PATCH: Improved Keytab Functionality

Rakesh Patel rapatel at optonline.net
Mon Apr 12 18:30:52 GMT 2004


Just to be clear - Guenther Deschner of SuSE Linux submitted the patch originally. :-)

Dan, I'll test your version of the patch - I definitely believe it is the direction we needed to head with keytab support based upon prior discussions on the list. Hopefully the Samba team agrees and we can move this forward.

Thanks!
Rakesh Patel.


Dan Perry wrote:

>Hi all,
>
>Attached is a patch for samba-3.03pre2 that enables use of the system keytab
>file, and also adds some keytab management functions to the net utility.
>This patch is heavily based on the one submitted a few days ago (and also a
>few months ago) by Rakesh Patel.
>
>The main differences between the patches that Rakesh has submitted and the
>one attached are as follows: this patch uses samba to automatically create
>new keytab principals for any given principal, not just HOST and CIFS.  An
>example of this 'keytab fetching' is shown below.   Also, the get_kvno
>function in the original patch did not always work correctly, and was a very
>dense piece of code.   I replaced this with a simple LDAP query for the
>msDS-KeyVersionNumber attribute in Active Directory (present on every
>computer account) that contains the current KVNO.  Rather than trying to
>determine the KVNO using Kerberos APIs, I simply query out the current KVNO
>using LDAP.   Finally, I removed the 'keytab update' parameter, and made
>updating the system keytab the default.   It seemed odd to have the option to
>not update the system keytab.
>
>This extra functionality is extremely useful in my efforts to get Linux boxes
>to participate in Active Directory, and hopefully others will find it useful
>as well.  In case it helps, this patch is currently being used on Red Hat
>Enterprise Linux 3 systems, running MIT Kerberos 1.3.2.   The domain used is
>running Windows 2003.   I don't think that any of the changes in this patch
>depend on the versions of Kerberos or Active Directory, but I haven't
>really tested outside of the environment at work.
>
>Let me know any comments you have on this patch.    
>
>Thanks,
>-Dan 
>
>
>
>----------- Extended Keytab Fetching Example -----------------
>
>Where I work, we have a large Active Directory Domain, and also an NIS realm
>to service the Linux systems.   It would be nice to consolidate the two sets
>of accounts into one - so we are looking at moving to Active Directory only.
>The biggest hurdle we have now in doing this is how to distribute keytabs;
>Microsoft's ktpass.exe is goofy at best.   Rakesh's patch enabled me to use
>samba's net utility to fetch HOST and CIFS principals and install them in the
>system keytab file, so that other applications, such as openssh, could use
>the principals.
>
>My patch allows any principal to be fetched.   In the case of our LDAP
>servers, I can do the following:
>
>$ klist -k
>Keytab Name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- ---------------------------------------------------------
>$ kinit admin
>Password for admin at REALM:
>$ net ads join
>JOINED 'LDAPSERVER' to realm 'REALM'
>$ klist -k
>KVNO Principal
>---- ---------------------------------------------------------
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>$ net ads keytab create ldap
>$ klist -k
>KVNO Principal
>---- ---------------------------------------------------------
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 host/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 cifs/ldapserver.realm at REALM
>   2 ldap/ldapserver.realm at REALM
>   2 ldap/ldapserver.realm at REALM
>   2 ldap/ldapserver.realm at REALM
>   2 ldap/ldapserver.realm at REALM
>   2 ldap/ldapserver.realm at REALM
>   2 ldap/ldapserver.realm at REALM
>
>What I've been doing using the keytab fetching feature is to first join the
>machine to the AD domain (standard 'net ads join'), which creates the HOST
>and CIFS service principals in the system keytab.   Then, I want to add an
>LDAP service principal, which I do using 'net ads keytab create ldap'.
>
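The KVNO approach Dan describes (read msDS-KeyVersionNumber from the computer account over LDAP instead of probing it through Kerberos APIs) is also the basis of a useful operational check: a keytab whose entries lag behind the KVNO that AD currently reports can no longer decrypt fresh service tickets, typically after a machine-account password reset, so comparing the two catches the problem before users see authentication failures. The script below is an added example written for this thread; it is not part of Dan's patch or of Samba. The klist listing is constructed from the session shown above (with one deliberately stale ldap entry added), the LDIF text stands in for what an ldapsearch would return, and the LDAP URI, base DN and account name passed to ldapsearch_argv are caller assumptions. The repeated lines in klist -k output are the same principal stored once per encryption type; klist -k -e shows the type of each.

```python
"""
Compare the KVNOs held in a system keytab with the KVNO Active Directory
reports for the computer account (msDS-KeyVersionNumber).

Added example for the samba-technical thread on keytab fetching; it is not
code from the patch under discussion or from Samba. All inputs are constructed.
"""
import re
from collections import defaultdict

# Constructed 'klist -k' listing modelled on the session in the mail, with the
# archive's ' at ' mangling restored to '@'. One line per key entry; the same
# principal repeats once per encryption type. The KVNO 1 ldap entry is a
# constructed leftover from an earlier key, kept to show how it is reported.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 host/ldapserver.realm@REALM
   2 host/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   2 cifs/ldapserver.realm@REALM
   1 ldap/ldapserver.realm@REALM
   2 ldap/ldapserver.realm@REALM
"""

# Constructed LDIF standing in for the result of the ldapsearch built below.
SAMPLE_LDIF = """\
dn: CN=LDAPSERVER,CN=Computers,DC=realm
msDS-KeyVersionNumber: 2
"""

KEY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(output):
    """Return {principal: set(kvnos)} from 'klist -k' text, skipping header lines."""
    entries = defaultdict(set)
    for line in output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def ldapsearch_argv(ldap_uri, base_dn, sam_account_name):
    """argv for an OpenLDAP ldapsearch (GSSAPI bind, so it uses the host's own
    credentials) that reads the current KVNO of one computer account.
    The URI, base DN and account name are assumptions supplied by the caller."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", ldap_uri, "-b", base_dn,
            "(sAMAccountName=%s)" % sam_account_name, "msDS-KeyVersionNumber"]


def parse_kvno_attribute(ldif_text):
    """Extract msDS-KeyVersionNumber from LDIF output such as ldapsearch prints."""
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "msds-keyversionnumber":
            return int(value.strip())
    raise ValueError("msDS-KeyVersionNumber not found in LDIF")


def check_keytab(entries, ad_kvno, expected_services):
    """Per service (host, cifs, ldap, ...) report 'current' when a key with the
    AD KVNO is present, 'stale' when only older KVNOs are present, and
    'missing' when the service has no principal in the keytab at all."""
    status = {}
    for svc in expected_services:
        kvnos = set()
        for principal, ks in entries.items():
            if principal.split("/", 1)[0] == svc:
                kvnos |= ks
        if not kvnos:
            status[svc] = "missing"
        elif ad_kvno in kvnos:
            status[svc] = "current"
        else:
            status[svc] = "stale"
    return status


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    ad_kvno = parse_kvno_attribute(SAMPLE_LDIF)
    print("query:", " ".join(ldapsearch_argv("ldap://dc.realm", "DC=realm", "LDAPSERVER$")))
    print("AD KVNO:", ad_kvno)
    print(check_keytab(entries, ad_kvno, ["host", "cifs", "ldap", "http"]))
```

Run against a real host, the LDIF would come from the printed ldapsearch command and the listing from klist -k; a 'stale' result for a service Dan's 'net ads keytab create' manages is the signal to refresh that principal, and 'missing' shows which services were never fetched.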