If I add --service-name="nfs" when joining a domain I do not get any host/* or RestrictedKrbHost/* entries in my keytab. Is this intentional?
Jocke
On Wed, Aug 17, 2016 at 11:39:35AM +0000, Joakim Tjernlund wrote:
> If I add --service-name="nfs" when joining a domain I do not get any host/* or RestrictedKrbHost/* entries in my keytab. Is this intentional?
Yes, this is expected behavior. 'host/' and 'RestrictedKrbHost/' are used by default if no --service-name is used. If you want to use 'nfs/' and the other too you have to specify them explicitly. i.e.
--service-name=nfs --service-name=host --service-name=RestrictedKrbHost
The reason is to allow a better control about which service is allowed to offer Kerberos/GSSAPI authentication. E.g. if on the NFS server you do not want sshd to use GSSAPI there is no need for a 'host/' principal.
HTH
bye, Sumit
Jocke
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
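Added example, not code from the thread or from adcli/SSSD: the join with all three service names spelled out as Sumit describes, followed by a small check that lists which service principals a keytab actually contains, so that an admin can confirm the keytab exposes only the services meant to offer GSSAPI on that host (no host/ entry for sshd on a pure NFS server, for instance). It assumes the join tool is adcli (the --service-name and --user-principal options discussed are adcli's); the host name, realm and klist output below are constructed, not taken from the thread.

```shell
# Added example, not from the thread or from adcli/SSSD. Assumption: the join
# tool is adcli; host/realm names and the klist output below are constructed.

# The join discussed in the thread (commented out: it needs domain credentials):
#   adcli join --service-name=nfs --service-name=host \
#              --service-name=RestrictedKrbHost example.test
# Afterwards the live check would be:
#   klist -k /etc/krb5.keytab | list_services

# list_services: read "klist -k"-style output on stdin and print the distinct
# service-name prefixes (the part before "/"), space-separated, in C-locale order.
list_services() {
    awk '
        # keytab entry lines look like "   2 nfs/nfshost.example.test@EXAMPLE.TEST";
        # the computer account itself (NFSHOST$@REALM) has no "/" and is skipped
        /@/ { n = split($NF, p, "/"); if (n > 1) seen[p[1]] = 1 }
        END { for (s in seen) print s }
    ' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# check_services EXPECTED: succeed only if the prefixes found on stdin are
# exactly the space-separated, C-locale-sorted list EXPECTED. This catches a
# keytab that carries a service (e.g. host/ for sshd) that was not meant to
# offer GSSAPI on this machine, or one that is missing a service it needs.
check_services() {
    expected=$1
    got=$(list_services)
    [ "$got" = "$expected" ]
}

# Constructed sample of klist -k output after a join with all three
# --service-name options (one FQDN and one short-name entry per service).
SAMPLE_ALL='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 nfs/nfshost.example.test@EXAMPLE.TEST
   2 nfs/nfshost@EXAMPLE.TEST
   2 host/nfshost.example.test@EXAMPLE.TEST
   2 host/nfshost@EXAMPLE.TEST
   2 RestrictedKrbHost/nfshost.example.test@EXAMPLE.TEST
   2 RestrictedKrbHost/nfshost@EXAMPLE.TEST
   2 NFSHOST$@EXAMPLE.TEST'

# Constructed sample after --service-name=nfs alone, as the poster observed.
SAMPLE_NFS_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 nfs/nfshost.example.test@EXAMPLE.TEST
   2 nfs/nfshost@EXAMPLE.TEST
   2 NFSHOST$@EXAMPLE.TEST'

# Stand-alone demonstration: print the services found, then run the check.
printf '%s\n' "$SAMPLE_ALL" | list_services; echo
printf '%s\n' "$SAMPLE_NFS_ONLY" | check_services "nfs" && echo "nfs-only keytab: as intended"
```

The check compares the whole set of service prefixes rather than just looking for the one you wanted, because the thread's point is about what is absent as much as what is present: a host/ key that should not be there is exactly the case the comparison reports.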
On Tue, 2016-08-23 at 14:31 +0200, Sumit Bose wrote:
> On Wed, Aug 17, 2016 at 11:39:35AM +0000, Joakim Tjernlund wrote:
> > If I add --service-name="nfs" when joining a domain I do not get any host/* or RestrictedKrbHost/* entries in my keytab. Is this intentional?
> Yes, this is expected behavior. 'host/' and 'RestrictedKrbHost/' are used by default if no --service-name is used. If you want to use 'nfs/' and the other too you have to specify them explicitly. i.e.
> --service-name=nfs --service-name=host --service-name=RestrictedKrbHost
> The reason is to allow a better control about which service is allowed to offer Kerberos/GSSAPI authentication. E.g. if on the NFS server you do not want sshd to use GSSAPI there is no need for a 'host/' principal.
Right, I was just really surprised by this. I have noticed there is a difference between --service-name=host and --user-principal=.... --user-principal only creates the long/FQDN keytab entry while --service-name=host creates 2, both the FQDN and the short host/hostname entry. Why? Is the short form needed for something?
Jocke
On Tue, Aug 23, 2016 at 01:47:30PM +0000, Joakim Tjernlund wrote:
> On Tue, 2016-08-23 at 14:31 +0200, Sumit Bose wrote:
> > On Wed, Aug 17, 2016 at 11:39:35AM +0000, Joakim Tjernlund wrote:
> > > If I add --service-name="nfs" when joining a domain I do not get any host/* or RestrictedKrbHost/* entries in my keytab. Is this intentional?
> > Yes, this is expected behavior. 'host/' and 'RestrictedKrbHost/' are used by default if no --service-name is used. If you want to use 'nfs/' and the other too you have to specify them explicitly. i.e.
> > --service-name=nfs --service-name=host --service-name=RestrictedKrbHost
> > The reason is to allow a better control about which service is allowed to offer Kerberos/GSSAPI authentication. E.g. if on the NFS server you do not want sshd to use GSSAPI there is no need for a 'host/' principal.
> Right, I was just really surprised by this. I have noticed there is a difference between --service-name=host and --user-principal=.... --user-principal only creates the long/FQDN keytab entry while --service-name=host creates 2, both the FQDN and the short host/hostname entry. Why? Is the short form needed for something?
See my reply to your other email, service principals and user principals are different things in AD.
bye, Sumit
Jocke