Machine account password interoperability for Samba 3.0
secrets.tdb and keytabs
Andrew Bartlett
abartlet at samba.org
Fri Mar 21 22:12:23 GMT 2003
On Sat, 2003-03-22 at 06:15, Matt Peterson wrote:
> Hi,
>
> In situations where people are operating in a "kerberized" environment where
> Win2k is the KDC, machine objects will have already been created for machines
> that are participating in the kerberos realm.
>
> Am I wrong in thinking that there is an interoperability problem with the
> current "net" utility implementation? It appears as though the "net ads
> join" and "net ads chostpass" commands operate without regard to the fact
> that there may be other applications that rely on keytab files with host
> principals and passwords that have already been set.
>
> Indeed, this is the case for installations where Win2k kerberos interop is
> already being used. When trying to configure Samba 3.0 in these
> environments, "net ads join" and "net ads chostpass" will happily change the
> machine account password without allowing any way for keytab based
> applications to update their keytab with the new host principal password.
Yes. This is a problem. In the past I have favored a 'krb5 keytab
write' option that would write our password out into the standard
keytab, but there were good reasons not to. The problem is, I can't
remember what they were. Mostly 'if somebody changed our password under
us' stuff.
> Samba could allow for a much greater degree of interoperability with other
> kerberized applications if there were some way of getting and setting the
> machine account password in the secrets.tdb. This way host principal
> passwords in external keytab files could be synchronized with the password
> being used by samba from the secrets.tdb.
>
> Perhaps this is an overly simplistic approach, but it is possible that many
> potential interoperability conflicts could be solved by providing "net
> getmachinepw" and "net setmachinepw" commands. Since the machine account
> password is stored in clear text already, these new commands would be very
> easy to add.
Patches welcome; the last 2 we should have, no matter the long-term
solution.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
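As an added example (not code from this thread, nor Samba's own), here is the keytab-side half of the synchronisation Matt describes as missing: given the clear-text machine password that a hypothetical `net getmachinepw` would print, write host principal entries into a keytab with MIT `ktutil`. The host name, realm, kvno and enctype list are assumptions chosen for illustration; the kvno must match the current one on the KDC or the entry is useless.

```shell
#!/bin/sh
# Added example: build and apply a ktutil command stream that writes
# host/<fqdn>@<REALM> entries into a keytab from a clear-text machine
# password. Host name, realm, kvno and enctypes are assumptions.
#
# Usage: sync_host_keytab /etc/krb5.keytab host.example.com EXAMPLE.COM 3 "$pw" arcfour-hmac

# Emit the ktutil script: one 'addent' per enctype, then 'wkt' to write.
# 'addent -password' reads the password from standard input, so it follows
# each addent on its own line. Nothing touches the keytab until 'wkt'.
# Caveat: for enctypes other than arcfour-hmac the string-to-key salt must
# match what the KDC used, or the resulting key will not verify.
build_ktutil_script() {
    keytab=$1; fqdn=$2; realm=$3; kvno=$4; password=$5
    shift 5
    for enctype in "$@"; do
        printf 'addent -password -p host/%s@%s -k %s -e %s\n%s\n' \
            "$fqdn" "$realm" "$kvno" "$enctype" "$password"
    done
    printf 'wkt %s\n' "$keytab"
}

# Pipe the script into ktutil (MIT Kerberos). Refuses to run, rather than
# writing a bad entry, if any argument is empty, no enctype was given, or
# ktutil is not installed.
sync_host_keytab() {
    [ $# -ge 6 ] || return 2
    for arg in "$@"; do [ -n "$arg" ] || return 2; done
    command -v ktutil >/dev/null 2>&1 || return 3
    build_ktutil_script "$@" | ktutil
}
```

After writing, `klist -k` on the keytab should list the new entries with the expected kvno; if the KDC's kvno differs, services using the keytab will still fail.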