$@TREMONT.LOCAL
   0 schurter3-linux$@TREMONT.LOCAL
   0 schurter3-linux$@TREMONT.LOCAL

where schurter3-linux is my computer and TREMONT.LOCAL is the Active Directory Realm. The first ticket was generated on the Active Directory server using the ktpass command as per some Microsoft documentation.

I use Winbind & Kerberos in PAM.

Thanks,
Michael Schurter

Michael Schurter wrote:
> I'm new to Kerberos. I don't understand how Samba uses the system
> keytab (/etc/krb5.keytab) when "use kerberos keytab = true".
>
> Does Samba use service specific tickets?
> What tickets does Samba add?
> Do I need a cron job to keep them fresh or does
> Winbind take care of it?

The keytab simply contains the long term keys for the machine's computer account and is intended for use by Kerberized applications other than Samba (e.g. Apache, OpenSSH, etc...)

cheers, jerry
=====================================================================
Samba    ------- http://www.samba.org
Centeris -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
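
Added example, not part of the original thread and not Samba's code: a minimal reader for the MIT keytab file format (version 0x0502), showing that each entry is a principal, a key version number and a long-term key rather than a ticket. The sample bytes are constructed from two principal names in the listing above; enctype 23, the all-zero keys and the helper names are assumptions.

```python
import struct

def counted(buf, off):  # counted octet string: uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, enctype, key_len)] from a 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size < 0:                  # negative size marks a deleted entry
            off += -size
            continue
        end = off + size
        if size == 0 or end > len(buf):
            raise ValueError("malformed entry length")
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, p = counted(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(buf, p)
            comps.append(comp.decode())
        p += 8                        # skip name_type and timestamp
        kvno = buf[p]                 # 8-bit key version number
        (enctype,) = struct.unpack_from(">H", buf, p + 1)
        key, p = counted(buf, p + 3)
        if end - p >= 4:              # optional 32-bit kvno, used if non-zero
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, len(key)))
        off = end
    return entries

def build_entry(principal, kvno, enctype, key):  # only builds the sample below
    name, realm = principal.rsplit("@", 1)
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = [cs(c.encode()) for c in name.split("/")]
    body = (struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(comps)
            + struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + cs(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: names from the listing; enctype 23 and zero keys are assumed.
SAMPLE = b"\x05\x02" + b"".join(build_entry(p, k, 23, bytes(16)) for p, k in [
    ("host/schurter3-linux.tremont.local@TREMONT.LOCAL", 1), ("schurter3-linux$@TREMONT.LOCAL", 0)])

if __name__ == "__main__":
    print(parse_keytab(SAMPLE))
```

Repeated principals with the same KVNO, as in the listing above, appear as separate entries that differ in encryption type.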