Machine account password interoperablity for Samba 3.0 secrets.tdb and keytabs

[Matt Peterson]

Andrew,

On Friday 21 March 2003 03:12 pm, Andrew Bartlett wrote:
> On Sat, 2003-03-22 at 06:15, Matt Peterson wrote:
> > Hi,
> >
> > In situations where people are operating in a "kerberized" environment
> > where Win2k is the KDC, machine objects will have already been created
> > for machines that are participating in the kerberos realm.
> >
> > Am I wrong in thinking that there is an interoperability problem with the
> > current "net" utility implementation?  It appears as though the "net ads
> > join", and net ads chostpass" commands operate with out regard to the
> > fact that there may be other applications that rely on keytab files with
> > host principals and passwords that have already been set.
> >
> >  Indeed, this is the case for installations where Win2k kerberos interop
> > is already being used.  When trying to configure Samba 3.0 in these
> > environments, "net ads join", and net ads chostpass" will happily change
> > the machine account password with out allowing any way for keytab based
> > applications to update their keytab with tne new host principal password.
>
> Yes. This is a problem.  In the past I have favored a 'krb5 keytab
> write' option that would write our password out into the standard
> keytab, but there were good reasons not to.  The problem is, I can't
> remember what they were.  Mostly 'if somebody changed our password under
> us' stuff.

One problem with this approach is the question of  "where is standard 
keytab?".  It turns out that with both MIT and Heimdal, the location of the 
"standard" keytab can be set with an environment variable and in the 
krb5.conf file.  Is suppose that you could use the the MIT/Heimdal keytab 
APIs and allow the implementation to figure this out for you...    

> > Samba could allow for a much greater degree of interopablity with other
> > kerberized applications if there were some way of getting and setting the
> > machine account password in the secrets.tdb.  This way host principal
> > passwords in external keytab files could be syncronized with the password
> > being used by samba from the secrets.tdb.
> >
> > Perhaps this is an overly simplistic approach, but it is possible that
> > many potential interoperablity conflicts could be solved by providing
> > "net getmachinepw" and "net setmachinepw" commands.   Since the machine
> > account password is stored in clear text already, these new commands
> > would be very easy add.
>
> Patches welcome, the last 2 we should have, no matter the long term
> solution.

I will send the patch first on Monday.  

Cheers,

--
Matt