Machine account password interoperablity for Samba 3.0 secrets.tdb
and keytabs
Matt Peterson
mpeterson at center7.com
Fri Mar 21 19:15:58 GMT 2003
Hi,
In situations where people are operating in a "kerberized" environment where
Win2k is the KDC, machine objects will have already been created for machines
that are participating in the kerberos realm.
Am I wrong in thinking that there is an interoperability problem with the
current "net" utility implementation? It appears as though the "net ads
join", and net ads chostpass" commands operate with out regard to the fact
that there may be other applications that rely on keytab files with host
principals and passwords that have already been set.
Indeed, this is the case for installations where Win2k kerberos interop is
already being used. When trying to configure Samba 3.0 in these
environments, "net ads join", and net ads chostpass" will happily change the
machine account password with out allowing any way for keytab based
applications to update their keytab with tne new host principal password.
Samba could allow for a much greater degree of interopablity with other
kerberized applications if there were some way of getting and setting the
machine account password in the secrets.tdb. This way host principal
passwords in external keytab files could be syncronized with the password
being used by samba from the secrets.tdb.
Perhaps this is an overly simplistic approach, but it is possible that many
potential interoperablity conflicts could be solved by providing "net
getmachinepw" and "net setmachinepw" commands. Since the machine account
password is stored in clear text already, these new commands would be very
easy add.
Comments?
--
Matt
More information about the samba-technical
mailing list