Support of existing krb5 keytab files.

Andrew Bartlett abartlet at samba.org
Wed Oct 1 01:12:40 GMT 2003


On Wed, 2003-10-01 at 10:58, Jeremy Allison wrote:
> Hi all,
> 
> 	I'm looking into modifying Samba for the 3.0.1 release so that it will
> support existing krb5 keytab files. The easiest way to do this is to allow
> an smb.conf option "use krb5 keytab" or something similar which will cause
> smbd not to look in the secrets.tdb for the server account password and to
> change the kerberos_verify code to just use default arguments to get the
> installed krb5 keytab for this server.
> 
> The problem with this is that existing server passwords in secrets.tdb
> would be ignored. 

We would still need to add krb5 keytab parsing code, to read the machine
password for use with NT4-style authentication.  The particular problem
here is that often the type-23 key is not written by default, if the
library supports it at all...

> The second option is to provide a way to export existing server passwords
> from secrets.tdb into a standard krb5 keytab. Of course, Heimdal and MIT
> do this differently (bastards :-) making life hell for app developers,
> and also there is the question of what kvno to use. W2K AD controllers
> don't change the kvno on machine account password update, W2K3 AD controllers
> do. According to Luke Howard there is an LDAP query to get the existing
> kvno for a current machine account password, but this is getting more
> and more complicated to code. And that's not even mentioning the possibility
> of differing encryption types... :-(.

If it's not impossible to code, I really think this is the right
option.  Keeping the plaintext password, along with the relevant
meta-data (last change time etc) in secrets.tdb would seem the best
option to me.

> As I'm not currently running krb5 samba servers in production, but
> just testing and writing the code, I'd appreciate some advice on the
> correct way to proceed from people who are using this in production
> and from vendors shipping krb5 etc.

Thanks for taking this on!

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
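The thread turns on what a keytab actually contains: which kvno each entry carries (the W2K vs W2K3 behaviour Jeremy mentions) and whether a type-23 (arcfour-hmac) key is present at all (Andrew's concern for the NT4-style path). The following is an added example, not code from this thread or from Samba: a small reader/writer for the version-2 keytab file layout shared by MIT and Heimdal, plus a summary check that lists kvnos and encryption types per principal. It goes slightly beyond the discussion in handling deleted-entry holes and the 32-bit kvno extension. The principal, timestamp and key bytes are constructed sample values, not real keys.

```python
# Added example (not from the thread or Samba): minimal reader/writer for the
# krb5 keytab file format, version 0x0502, as written by MIT and Heimdal.
import struct

KEYTAB_MAGIC = b"\x05\x02"

# Encryption-type numbers from RFC 3961 / RFC 4757
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(data: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def encode_entry(realm, components, enctype, kvno, key, timestamp, name_type=1):
    """Serialize one entry: int32 size, then principal, name type, time, vno8, key, vno32."""
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode("utf-8"))
    for comp in components:
        body += _counted(comp.encode("utf-8"))
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    # 32-bit vno extension: lets a kvno above 255 survive (readers use it when nonzero)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(**e) for e in entries)


def parse_keytab(data: bytes):
    """Return a list of entry dicts; negative-size records are deleted entries and are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm_b, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode("utf-8"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit vno; takes precedence when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({"realm": realm_b.decode("utf-8"), "components": comps,
                        "name_type": name_type, "timestamp": timestamp,
                        "enctype": enctype, "kvno": kvno, "key": key})
        off = end
    return entries


def principal_name(entry) -> str:
    return "/".join(entry["components"]) + "@" + entry["realm"]


def summarize(entries):
    """Map principal -> sorted kvnos and enctypes, to spot kvno drift and missing key types."""
    out = {}
    for e in entries:
        s = out.setdefault(principal_name(e), {"kvnos": set(), "enctypes": set()})
        s["kvnos"].add(e["kvno"])
        s["enctypes"].add(e["enctype"])
    return {p: {"kvnos": sorted(s["kvnos"]), "enctypes": sorted(s["enctypes"])}
            for p, s in out.items()}


def has_arcfour_key(entries, principal: str) -> bool:
    """True if a type-23 (arcfour-hmac) key exists for the principal."""
    return any(principal_name(e) == principal and e["enctype"] == 23 for e in entries)


# Constructed sample: a machine account keyed twice, as if the password was
# rotated once and the kvno bumped. Key bytes are placeholders, not real keys.
SAMPLE_PRINCIPAL = "host/fileserver.example.com@EXAMPLE.COM"
SAMPLE_ENTRIES = [
    dict(realm="EXAMPLE.COM", components=["host", "fileserver.example.com"],
         enctype=18, kvno=2, key=bytes(range(32)), timestamp=1064970000),
    dict(realm="EXAMPLE.COM", components=["host", "fileserver.example.com"],
         enctype=23, kvno=3, key=b"\x11" * 16, timestamp=1064971000),
]
SAMPLE_KEYTAB = write_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for p, s in summarize(parse_keytab(SAMPLE_KEYTAB)).items():
        names = [ENCTYPE_NAMES.get(t, str(t)) for t in s["enctypes"]]
        print(p, "kvnos:", s["kvnos"], "enctypes:", names)
    print("arcfour key present:", has_arcfour_key(parse_keytab(SAMPLE_KEYTAB), SAMPLE_PRINCIPAL))
```

Running `parse_keytab` over a real keytab and feeding the result to `summarize` answers the two questions raised above directly: whether the kvno stored for the machine principal matches what the AD controller expects, and whether an arcfour-hmac entry was ever written. Note that a version 0x0501 file (older, big-endian-agnostic, no name-type field) is deliberately rejected rather than misparsed.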