On 28.08.2013 19:11, steve wrote:
> If you're happy with plain text passwords being passed over the network
> then use them. There may be some admins that will not be able to do that
> though, so. . .

Ok. This is a good argument I haven't thought about. In production I have used LDAPS. But the HowTo is currently describing it in plain text, right.



> You may want to kerberise it. It's very easy: you don't need to create
> anything new. Just use an object you already have. You always have a
> machine key for example.

Good idea with the machine key.
If I use the machine account, then I have to re-export the keytab if I rejoin the machine, right?



> On the DC, you'll have to extract its keytab
> but otherwise, away you go:
>
>   k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt &
>
> If you need to be up more than 10 hours a day and if you don't like
> k5start, cron it.
>
> The clients already have the keytab so nothing else to do.
> HTH


Thanks for that information. It clarifies some questions that came up with the first Kerberos tries.


Regards,
Marc
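
The "cron it" alternative to k5start mentioned in the thread, as an added example that is not part of the original messages. It assumes MIT Kerberos `kinit`/`klist`; the function names, the script path and the `MYHOST$@EXAMPLE.COM` principal are constructed placeholders.

```shell
#!/bin/sh
# Added example: cron-driven replacement for the k5start line in the thread.
# Assumes MIT Kerberos kinit/klist; function names are hypothetical.
KINIT=${KINIT:-kinit}
KLIST=${KLIST:-klist}

# cache_is_safe CACHE OWNER
# True only if CACHE is a regular file (a symlink planted in /tmp fails),
# owned by OWNER, with mode exactly 600.
cache_is_safe() {
    [ -n "$(find "$1" -prune -type f -user "$2" -perm 600 2>/dev/null)" ]
}

# refresh_ticket KEYTAB PRINCIPAL CACHE OWNER
# Prints "valid", "renewed" or "failed"; returns non-zero only on failure.
refresh_ticket() {
    keytab=$1 principal=$2 cache=$3 owner=$4
    # A safe cache holding an unexpired ticket needs no work.
    if cache_is_safe "$cache" "$owner" && "$KLIST" -s -c "$cache"; then
        echo valid
        return 0
    fi
    # Get the ticket into a private temp file (mktemp creates it mode 600),
    # then rename it over the cache: rename replaces a symlink, it never
    # follows one, and nslcd never sees a half-written cache.
    tmp=$(mktemp "$cache.XXXXXX") || return 1
    if "$KINIT" -k -t "$keytab" -c "$tmp" "$principal" &&
       chown "$owner" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$cache"
    then
        echo renewed
        return 0
    fi
    rm -f "$tmp"
    echo failed
    return 1
}

# Cron usage (script path and principal are constructed placeholders):
#   */30 * * * * /usr/local/sbin/nslcd-tkt.sh /etc/krb5.keytab 'MYHOST$@EXAMPLE.COM' /tmp/nslcd.tkt nslcd-user
if [ "$#" -eq 4 ]; then
    refresh_ticket "$@"
fi
```

Run it as root so the `chown` to the nslcd user succeeds.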
