On Tue, 2016-08-23 at 14:31 +0200, Sumit Bose wrote:
> On Wed, Aug 17, 2016 at 11:39:35AM +0000, Joakim Tjernlund wrote:
> >
> > If I add --service-name="nfs" when joining a domain I do not get any
> > host/* or RestrictedKrbHost/* entries in my keytab. Is this intentional?
>
> Yes, this is expected behavior. 'host/' and 'RestrictedKrbHost/' are
> used by default if no --service-name is used. If you want to use 'nfs/'
> and the others too you have to specify them explicitly, i.e.
>
> --service-name=nfs --service-name=host --service-name=RestrictedKrbHost
>
> The reason is to allow better control over which service is allowed
> to offer Kerberos/GSSAPI authentication. E.g. if on the NFS server you
> do not want sshd to use GSSAPI there is no need for a 'host/' principal.
>
Right, I was just really surprised by this.

I have noticed there is a difference between --service-name=host and --user-principal=....
--user-principal only creates the long/FQDN keytab entry while --service-name=host creates
two: both the FQDN and the short host/hostname entry. Why? Is the short form needed for
something?

 Jocke
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
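Added illustration, not code from the thread or from adcli/SSSD: a small Python check of which service principals a keytab actually holds, so an admin can confirm after a join that every service they rely on has both its FQDN and short-name entry. The keytab is built in memory from constructed sample data (hostnames nfs1/nfs1.example.com, realm EXAMPLE.COM, dummy key bytes); on a real host you would read /etc/krb5.keytab instead.

```python
import struct
from typing import List

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 2


def _counted(b: bytes) -> bytes:
    """Encode a counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, off: int):
    """Decode a counted_octet_string at offset; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def build_keytab(principals: List[str], realm: str = "EXAMPLE.COM") -> bytes:
    """Construct a minimal v2 keytab in memory (sample data only: the key
    material is 32 zero bytes, nothing a KDC ever issued)."""
    out = bytearray(KEYTAB_MAGIC)
    for kvno, princ in enumerate(principals, start=1):
        comps = princ.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno)        # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", 18, 32) + b"\x00" * 32  # aes256-cts enctype + dummy key
        out += struct.pack(">i", len(body)) + body         # positive size = live entry
    return bytes(out)


def keytab_principals(data: bytes) -> List[str]:
    """Parse a v2 keytab and return each live entry's principal as 'svc/host@REALM'."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, result = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:          # negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _read_counted(entry, 2)   # v2: realm comes before the components
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(entry, off)
            comps.append(c)
        result.append("/".join(comps) + "@" + realm)   # key bytes are deliberately not returned
    return result


def missing_principals(data: bytes, services, short_host, fqdn, realm="EXAMPLE.COM"):
    """Service principals the keytab lacks, checking the short and FQDN form of each."""
    have = set(keytab_principals(data))
    want = {f"{s}/{h}@{realm}" for s in services for h in (short_host, fqdn)}
    return sorted(want - have)
```

Running missing_principals over a keytab produced by a join with only --service-name=nfs lists the absent host/ and RestrictedKrbHost/ entries, which is exactly the situation described in the thread.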
