Re: NFS4 and Kerberos: A-records for same IP inflate the need for service principals
On Wed, Jan 05, 2011 at 07:10:24PM +0100, Petter Reinholdtsen wrote:
[...]
> > I am not an expert regarding that stuff and I don't know if there
> > are other ways to achieve the desired. However, it looks as with the
> > current setup we need service principals for all host aliases.
>
> That isn't too bad, is it? It can be added automatically at install
> time, right?
>
Yes, the creation of the principals is done during installation. The
script kerberos-kdc-init would contain something like:
for name in tjener.intern kerberos.intern ldap.intern domain.intern postoffice.intern syslog.intern; do
    ## create machine principals and add them to the default keytab (/etc/krb5.keytab):
    kadmin.local -q "addprinc -randkey host/$name"
    kadmin.local -q "ktadd host/$name"
    ## create service principals and add them to the keytab; nfs/ and cifs/ go into
    ## /etc/krb5.keytab, the daemons running as their own user get a separate
    ## keytab each so they do not need read access to /etc/krb5.keytab:
    kadmin.local -q "addprinc -randkey nfs/$name"
    kadmin.local -q "ktadd nfs/$name"
    kadmin.local -q "addprinc -randkey cifs/$name"
    kadmin.local -q "ktadd cifs/$name"
    kadmin.local -q "addprinc -randkey ldap/$name"
    kadmin.local -q "ktadd -k /etc/krb5.keytab.ldap ldap/$name"
    kadmin.local -q "addprinc -randkey imap/$name"
    kadmin.local -q "ktadd -k /etc/krb5.keytab.imap imap/$name"
    kadmin.local -q "addprinc -randkey smtp/$name"
    kadmin.local -q "ktadd -k /etc/krb5.keytab.smtp smtp/$name"
done
## hand the per-service keytabs to the accounts the daemons run as:
chown dovecot:dovecot /etc/krb5.keytab.imap
chown openldap:openldap /etc/krb5.keytab.ldap
chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp
However, I don't know if working with that mess of principals is a
good idea in the end. From a first look it seems like this makes an
already complicated and hard-to-debug thing even more confusing, which
also applies to moving individual services to other machines.
Best regards,
Andi
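Added example, not part of the mail above and not the Debian Edu kerberos-kdc-init script: once a loop like the one Andi posted has run, the thing worth checking is that every alias really ended up with a service/alias@REALM entry in the keytab its daemon reads, and that the per-service keytab files are readable only by the account they were chown'ed to. The script below does both. The realm name INTERN, the alias list, and the sample `klist -k` output it ships with are my assumptions for the sake of the demo; `audit_keytab` needs a real keytab and `klist` on the KDC, the rest runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original mail or the Debian Edu scripts):
# audit the keytabs the principal-creation loop is supposed to populate.
# Realm INTERN and the alias list are assumptions copied from that loop.

REALM=${REALM:-INTERN}
ALIASES="tjener.intern kerberos.intern ldap.intern domain.intern postoffice.intern syslog.intern"

# missing_principals SERVICE... < klist-output
# Reads `klist -k` output on stdin and prints one line per
# SERVICE/alias@REALM principal that has no entry in the keytab.
missing_principals() {
    # entry lines look like "   2 host/tjener.intern@INTERN"; keep the
    # principal column of those and skip the "Keytab name:"/"KVNO" header
    entries=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    for svc in "$@"; do
        for name in $ALIASES; do
            princ="$svc/$name@$REALM"
            printf '%s\n' "$entries" | grep -qxF "$princ" || printf '%s\n' "$princ"
        done
    done
}

# keytab_mode_ok FILE OWNER
# Returns 0 if FILE belongs to OWNER and has no group/other permission bits
# (a keytab holds the long-term key: anyone who can read it is that service).
keytab_mode_ok() {
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_keytab FILE OWNER SERVICE...
# Runs both checks against a real keytab, e.g. on the KDC:
#   audit_keytab /etc/krb5.keytab      root    host nfs cifs
#   audit_keytab /etc/krb5.keytab.imap dovecot imap
audit_keytab() {
    keytab=$1; owner=$2; shift 2
    rc=0
    keytab_mode_ok "$keytab" "$owner" || { echo "$keytab: wrong owner or mode"; rc=1; }
    missing=$(klist -k "$keytab" | missing_principals "$@")
    if [ -n "$missing" ]; then
        printf '%s: missing entries:\n%s\n' "$keytab" "$missing"
        rc=1
    fi
    return $rc
}

# Constructed sample of `klist -k /etc/krb5.keytab.imap` output in which only
# two of the six aliases were provisioned, so the demo runs without a KDC.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab.imap
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/tjener.intern@INTERN
   2 imap/postoffice.intern@INTERN'

# demo_missing: prints the imap/ principals the sample keytab lacks.
demo_missing() {
    printf '%s\n' "$SAMPLE_KLIST" | missing_principals imap
}

demo_missing
```

Run it as is to see the four imap/ principals the sample is missing; on a real server call `audit_keytab` per keytab as in the comment. A client that resolves ldap.intern will ask the KDC for ldap/ldap.intern@INTERN, so an alias without an entry shows up as an opaque "server not found in Kerberos database" or "key table entry not found" error; this check finds that before a user does.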