
Re: NFS4 and Kerberos: A-records for same IP inflate the need for service principals



On Wed, Jan 05, 2011 at 07:10:24PM +0100, Petter Reinholdtsen wrote:
[...]
> > I am not an expert regarding that stuff and I don't know if there
> > are other ways to achieve the desired. However, it looks as with the
> > current setup we need service principals for all host aliases.
> 
> That isn't too bad, is it?  It can be added automatically at install
> time, right?
> 

Yes, the creation of the principals is done during installation. The
script kerberos-kdc-init would contain something like:

    for name in tjener.intern kerberos.intern ldap.intern domain.intern postoffice.intern syslog.intern; do
        ## create machine principals and add them to the keytab
        ## (ktadd without -k writes to the default /etc/krb5.keytab):
        kadmin.local -q "addprinc -randkey host/$name"
        kadmin.local -q "ktadd host/$name"
        ## create service principals and add them to the keytab;
        ## ldap, imap and smtp get keytab files of their own so the
        ## daemons can read their key without access to /etc/krb5.keytab:
        kadmin.local -q "addprinc -randkey nfs/$name"
        kadmin.local -q "ktadd nfs/$name"
        kadmin.local -q "addprinc -randkey cifs/$name"
        kadmin.local -q "ktadd cifs/$name"
        kadmin.local -q "addprinc -randkey ldap/$name"
        kadmin.local -q "ktadd -k /etc/krb5.keytab.ldap ldap/$name"
        kadmin.local -q "addprinc -randkey imap/$name"
        kadmin.local -q "ktadd -k /etc/krb5.keytab.imap imap/$name"
        kadmin.local -q "addprinc -randkey smtp/$name"
        kadmin.local -q "ktadd -k /etc/krb5.keytab.smtp smtp/$name"
    done
    ## hand the per-service keytabs to the users the daemons run as:
    chown dovecot:dovecot /etc/krb5.keytab.imap
    chown openldap:openldap /etc/krb5.keytab.ldap
    chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp

However, I don't know if working with that mess of principals is a
good idea in the end. From a first look it seems like making an
already complicated and hard-to-debug thing even more confusing, which
also applies to moving individual services to other machines.

Best regards,

     Andi
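The per-alias principal loop above, reworked as an added example (this is not the Debian Edu kerberos-kdc-init script and not Andi's code). It generates the kadmin.local queries from a table of services instead of spelling each one out, skips principals the KDC already has, and adds the check a practitioner wants afterwards: that every expected principal really landed in its keytab. Two things it handles that the plain loop does not: re-running `ktadd` re-randomizes a principal's key and bumps its kvno, which silently invalidates any other copy of that keytab, so existing principals are left alone and `ktadd` is given `-norandkey` (a kadmin.local-only option) so the key set by `addprinc -randkey` is the one extracted. The realm name INTERN, the alias list passed by the caller and the service table (owners taken from the message above) are assumptions.

```shell
#!/bin/sh
# Added example (not the Debian Edu kerberos-kdc-init script): build the
# kadmin.local queries for every host alias x service, skipping principals
# the KDC already has, then apply them and check the resulting keytabs.
# Assumptions: the realm name INTERN, the alias list passed by the caller,
# and the service table below (owners taken from the message above).

REALM=${REALM:-INTERN}
KADMIN=${KADMIN:-kadmin.local}

# Constructed service table: "service keytab owner", one entry per line.
# Entries that use /etc/krb5.keytab stay root-owned; the others are
# handed to the daemon that needs them.
SERVICES='
host /etc/krb5.keytab root
nfs /etc/krb5.keytab root
cifs /etc/krb5.keytab root
ldap /etc/krb5.keytab.ldap openldap
imap /etc/krb5.keytab.imap dovecot
smtp /etc/krb5.keytab.smtp Debian-exim
'

# gen_principal_cmds ALIASES EXISTING
#   ALIASES:  whitespace-separated host aliases (tjener.intern ldap.intern ...)
#   EXISTING: newline-separated principals already in the KDC (output of
#             kadmin.local -q listprincs). Those are skipped: ktadd
#             re-randomizes the key by default, which bumps the kvno and
#             invalidates any keytab copy that was already handed out.
#   Prints one kadmin.local query per line. ktadd gets -norandkey
#   (kadmin.local only) so the key set by addprinc -randkey is extracted
#   as is, without bumping the kvno a second time.
gen_principal_cmds() {
    aliases=$1
    existing=$2
    for name in $aliases; do
        printf '%s\n' "$SERVICES" | while read -r svc keytab owner; do
            [ -n "$svc" ] || continue
            princ="$svc/$name@$REALM"
            if printf '%s\n' "$existing" | grep -qxF "$princ"; then
                continue
            fi
            printf 'addprinc -randkey %s\n' "$princ"
            printf 'ktadd -k %s -norandkey %s\n' "$keytab" "$princ"
        done
    done
}

# apply_principals ALIASES: run the generated queries against the KDC and
# give the per-service keytabs to their owners. Needs root on the KDC.
apply_principals() {
    existing=$($KADMIN -q listprincs)
    gen_principal_cmds "$1" "$existing" | while read -r query; do
        $KADMIN -q "$query"
    done
    printf '%s\n' "$SERVICES" | while read -r svc keytab owner; do
        if [ -n "$svc" ] && [ "$keytab" != /etc/krb5.keytab ]; then
            chown "$owner:$owner" "$keytab"
        fi
    done
}

# verify_keytabs ALIASES: list every expected principal that klist -k does
# not show in its keytab ("kvno principal" lines); non-zero if any is missing.
verify_keytabs() {
    missing=$(
        for name in $1; do
            printf '%s\n' "$SERVICES" | while read -r svc keytab owner; do
                [ -n "$svc" ] || continue
                klist -k "$keytab" 2>/dev/null \
                    | grep -q "[[:space:]]$svc/$name@$REALM\$" \
                    || echo "$svc/$name@$REALM not in $keytab"
            done
        done
    )
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# Usage on the KDC (as root):
#   apply_principals "tjener.intern kerberos.intern ldap.intern"
#   verify_keytabs   "tjener.intern kerberos.intern ldap.intern"
```

Moving a service to another machine then becomes: add that machine's name to the alias list for just that service's row, run `apply_principals`, and copy only the service's own keytab file, which is why the example keeps ldap, imap and smtp out of /etc/krb5.keytab.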

