On Tue, Aug 23, 2016 at 01:47:30PM +0000, Joakim Tjernlund wrote:
> On Tue, 2016-08-23 at 14:31 +0200, Sumit Bose wrote:
> > On Wed, Aug 17, 2016 at 11:39:35AM +0000, Joakim Tjernlund wrote:
> > >
> > > If I add --service-name="nfs" when joining a domain I do not get any
> > > host/* or RestrictedKrbHost/* entries in my keytab. Is this intentional?
> >
> > Yes, this is expected behavior. 'host/' and 'RestrictedKrbHost/' are
> > used by default if no --service-name is used. If you want to use 'nfs/'
> > and the others too you have to specify them explicitly, i.e.
> >
> > --service-name=nfs --service-name=host --service-name=RestrictedKrbHost
> >
> > The reason is to allow better control over which service is allowed
> > to offer Kerberos/GSSAPI authentication. E.g. if on the NFS server you
> > do not want sshd to use GSSAPI there is no need for a 'host/' principal.
> >
>
> Right, I was just really surprised by this.
> I have noticed there is a difference between --service-name=host and
> --user-principal=....
> --user-principal only creates the long/FQDN keytab entry while
> --service-name=host creates both the FQDN and the short host/hostname entry.
> Why? Is the short form needed for something?
See my reply to your other email, service principals and user principals are
different things in AD.

bye,
Sumit

>
> Jocke
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
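Added example, not code from the thread or from adcli/SSSD: a POSIX shell check that lists which service-name prefixes a keytab actually holds and reports any required ones that are missing. It lets you confirm that a join with an explicit --service-name list produced exactly the principals the services on the host need (nfs/ on an NFS server, host/ only if sshd or similar is meant to accept GSSAPI) and nothing more. The two klist -k listings are constructed sample output, EXAMPLE.COM and the hostnames are placeholders, and the adcli join command in the comment is assumed to be the tool these options belong to.

```shell
#!/bin/sh
# Added example (not from the thread). Verify which service principals a keytab
# holds before enabling GSSAPI for a service. Assumes MIT Kerberos klist(1) output
# format; the listings below are constructed, EXAMPLE.COM is a placeholder.

# Constructed: keytab after a join with all three service names.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfs1.example.com@EXAMPLE.COM
   2 nfs/NFS1@EXAMPLE.COM
   2 host/nfs1.example.com@EXAMPLE.COM
   2 host/NFS1@EXAMPLE.COM
   2 RestrictedKrbHost/nfs1.example.com@EXAMPLE.COM
   2 RestrictedKrbHost/NFS1@EXAMPLE.COM
   2 NFS1$@EXAMPLE.COM'

# Constructed: keytab after a join with only --service-name=nfs.
SAMPLE_NFS_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfs1.example.com@EXAMPLE.COM
   2 nfs/NFS1@EXAMPLE.COM
   2 NFS1$@EXAMPLE.COM'

# keytab_services LISTING
# Print the distinct service-name prefixes (the text before '/') found in a
# klist -k listing, one per line, in byte order. Entries without a '/' (the
# computer account NFS1$) are not service principals and are skipped.
keytab_services() {
    printf '%s\n' "$1" \
        | awk '$2 ~ /\// { split($2, p, "/"); print p[1] }' \
        | LC_ALL=C sort -u
}

# missing_spns LISTING NAME...
# Print each requested service name that has no entry in the listing.
# Exit status is 0 when nothing is missing, 1 otherwise.
missing_spns() {
    listing=$1
    shift
    present=$(keytab_services "$listing")
    rc=0
    for svc in "$@"; do
        if ! printf '%s\n' "$present" | grep -qxF -- "$svc"; then
            printf '%s\n' "$svc"
            rc=1
        fi
    done
    return $rc
}

# Usage on a real host (not executed here): join with the service names the
# thread lists, then check the resulting keytab.
#   adcli join --service-name=nfs --service-name=host --service-name=RestrictedKrbHost EXAMPLE.COM
#   missing_spns "$(klist -k /etc/krb5.keytab)" nfs host RestrictedKrbHost

echo "services in full keytab:"
keytab_services "$SAMPLE_KLIST"
echo "missing from nfs-only keytab (expecting host and RestrictedKrbHost):"
missing_spns "$SAMPLE_NFS_ONLY" nfs host RestrictedKrbHost || true
```

The check only reads a keytab listing, so it can run as a post-join step or as a periodic audit to catch a host that was re-joined with the default service set and silently gained a host/ principal it was not meant to have.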
