Support of existing krb5 keytab files.

Jeremy Allison jra at samba.org
Wed Oct 1 00:58:08 GMT 2003


Hi all,

	I'm looking into modifying Samba for the 3.0.1 release so that it will
support existing krb5 keytab files. The easiest way to do this is to allow
an smb.conf option "use krb5 keytab" or something similar which will cause
smbd not to look in the secrets.tdb for the server account password and to
change the kerberos_verify code to just use default arguments to get the
installed krb5 keytab for this server.

The problem with this is that existing server passwords in secrets.tdb
would be ignored. 

The second option is to provide a way to export existing server passwords
from secrets.tdb into a standard krb5 keytab. Of course, Heimdal and MIT
do this differently (bastards :-) making life hell for app developers,
and also there is the question of what kvno to use. W2K AD controllers
don't change the kvno on machine account password update, W2K3 AD controllers
do. According to Luke Howard there is an LDAP query to get the existing
kvno for a current machine account password, but this is getting more
and more complicated to code. And that's not even mentioning the possibility
of differing encryption types... :-(.

As I'm not currently running krb5 samba servers in production, but
just testing and writing the code, I'd appreciate some advice on the
correct way to proceed from people who are using this in production
and from vendors shipping krb5 etc.

Cheers,

	Jeremy.
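
The design question in the message turns on what a krb5 keytab entry actually carries: a principal, a kvno, an encryption type and a key, one entry per (kvno, enctype) pair. The following is an added example, not Samba code and not part of the original post; it reads and writes the MIT/Heimdal keytab file format (version 0x0502) and shows why the kvno matters when an acceptor looks up the key for an incoming ticket. The principal name, timestamps and key bytes are constructed placeholders, and `select_key` models the lookup rather than calling any krb5 library.

```python
"""
Minimal reader/writer for the krb5 keytab file format (version 0x0502, as used
by MIT and Heimdal). Added example; not Samba code. Principals and key bytes
used here are constructed, not real credentials.

Entry layout (big-endian):
  int32 size (negative = deleted slot), uint16 num_components,
  counted_octet_string realm, components..., uint32 name_type,
  uint32 timestamp, uint8 vno8, keyblock (uint16 enctype, uint16 len, key),
  optional uint32 vno (used when non-zero; lets kvno exceed 255).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Encryption-type numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_DES_CBC_MD5 = 3
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
ENCTYPE_ARCFOUR_HMAC = 23

KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"


@dataclass
class KeytabEntry:
    principal: str  # e.g. "host/fs1.example.com@EXAMPLE.COM" (constructed)
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _octet(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s


def _read_octet(data: bytes, off: int):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n].decode(), off + n


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _octet(realm.encode())
    body += b"".join(_octet(c.encode()) for c in components)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)  # 32-bit kvno written by current libkrb5
    return struct.pack(">i", len(body)) + body


def deleted_slot(nbytes: int) -> bytes:
    """A slot with negative size: how an entry is marked deleted in place."""
    return struct.pack(">i", -nbytes) + b"\x00" * nbytes


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_octet(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_octet(data, off)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:  # optional 32-bit vno; zero means "not present"
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
    return entries


def select_key(entries, principal, kvno=None, enctype=None) -> Optional[KeytabEntry]:
    """Model of the acceptor-side lookup for an AP-REQ: exact kvno/enctype
    match when the ticket names them, otherwise the highest kvno on file."""
    cands = [e for e in entries if e.principal == principal
             and (kvno is None or e.kvno == kvno)
             and (enctype is None or e.enctype == enctype)]
    if not cands:
        return None  # no key for that kvno: the ticket cannot be decrypted
    return max(cands, key=lambda e: e.kvno)
```

The `select_key` miss case is the failure the message is worried about: if the exported password is written under a kvno that does not match the one the domain controller put in the service ticket, the acceptor finds no entry and authentication fails even though the key material is correct. Keeping one entry per enctype under the same kvno is how a keytab covers the "differing encryption types" point.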
