Patch: System keytab usage improvements

Dan Perry dperry at pppl.gov
Mon May 31 22:20:12 GMT 2004 

Hi all,

Here is a patch to samba-3.0.5pre1 that enables use of a file system keytab,
and enhances keytab functionality.   You can download the patch from here:

http://www.pppl.gov/~dperry/patches/keytab.v5.samba-3.0.5pre1.diff

This patch is a combination of the previous patches I've submitted, and
applying it will do the following things:


- adds a set of 'net ads keytab' commands

- makes 'net ads join' write out a keytab with, at minimum, host and cifs
entries, to the default system keytab.

- makes 'net ads changetrustpw' update all entries in the system keytab when
the password is changed.

- determines the kvno from a windows 2003 domain controller by doing an ldap
lookup.   The kvno for a 2000 domain is always 0.

- uses a fully qualified domain name for the keytab entries, instead of a
netbios style name.

- keeps the older (current kvno - 1) entries in the system keytab when the
machine password is changed.   This prevents clients with existing session
tickets for breaking when the machine password is changed and the kvno
increments.   This behavior is exactly what Microsoft does.

- makes smbd's kerberos_verify() routine check the default system keytab.
Since the default system keytab will have entries with the current kvno and
kvno - 1, as per the comment above, this allows smbd to use the older kvno -1
keytab entry and prevents a machine password change from interrupting exist
client sessions.

- adds 'net ads keytab add <principal>' command that allows net to add other
entries into the keytab, for other kerberized service like ldap or afs.

- adds 'net ads keytab flush' which cleans out all entries in the keytab,
allowing you to prevent the kvno - 1 entries from being preserved in the
keytab, if you so desire.

- adds 'net ads keytab create' which creates a new keytab based on the
existing machine password.

- makes sure that any custom principals added to the keytab using 'net ads
keytab add' or another program are both preserved and updated on a machine
password change.


Unlike the older versions of this patch, no new configuration file or compile
time options are introduced.   This patch is designed to use the system
keytab if possible, otherwise samba will ignore the new code and work exactly
as it did before the patch.

Let me know your comments on this patch.

Thanks,
Dan Perry

More information about the samba-technical mailing list