On Wed, 2013-08-28 at 19:27 +0200, Marc Muehlfeld wrote:
> On 28.08.2013 19:11, steve wrote:
> > If you're happy with plain text passwords being passed over the network
> > then use them. There may be some admins that will not be able to do that
> > though, so. . .
>
> Ok. This is a good argument I haven't thought about. In production I
> have used LDAPS. But the HowTo is currently describing it in plain text,
> right.
>
> > You may want to kerberise it. It's very easy: you don't need to create
> > anything new. Just use an object you already have. You always have a
> > machine key for example.
>
> Good idea with the machine key.
> If I use the machine account, then I have to re-export the keytab if I
> rejoin the machine, right?

No. Once you have exported the key to the keytab on the DC, that's it.
Forever. The question doesn't make sense on a client.

If you're on the DC, you do not have a default keytab, erm, by default,
so just extract the machine key manually. On a remote client, the
process of joining the domain with security=ADS and kerberos method =
something will automatically create the keytab for you.

HTH
Steve