samba + w2k + kerberos + trusted realm

Steve Langasek vorlon at netexpress.net
Sun Mar 2 01:05:13 GMT 2003


On Sun, Mar 02, 2003 at 01:44:22AM +0100, Love wrote:

> >> - Using a keytab file would solve the problem below. Using /etc/krb5.keytab
> >> is a bad idea; how about its own keytab for samba? Doing hoops of strace stuff
> >> seems, well, strange.

> > Why is using /etc/krb5.keytab a bad idea?  The only reason I've ever seen
> > for using separate keytabs is if you want different services to run in
> > separate security contexts.  Samba has to run as root, so
> > /etc/krb5.keytab seems appropriate to me (as much as any keytab is
> > appropriate -- there seem to still be some issues with using the keytab
> > at all).

> What is it that limits samba to root? When I use samba with afs, being root
> will certainly not help samba access files; what else does samba need?

While you wouldn't need to be root to gain access to a user's AFS-based
files, uid-based access control is at the core of Samba's current
implementation.  Using an alternative keytab is only a benefit if this
changes.

> This is not what I feel is the important part of my mail. And the only
> reason why I made the comment was the comment in the samba code that
> did hoops to store the key in the auth context instead of just using a
> keytab.

Well, it's the part I felt I could comment on, since I don't know the
Samba Kerberos code all that well. :)  It is my understanding that the
key is being stored in the secrets file instead of in a keytab because
Samba also needs to have the plaintext password for salting, so until
this is addressed, storing the keys in a keytab would only serve to
confuse admins familiar with traditional Unix keytab handling.  Or has
this been addressed when I wasn't looking?

-- 
Steve Langasek
postmodern programmer