Adding your tip to the smb.conf did the trick.

    [global]
    client signing = mandatory
    client use spnego = yes
    kerberos method = secrets and keytab

net join ads and the keytab is written and can be used by sssd. Also the timestamps are from now and not the 70s. So it seems to work with 2003 SFU. Perfect & thanks a lot :)

You might add "klist -kte" and "net ads status/info" to the documentation as well, as they help a lot in verifying what's happening.

Sorry, a question anyway: using the keytab just eases the issue with plaintext binding credentials, but it is actually still a 'weakness': stealing this key enables you to access the Active Directory from anywhere anyway, no? Is there a scenario where the 'challenging' username/password is taken to authenticate against the AD? E.g. the credentials I just ssh/pam-entered are used against LDAP instead of any pre-configured credentials?

Cheers
Josh

-----Original Message-----
From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-boun...@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: Wednesday, 23 November 2011 23:33
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question

On Wed, 23 Nov 2011, Josh Geisser wrote:

> Thanks for the answer, will check soon.
>
> Joining the machine actually works as far as I understand: it creates the
> computer object in LDAP and is visible in the AD management utility.
>
> But it doesn't write any local /etc/krb5.keytab, which I assume SSSD or the
> krb5-tools will use, not?
>
> Want to try your additional smb.conf parameters and I'll come back to you

Will update the article with some more notes on this tomorrow. My config was for samba 3.5, I don't know what version you're running. You definitely need the keytab line in your config (that line is different in 3.0 but you'll find it in the man page). Once you've done that, join the domain again, and /etc/krb5.keytab should be created, and yes, that's what sssd uses.

jh
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel

--
----
ASG at hnet
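The thread makes two points worth checking mechanically after a "net ads join": the keytab should now hold keys with a current timestamp rather than the 1970 dates seen before the "kerberos method = secrets and keytab" fix, and, as Josh notes, the keytab is a machine credential whose theft is as bad as a leaked bind password, so it must be readable by root only. The script below is an added example written for this thread, not code from the SSSD or Samba projects. It assumes MIT Kerberos' "klist -kte" column layout (KVNO, Timestamp, Principal) and a keytab at /etc/krb5.keytab; the sample klist output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Post-join keytab sanity check (added example; assumptions noted inline).
#  1. /etc/krb5.keytab must be mode 0600 and owned by root: whoever can
#     read it holds the machine account's key.
#  2. Every key entry must carry a real timestamp, not a 1970 epoch date.
# Usage: sh keytab-check.sh [/path/to/keytab]   (needs root to read it)

KEYTAB_DEFAULT=/etc/krb5.keytab

# Constructed sample of MIT "klist -kte" output (assumed format), used to
# illustrate the parsing when no real keytab is at hand.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/24/11 09:15:02 host/box.example.com@EXAMPLE.COM (arcfour-hmac)
   2 11/24/11 09:15:02 BOX$@EXAMPLE.COM (arcfour-hmac)'

# keytab_mode_ok FILE: succeed only if FILE exists and is exactly mode 0600.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -perm 0600)" ]
}

# keytab_owner_ok FILE: succeed only if FILE is owned by root.
keytab_owner_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -user root)" ]
}

# count_key_entries KLIST_OUTPUT: number of key lines (those starting with
# a numeric KVNO); header and separator lines are ignored.
count_key_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# count_epoch_entries KLIST_OUTPUT: key lines whose date ends in /70 or
# /1970, i.e. the bogus epoch timestamps seen before the smb.conf fix.
count_epoch_entries() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && $2 ~ /\/(19)?70$/ { n++ } END { print n + 0 }'
}

# check_keytab FILE: run all checks against a real keytab, print findings,
# return non-zero if anything is wrong.
check_keytab() {
    f="$1"; rc=0
    keytab_mode_ok "$f"  || { echo "FAIL: $f is not mode 0600"; rc=1; }
    keytab_owner_ok "$f" || { echo "FAIL: $f is not owned by root"; rc=1; }
    out="$(klist -kte "$f" 2>/dev/null)" ||
        { echo "FAIL: klist -kte $f failed (no keytab or unreadable)"; return 1; }
    [ "$(count_key_entries "$out")" -gt 0 ] ||
        { echo "FAIL: $f contains no keys; re-run the join"; rc=1; }
    [ "$(count_epoch_entries "$out")" -eq 0 ] ||
        { echo "FAIL: $f has key entries dated 1970; check 'kerberos method'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $f has current keys and is root-only"
    return "$rc"
}

# Only touch a real keytab when a path was given on the command line.
if [ "$#" -gt 0 ]; then
    check_keytab "${1:-$KEYTAB_DEFAULT}"
fi
```

The two parsing helpers work on the klist text alone, so they can be pointed at saved output from another host; the permission helpers use find's exact -perm match so a 0640 keytab fails rather than passing as "at least restrictive enough".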