samba + w2k + kerberos + trusted realm
Steve Langasek
vorlon at netexpress.net
Sun Mar 2 01:05:13 GMT 2003
On Sun, Mar 02, 2003 at 01:44:22AM +0100, Love wrote:
> >> - Using a keytab file would solve the problem below. Using /etc/krb5.keytab
> >> is a bad idea; how about a keytab of samba's own? Doing hoops of strace stuff
> >> seems, well, strange.
> > Why is using /etc/krb5.keytab a bad idea? The only reason I've ever seen
> > for using separate keytabs is if you want different services to run in
> > separate security contexts. Samba has to run as root, so
> > /etc/krb5.keytab seems appropriate to me (as much as any keytab is
> > appropriate -- there seem to still be some issues with using the keytab
> > at all).
> What is it that limits samba to root? When I use samba with AFS, being root
> will certainly not help samba access files; what else does samba need?
While you wouldn't need to be root to gain access to a user's AFS-based
files, uid-based access control is at the core of Samba's current
implementation. Using an alternative keytab is only a benefit if this
changes.
> This is not what I feel is the important part of my mail. And the only
> reason why I made the comment was that the comment in the samba code
> did hoops to store the key in the auth context instead of just using a
> keytab.
Well, it's the part I felt I could comment on, since I don't know the
Samba Kerberos code all that well. :) It is my understanding that the
key is being stored in the secrets file instead of in a keytab because
Samba also needs to have the plaintext password for salting, so until
this is addressed, storing the keys in a keytab would only serve to
confuse admins familiar with traditional Unix keytab handling. Or has
this been addressed when I wasn't looking?
--
Steve Langasek
postmodern programmer
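The thread above turns on where the machine key should live: in Samba's secrets file, in the shared /etc/krb5.keytab, or in a keytab of Samba's own. The security consequence of a shared system keytab is that any process able to read it holds every service's key, so an admin who does split keytabs wants a quick way to confirm what a given file actually contains. The following is an added example, not code from the list post or from Samba: a small Python parser for the on-disk keytab format (version 0x0502 as written by MIT and Heimdal) that lists the principals, key version numbers and enctypes in a keytab and flags principals that do not belong to an expected set of services or that use deprecated enctypes. The sample keytab bytes, principal names and realm are constructed inline; `cifs/` and `host/` as the services a Samba keytab is expected to hold is an assumption of the example.

```python
"""Inventory the principals stored in a Kerberos keytab (format version 0x0502).

Added example, not part of Samba or the mailing-list post. Layout assumed
(big-endian, as in MIT krb5 and Heimdal):
  2 bytes   version (0x05 0x02)
  per entry: int32 size (negative = deleted slot), uint16 component count,
             realm and components as (uint16 length, bytes), uint32 name type,
             uint32 timestamp, uint8 kvno, uint16 enctype, uint16 key length,
             key bytes, optional uint32 kvno (used when non-zero).
"""
import struct
from dataclasses import dataclass

# RFC 3961 enctype numbers; DES (RFC 6649), DES3 and RC4 (RFC 8429) are deprecated.
DEPRECATED_ENCTYPES = {1, 2, 3, 16, 23}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int     # key material is not retained, only its length


def parse_keytab(data: bytes) -> list:
    """Parse keytab bytes into KeytabEntry records, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (ln,) = struct.unpack_from(">H", data, off)
            off += 2
            strings.append(data[off:off + ln].decode())
            off += ln
        realm, comps = strings[0], strings[1:]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen                   # step over the key material
        kvno = vno8
        if end - off >= 4:                # 32-bit kvno present; overrides when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, ts, kvno, enctype, klen))
    return entries


def principals_outside(entries: list, allowed_services: set) -> list:
    """Principals whose service (first name component) is not in allowed_services."""
    return sorted(e.principal for e in entries
                  if e.principal.split("/")[0] not in allowed_services)


def deprecated_enctype_principals(entries: list) -> list:
    """Principals keyed with an enctype that should no longer be in use."""
    return sorted(e.principal for e in entries if e.enctype in DEPRECATED_ENCTYPES)


def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialize one keytab entry (used here only to construct sample input)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # NT-PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a "system" keytab that mixes the file server's keys with
# an unrelated mail service key still using rc4-hmac (enctype 23).
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry("host/fs.example.com@EXAMPLE.COM", 3, 18, bytes(32)),   # aes256
    build_entry("cifs/fs.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
    build_entry("imap/mail.example.com@EXAMPLE.COM", 7, 23, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal:40} kvno={e.kvno} enctype={e.enctype} keylen={e.key_len}")
    print("not a file-server principal:", principals_outside(parse_keytab(SAMPLE_KEYTAB), {"host", "cifs"}))
    print("deprecated enctypes:", deprecated_enctype_principals(parse_keytab(SAMPLE_KEYTAB)))
```

Run against a real keytab by reading its bytes into `parse_keytab`; a Samba-only keytab should yield an empty list from `principals_outside` with the services the admin expects, while a populated list from the same call against /etc/krb5.keytab is exactly the "shared security context" the thread argues about.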