PATCH: Improved Keytab Functionality

Dan Perry dperry at pppl.gov
Mon Apr 12 15:33:03 GMT 2004


Hi all,

Attached is a patch for samba-3.03pre2 that enables use of the system keytab
file, and also adds some keytab management functions to the net utility.
This patch is heavily based on the one submitted a few days ago (and also a
few months ago) by Rakesh Patel.

The main differences between the patches that Rakesh has submitted and the
one attached are as follows.  This patch uses samba to automatically create
new keytab principals for any given principal, not just HOST and CIFS.  An
example of this 'keytab fetching' is shown below.   Also, the get_kvno
function in the original patch did not always work correctly, and was a very
dense piece of code.   I replaced this with a simple LDAP query for the
msDS-KeyVersionNumber attribute in Active Directory (present on every
computer account) that contains the current KVNO.  Rather than trying to
determine the KVNO using Kerberos APIs, I simply query out the current KVNO
using LDAP.   Finally, I removed the 'keytab update' parameter, and made
updating the system keytab the default.   It seemed odd to have the option to
not update the system keytab.

This extra functionality is extremely useful in my efforts to get Linux boxes
to participate in Active Directory, and hopefully others will find it useful
as well.  In case it helps, this patch is currently being used on Red Hat
Enterprise Linux 3 systems, running MIT Kerberos 1.3.2.   The domain used is
running Windows 2003.   I don't think that any of the changes in this patch
depend on the versions of Kerberos or Active Directory, but I haven't
really tested outside of the environment at work.

Let me know any comments you have on this patch.    

Thanks,
-Dan 



----------- Extended Keytab Fetching Example -----------------

Where I work, we have a large Active Directory Domain, and also an NIS realm
to service the Linux systems.   It would be nice to consolidate the two sets
of accounts into one - so we are looking at moving to Active Directory only.
The biggest hurdle we have now in doing this is how to distribute keytabs;
Microsoft's ktpass.exe is goofy at best.   Rakesh's patch enabled me to use
samba's net utility to fetch HOST and CIFS principals and install them in the
system keytab file, so that other applications, such as openssh, could use
the principals.

My patch allows any principal to be fetched.   In the case of our LDAP
servers, I can do the following:

$ klist -k
Keytab Name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
$ kinit admin
Password for admin@REALM:
$ net ads join
JOINED 'LDAPSERVER' to realm 'REALM'
$ klist -k
KVNO Principal
---- ---------------------------------------------------------
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
$ net ads keytab create ldap
$ klist -k
KVNO Principal
---- ---------------------------------------------------------
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 ldap/ldapserver.realm@REALM
   2 ldap/ldapserver.realm@REALM
   2 ldap/ldapserver.realm@REALM
   2 ldap/ldapserver.realm@REALM
   2 ldap/ldapserver.realm@REALM
   2 ldap/ldapserver.realm@REALM

What I've been doing using the keytab fetching feature is to first join the
machine to the AD domain (standard 'net ads join'), which creates the HOST
and CIFS service principals in the system keytab.   Then, I want to add an
LDAP service principal, which I do using 'net ads keytab create ldap'.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keytab.samba-3.0.3pre2.diff
Type: application/octet-stream
Size: 34271 bytes
Desc: keytab.samba-3.0.3pre2.diff
Url : http://lists.samba.org/archive/samba-technical/attachments/20040412/df0659cc/keytab.samba-3.0.3pre2.obj
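As an added example (not part of Dan's patch or of Samba's code), a small Python check that parses `klist -k` output and compares each wanted service principal against the KVNO that Active Directory reports in msDS-KeyVersionNumber, flagging principals that are missing from the keytab or left at a stale KVNO after the computer account's key was rotated. The klist listing and the AD KVNO value are constructed; the LDAP lookup itself is assumed to have been done separately, as the patch does.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k` output, modelled on the listing in the post.
# Real output repeats each principal once per encryption type.
SAMPLE_KLIST = """\
Keytab Name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   1 ldap/ldapserver.realm@REALM
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")   # "<kvno> <principal>" rows only

def parse_klist(text):
    """Map principal -> set of KVNOs present in the keytab (header lines skipped)."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)

def check_keytab(text, ad_kvno, realm, host, services):
    """Compare the keytab with the account's current msDS-KeyVersionNumber.

    ad_kvno is the value read from the computer object (constructed here; the
    patch fetches it over LDAP). Each wanted service principal must be present
    at that KVNO. Returns {principal: 'ok' | 'missing' | 'stale'}.
    """
    present = parse_klist(text)
    report = {}
    for svc in services:
        princ = f"{svc}/{host}@{realm}"
        have = present.get(princ, set())
        if not have:
            report[princ] = "missing"   # never fetched: net ads keytab create <svc>
        elif ad_kvno in have:
            report[princ] = "ok"
        else:
            report[princ] = "stale"     # AD bumped the KVNO; the key must be refetched
    return report

if __name__ == "__main__":
    result = check_keytab(SAMPLE_KLIST, 2, "REALM", "ldapserver.realm", ["host", "cifs", "ldap"])
    for princ, status in result.items():
        print(f"{status:8} {princ}")
```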