krb5.keytab

berni berni at ask-us.at
Thu Sep 25 20:00:13 GMT 2003


Hi,

This list is the only place on the whole internet where I found anything
about the keytab, so I hope I'm in the right place for my question:

I've installed samba-3.0.0rc2 a while ago and retried with the final
samba-3.0.0 today. I'm using freebsd-5.2 with krb5-1.27 (MIT), where everything
compiled well (after removing a line in config.h that #defines
HAVE_GSSAPI_H).

After running "/usr/local/samba/bin/net ads join -U Administrator", I could
immediately log in to the samba-server from win2k, and smbclient also worked
as expected. (yeah!!!)

But now I have a big problem: samba will remain the only kerberized service
on my FreeBSD box as long as I cannot find a way to get the password
(generated by the net utility) for the host/hostname@REALM principal into my
/etc/krb5.conf!

In net_ads.c:

int net_ads_join(int argc, const char **argv)
...
    tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
...

I tried to make "net" dump the above password to stdout and added
entries to /etc/krb5.conf with ktutil:

    addent -password -p host/hostname.full-domain.at@REALM -k 1 -e des-cbc-crc

:::: Before I forget: I also had to add the mapping for
host/hostname.full-domain.at@REALM to the machine account on the win2k
server:
:::: ktpass -princ hostname.full-domain.at@REALM -mapuser hostname$ -mapOp add

It didn't work! Should it? Is the "PATCH samba 3-keytab" you are talking
about all the time what I would need instead?
Is there another way to do this?
Is it a bug?

Another thing I tried was to set up a new machine account in the domain
called hostname-host. But mapping host/hostname.fulldomain.at@REALM to
this account didn't make the principal accessible. I think it might be
masked by the first machine account and principal.

I guess there must be a way to use samba 3 together with other kerberized
software! I would love to see the net utility automatically set up the
host/hostname.fulldomain.at@REALM key(s) in /etc/krb5.keytab. This would be
the most comfortable way to join a machine into the domain! No more ktpass
on Windows!

Thank you for any help on this.
regards,
$bern1;
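The question above is about getting the host/... key that ktutil's "addent" writes into /etc/krb5.keytab and checking that it actually landed there. The following is an added example, not code from the post, from Samba or from MIT krb5: it builds and parses the MIT keytab file format (version 0x0502, the format ktutil "wkt" writes and "ktutil list" / "klist -kt" read), so the entry can be inspected without either tool. The 8-byte DES key is a constructed placeholder; ktutil derives the real key from the password with the enctype's string-to-key function, which is deliberately not implemented here. Principal, kvno and enctype names are taken from the post.

```python
"""Build and inspect an MIT Kerberos keytab (file format version 0x0502).

Added example, not from the original post, Samba or MIT krb5.  The DES key used
below is a constructed placeholder, not a key derived from a password.
"""
import struct
import time

KEYTAB_VERSION = b"\x05\x02"  # 0x0502: the component count excludes the realm
KRB5_NT_SRV_HST = 3           # name type used for host/... service principals

# enctype numbers from RFC 3961 / RFC 3962 / RFC 4757
ENCTYPE_BY_NAME = {"des-cbc-crc": 1, "des-cbc-md5": 3, "arcfour-hmac": 23,
                   "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18}
NAME_BY_ENCTYPE = {v: k for k, v in ENCTYPE_BY_NAME.items()}


def _counted(raw: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_entry(principal, kvno, enctype, key, timestamp=None, name_type=KRB5_NT_SRV_HST):
    """Serialize one keytab entry, the on-disk result of
    ktutil 'addent -password -p host/h.example@REALM -k 1 -e des-cbc-crc'."""
    if timestamp is None:
        timestamp = int(time.time())
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key              # keyblock
    body += struct.pack(">I", kvno)  # 32-bit vno trailer, needed once kvno > 255
    return struct.pack(">i", len(body)) + body   # size counts the bytes after it


def build_keytab(entries) -> bytes:
    return KEYTAB_VERSION + b"".join(entries)


def parse_keytab(data: bytes):
    """Return one dict per live entry, the information 'klist -kt' prints."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2

    def counted(pos):
        (n,) = struct.unpack_from(">H", data, pos)
        return data[pos + 2:pos + 2 + n], pos + 2 + n

    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        pos = off
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = counted(pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = counted(pos)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # trailer present: a nonzero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": NAME_BY_ENCTYPE.get(enctype, str(enctype)),
                        "timestamp": ts, "name_type": name_type, "key": key})
        off = end
    return entries


def has_key(data: bytes, principal: str, kvno: int, enctype: str) -> bool:
    """The post-join check: does the keytab hold this principal at this kvno/enctype?"""
    return any(e["principal"] == principal and e["kvno"] == kvno and e["enctype"] == enctype
               for e in parse_keytab(data))


if __name__ == "__main__":
    # Constructed placeholder: 8 bytes with odd parity, as a DES key has.
    fake_des_key = bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])
    kt = build_keytab([build_entry("host/hostname.full-domain.at@REALM", 1,
                                   ENCTYPE_BY_NAME["des-cbc-crc"], fake_des_key)])
    for e in parse_keytab(kt):
        print("%4d %-36s %s" % (e["kvno"], e["principal"], e["enctype"]))
    # writing kt to /etc/krb5.keytab is what ktutil's "wkt" command does
```

The kvno is the value to watch: the KDC issues service tickets for the account's current key version, so an entry whose kvno does not match the machine account's will be present in the keytab yet still fail authentication.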