HP CIFS Server 3.0d Administrator's Guide version A.02.02 (Edition 5)
Kerberos Support
HP-UX Kerberos Application Co-existence
Chapter 8 187
Step 3. To configure the HP CIFS Server to read /etc/krb5.keytab, set the
use kerberos keytab parameter in /etc/opt/samba/smb.conf to
yes.
An example of /etc/opt/samba/smb.conf is as follows:
[global]
workgroup = MYREALM
realm = MYREALM.HP.COM
netbios name = atcux5
server string = Samba Server
interfaces = 15.43.214.58
bind interfaces only = Yes
security = ADS
password server = HPATCWIN2K4.MYREALM.HP.COM
use kerberos keytab = yes
Step 4. Validate your configuration by starting the HP CIFS Server, logging on
to the domain with clients, and mounting an HP CIFS share.
Now the HP CIFS Server can authorize the Windows client to access the
server share, using Kerberos in the Windows domain and the keytab file
on the HP CIFS Server. However, an HP-UX Internet Services user
cannot gain system access using Kerberos with the system in this state.
Kerberos Modification for Internet Services
The Internet Services product utilizes its own Kerberos library set that
is delivered with the product. This library set does not recognize the
WRFILE attribute in the /etc/krb5.conf file as a valid attribute.
Therefore, the default_keytab_name parameter is invalid, and the
Internet Services application cannot find the Kerberos keytab file to
access the secret key.
To modify this configuration for HP-UX Internet Services interoperation,
you must modify the /etc/krb5.conf file to remove or comment out the
WRFILE attribute. This does not affect HP CIFS Server authentication,
because the krb5.conf default_keytab_name parameter is only used
by HP CIFS Server for the creation of the /etc/krb5.keytab file.
The following shows an sample of /etc/krb5.conf for HP-UX Internet
Services interoperation:
# Kerberos configuration