Machine account password interoperability for Samba 3.0 secrets.tdb and keytabs

Andrew Bartlett abartlet at samba.org
Fri Mar 21 22:12:23 GMT 2003


On Sat, 2003-03-22 at 06:15, Matt Peterson wrote:
> Hi,
> 
> In situations where people are operating in a "kerberized" environment where 
> Win2k is the KDC, machine objects will have already been created for machines 
> that are participating in the kerberos realm.  
> 
> Am I wrong in thinking that there is an interoperability problem with the 
> current "net" utility implementation?  It appears as though the "net ads 
> join" and "net ads chostpass" commands operate without regard to the fact 
> that there may be other applications that rely on keytab files with host 
> principals and passwords that have already been set. 
> 
> Indeed, this is the case for installations where Win2k kerberos interop is 
> already being used.  When trying to configure Samba 3.0 in these 
> environments, "net ads join" and "net ads chostpass" will happily change the 
> machine account password without allowing any way for keytab based 
> applications to update their keytab with the new host principal password.

Yes. This is a problem.  In the past I have favored a 'krb5 keytab
write' option that would write our password out into the standard
keytab, but there were good reasons not to.  The problem is, I can't
remember what they were.  Mostly 'if somebody changed our password under
us' stuff.  

> Samba could allow for a much greater degree of interoperability with other 
> kerberized applications if there were some way of getting and setting the 
> machine account password in the secrets.tdb.  This way host principal 
> passwords in external keytab files could be synchronized with the password 
> being used by samba from the secrets.tdb.
> 
> Perhaps this is an overly simplistic approach, but it is possible that many 
> potential interoperability conflicts could be solved by providing "net 
> getmachinepw" and "net setmachinepw" commands.   Since the machine account 
> password is stored in clear text already, these new commands would be very 
> easy to add. 

Patches welcome, the last 2 we should have, no matter the long term
solution.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
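The keytab side of the synchronization discussed above, as an added example (not Samba code and not from this thread): a minimal reader and writer for the version-2 keytab file format, so that a tool which learns the new machine-account key after a "net ads join" or "net ads chostpass" can append a host principal entry with a bumped kvno and check which kvno the keytab currently holds. Principal name, realm, timestamp and key bytes are constructed placeholders; deriving the actual Kerberos key from the secrets.tdb password is not shown.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2, big-endian fields
KRB5_NT_PRINCIPAL = 1        # name type used for host/fqdn principals
ENCTYPE_ARCFOUR_HMAC = 23    # rc4-hmac, the enctype a Win2k KDC issues

def _counted(b):             # counted octet string: 16-bit length prefix
    return struct.pack(">H", len(b)) + b

def keytab_entry(principal, realm, kvno, enctype, key, timestamp):
    """Serialize one keytab entry for principal@realm (key bytes as given)."""
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)            # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def read_keytab(data):
    """Parse keytab bytes into dicts; deleted slots (negative size) are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end, (ncomp,) = pos + size, struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                           # realm first, then components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key, pos = data[pos:pos + klen], pos + klen
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(strings[1:]), "realm": strings[0],
                        "kvno": vno32 or vno8, "enctype": etype, "key": key})
        pos = end
    return entries

def current_kvno(data, principal, realm):
    """Highest kvno held for principal@realm, or None if the keytab lacks it."""
    vnos = [e["kvno"] for e in read_keytab(data)
            if e["principal"] == principal and e["realm"] == realm]
    return max(vnos) if vnos else None
```

Comparing current_kvno() against the kvno the KDC reports after a password change tells you whether keytab-based services on the host are about to break.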