Support of existing krb5 keytab files.

Andrew Bartlett abartlet at
Wed Oct 1 01:12:40 GMT 2003

On Wed, 2003-10-01 at 10:58, Jeremy Allison wrote:
> Hi all,
> 	I'm looking into modifying Samba for the 3.0.1 release so that it will
> support existing krb5 keytab files. The easiest way to do this is to allow
> an smb.conf option "use krb5 keytab" or something similar which will cause
> smbd not to look in the secrets.tdb for the server account password and to
> change the kerberos_verify code to just use default arguments to get the
> installed krb5 keytab for this server.
> The problem with this is that existing server passwords in secrets.tdb
> would be ignored. 

We would still need to add krb5 keytab parsing code, to read the machine
password for use with NT4-style authentication. The particular problem
here is that often the type-23 key is not written by default, if the
library supports it at all...  

> The second option is to provide a way to export existing server passwords
> from secrets.tdb into a standard krb5 keytab. Of course, Heimdal and MIT
> do this differently (bastards :-) making life hell for app developers,
> and also there is the question of what kvno to use. W2K AD controllers
> don't change the kvno on machine account password update, W2K3 AD controllers
> do. According to Luke Howard there is an LDAP query to get the existing
> kvno for a current machine account password, but this is getting more
> and more complicated to code. And that's not even mentioning the possibility
> of differing encryption types... :-(.

If it's not impossible to code, I really think this is the right
option.  Keeping the plaintext password, along with the relevant
meta-data (last change time etc) in secrets.tdb would seem the best
option to me.

> As I'm not currently running krb5 samba servers in production, but
> just testing and writing the code, I'd appreciate some advice on the
> correct way to proceed from people who are using this in production
> and from vendors shipping krb5 etc.

Thanks for taking this on!

Andrew Bartlett
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at