PATCH: Slightly revised patch to enable use of the system keytab
Dan Perry
dperry at pppl.gov
Wed Apr 14 13:13:14 GMT 2004
Hi all,
Here's another, slightly revised version of a keytab patch that incorporates
some changes based upon comments I've received from the last patch I sent a
few days ago. Below is a bit of background / documentation on the patch.
Again, this patch was done again samba-3.0.3pre2, and was tested using a
Windows 2003 domain and MIT Kerberos 1.3.{1,2,3}. However, this patch should
also work in a Windows 2000 environment and with other versions of Kerberos.
-Dan
----------- Info on the patch ------------
What does this patch do?
This patch changes the default storage location for Kerberos keytabs to the
system keytab file. This allows other applications, such as SSH, AFS, LDAP
servers, etc. to use the same keytabs samba does. Also, this patch provides
some additional commands to the net utility that allow keytabs to be created
/ updated / managed in a convenient manner.
Why would I want to apply this patch?
This patch was originally designed for a network in which active directory
will be serving as a Kerberos server for both Linux and Windows machines.
Without this patch, such an environment will most likely encounter problems
like those described in samba bug #538 (see https://bugzilla.samba.org for
details).
How do I get started once I've applied this patch?
Once you have the patch applied and have samba built and installed, you'll
need to add the following line to the global section of smb.conf:
Keytab file = /path/to/file.keytab
A typical path is /etc/krb5.keytab. Check your Kerberos documentation you
may to determine the desired place for your keytab file. Once this is done,
use 'kinit' to appropriate credentials for your domain (or you can let net
does this for you), and use 'net ads join' to join (or re-join) your samba
machine to Active Directory. If all goes well, your keytab file will be
populating after the join. To check this, use 'klist -k' to check the
contents of the file. Once this is done, you'll be able to have other
applications, such as openssh, take advantage of the system keytab and do
Kerberos authentication.
How do I add other principals to my keytab?
To support other applications, such as an LDAP server, you may want to add
other principals. To do this, use 'net ads keytab add XXXXX', where XXXXX is
the name of the principal you wish to add. Note that custom principals will
NOT be preserved if you do:
net ads keytab create
net ads join
net ads keytab flush
net ads changetrustpw
after creating your keytab and adding custom principals. The above commands
will reset your keytab to a default state in order to assure that samba is
working correctly. If you need to run / accidentally run one of the above
commands and lose your custom principal, it can easily be recreated by
re-running 'net ads keytab add XXXXX'.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keytab.v3.samba-3.0.3pre2.diff
Type: application/octet-stream
Size: 33950 bytes
Desc: keytab.v3.samba-3.0.3pre2.diff
Url : http://lists.samba.org/archive/samba-technical/attachments/20040414/2a26939e/keytab.v3.samba-3.0.3pre2.obj
More information about the samba-technical
mailing list