Machine account password interoperability for Samba 3.0 secrets.tdb and keytabs

Matt Peterson mpeterson at center7.com
Fri Mar 21 19:15:58 GMT 2003


Hi,

In situations where people are operating in a "kerberized" environment where 
Win2k is the KDC, machine objects will have already been created for machines 
that are participating in the kerberos realm.  

Am I wrong in thinking that there is an interoperability problem with the 
current "net" utility implementation?  It appears as though the "net ads 
join" and "net ads chostpass" commands operate without regard to the fact 
that there may be other applications that rely on keytab files with host 
principals and passwords that have already been set. 

Indeed, this is the case for installations where Win2k kerberos interop is 
already being used.  When trying to configure Samba 3.0 in these 
environments, "net ads join" and "net ads chostpass" will happily change the 
machine account password without allowing any way for keytab based 
applications to update their keytab with the new host principal password.

Samba could allow for a much greater degree of interoperability with other 
kerberized applications if there were some way of getting and setting the 
machine account password in the secrets.tdb.  This way host principal 
passwords in external keytab files could be synchronized with the password 
being used by samba from the secrets.tdb.

Perhaps this is an overly simplistic approach, but it is possible that many 
potential interoperability conflicts could be solved by providing "net 
getmachinepw" and "net setmachinepw" commands.   Since the machine account 
password is stored in clear text already, these new commands would be very 
easy to add. 

Comments?

--
Matt
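The drift Matt describes (Samba rotates the machine account password, and the host principal keys sitting in an external keytab silently stop matching) is detectable from the keytab itself: every entry carries a key version number (kvno), and the directory records the account's current key version too. The following is an added example, not code from the post or from the Samba project: a minimal parser for the MIT version-2 keytab format plus a check that flags host/ entries whose kvno no longer matches the version the KDC reports. The keytab bytes, the hostname fs1.example.com, the realm EXAMPLE.COM and the "current" kvno are all constructed for the example; in practice the current kvno would come from the computer object in AD (the msDS-KeyVersionNumber attribute).

```python
import struct

# MIT keytab file format, version 2: magic 0x0502, all integers big-endian.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1            # name type used for host/ and service principals
ENCTYPE_AES128_CTS_HMAC_SHA1 = 17
ENCTYPE_ARCFOUR_HMAC = 23


def _counted_string(data: bytes, pos: int):
    """Read a uint16-length-prefixed octet string; return (text, new_pos)."""
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length].decode("utf-8"), pos + length


def _parse_entry(data: bytes, pos: int, end: int) -> dict:
    """Parse one keytab entry whose body occupies data[pos:end]."""
    (ncomp,) = struct.unpack_from(">H", data, pos)
    pos += 2
    realm, pos = _counted_string(data, pos)
    components = []
    for _ in range(ncomp):
        comp, pos = _counted_string(data, pos)
        components.append(comp)
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
    pos += 9
    enctype, keylen = struct.unpack_from(">HH", data, pos)
    pos += 4
    key = data[pos:pos + keylen]
    pos += keylen
    kvno = vno8
    # A trailing 32-bit kvno is optional; when present and non-zero it
    # overrides the 8-bit field (needed once the kvno exceeds 255).
    if end - pos >= 4:
        (vno32,) = struct.unpack_from(">I", data, pos)
        if vno32:
            kvno = vno32
    return {"principal": "/".join(components), "realm": realm,
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key": key}


def parse_keytab(data: bytes) -> list:
    """Return a list of entry dicts from a version-2 MIT keytab blob."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version (expected 0x0502)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size         # negative size marks a deleted slot: skip it
            continue
        entries.append(_parse_entry(data, pos, pos + size))
        pos += size
    return entries


def find_stale_host_keys(entries: list, hostname: str, realm: str,
                         current_kvno: int) -> list:
    """Entries for host/<hostname>@<realm> whose kvno differs from the machine
    account's current key version, i.e. keys left behind by a password change."""
    principal = f"host/{hostname}"
    return [e for e in entries
            if e["principal"] == principal and e["realm"] == realm
            and e["kvno"] != current_kvno]


# --- constructed sample keytab (built here for the example, not a real file) --

def _build_entry(principal: str, realm: str, kvno: int, enctype: int,
                 key: bytes, timestamp: int) -> bytes:
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)            # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


_T = 1048271758   # constructed timestamp (March 2003)
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + _build_entry("host/fs1.example.com", "EXAMPLE.COM", 3,
                   ENCTYPE_ARCFOUR_HMAC, bytes(range(16)), _T)
    + _build_entry("host/fs1.example.com", "EXAMPLE.COM", 3,
                   ENCTYPE_AES128_CTS_HMAC_SHA1, bytes(16), _T)
    + struct.pack(">i", -8) + b"\x00" * 8      # a deleted slot (negative size)
    + _build_entry("cifs/fs1.example.com", "EXAMPLE.COM", 3,
                   ENCTYPE_ARCFOUR_HMAC, bytes(range(16, 32)), _T)
)


if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e['principal']}@{e['realm']} kvno={e['kvno']} enctype={e['enctype']}")
    # Pretend "net ads join" just rotated the password: AD now reports kvno 4.
    stale = find_stale_host_keys(entries, "fs1.example.com", "EXAMPLE.COM", 4)
    print(f"{len(stale)} host/ entries no longer match the machine account password")
```

Run against a real keytab, a non-empty result from `find_stale_host_keys` is exactly the situation the post complains about: the keys Samba now uses and the keys the other kerberized services present no longer agree, and those services will fail to decrypt tickets until the keytab is regenerated from the new password.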

