Ubuntu-Join-Client: Host keytab


#1

Hi,

At the moment I am trying to get some UCC experience with the “new” join client. Unluckily the client doesn’t create a host keytab for kerberizing services like SSH. It would be very nice if this functionality could be implemented.

In the meantime: How can I do this myself?

Cheers,
SirTux


#2

I’ve ported the UCC way to Ubuntu. It shouldn’t be difficult to implement this in the join assistant, so I don’t understand why this isn’t implemented yet.

Also it shouldn’t be a problem to copy the host certificate to the Ubuntu system.

EDIT: Corrected second sentence


#3

The possibility to specify a site DC that is used instead of the master DC would also be very helpful.


#4

Hey,

Joining an Ubuntu client to the domain requires creating an object in the OpenLDAP server, and all write operations against the OpenLDAP server must always be done on the DC Master. The OpenLDAP sync structure to other UCS DCs is unidirectional: from the DC Master to all the other servers.

This is different from joining Windows clients as Windows clients join against the Samba AD DC, and all AD DCs have bidirectional sync. When a Windows client joins, the corresponding server objects are created in the site’s Samba DC. From there they’re replicated to all the other Samba DCs which includes one on your UCS DC Master. From there the S4 connector syncs the object from the Samba DC to the OpenLDAP.

So while it would be possible to retrieve certain information from a site DC (most likely a UCS DC Slave), it wouldn’t actually help all that much, as the DC Master would still have to be contacted for any write operation.

Kind regards
mosu


#5

Hi,

I know the sync structure of UCS.

My request was to allow specifying a site DC that will be used for the authentication process. This was possible with UCC.

Kind regards,
SirTux


#6

Ah, I see. That wasn’t exactly clear from your earlier question. I don’t know the answer to that.


#7

No problem :slight_smile:

I’ve already tested changing the files manually, but the authentication process wasn’t working properly afterwards.