PATCH: Another revision to enable / enhance use of the system keytab

Dan Perry dperry at
Fri Apr 16 15:27:16 GMT 2004

Hi all,

Here's another revision of a patch to enable use of the system keytab.  This
version of the patch addresses the following two items:

1) Cleanup of the service principal list for a computer account in Active
Directory is now done cleanly.  Older service principals are properly
removed from the Active Directory computer account when things are flushed
from the system keytab.

2) Added a 'net ads delegation' command that turns on (or off) Kerberos
delegation in a Windows 2003 domain.  This is useful as it enables Kerberos
delegation for the computer account in Active Directory, allowing it to
properly delegate principals.

-----Original Message-----
From: Dan Perry 
Sent: Wednesday, April 14, 2004 9:13 AM
To: 'samba-technical at'
Subject: PATCH: Slightly revised patch to enable use of the system keytab

Hi all,

Here's another, slightly revised version of a keytab patch that incorporates
some changes based upon comments I've received from the last patch I sent a
few days ago.  Below is a bit of background / documentation on the patch.

Again, this patch was done against samba-3.0.3pre2, and was tested using a
Windows 2003 domain and MIT Kerberos 1.3.{1,2,3}.  However, this patch should
also work in a Windows 2000 environment and with other versions of Kerberos.


----------- Info on the patch ------------

What does this patch do?

This patch changes the default storage location for Kerberos keytabs to the
system keytab file.   This allows other applications, such as SSH, AFS, LDAP
servers, etc. to use the same keytabs samba does.   Also, this patch provides
some additional commands to the net utility that allow keytabs to be created
/ updated / managed in a convenient manner.

Why would I want to apply this patch?

This patch was originally designed for a network in which Active Directory
will be serving as a Kerberos server for both Linux and Windows machines.
Without this patch, such an environment will most likely encounter problems
like those described in Samba bug #538 (see for

How do I get started once I've applied this patch?

Once you have the patch applied and have samba built and installed, you'll
need to add the following line to the global section of smb.conf:
    Keytab file = /path/to/file.keytab
A typical path is /etc/krb5.keytab.  Check your Kerberos documentation to
determine the desired place for your keytab file.  Once this is done, use
'kinit' to obtain appropriate credentials for your domain (or you can let net
do this for you), and use 'net ads join' to join (or re-join) your samba
machine to Active Directory.  If all goes well, your keytab file will be
populated after the join.  To check this, use 'klist -k' to list the
contents of the file.  Once this is done, you'll be able to have other
applications, such as openssh, take advantage of the system keytab and do
Kerberos authentication.

How do I add other principals to my keytab?

To support other applications, such as an LDAP server, you may want to add
other principals.  To do this, use 'net ads keytab add XXXXX', where XXXXX is
the name of the principal you wish to add.   Note that custom principals will
NOT be preserved if you do:
    net ads keytab create
    net ads join
    net ads keytab flush
    net ads changetrustpw
after creating your keytab and adding custom principals.   The above commands
will reset your keytab to a default state in order to assure that samba is
working correctly.   If you need to run / accidentally run one of the above
commands and lose your custom principal, it can easily be recreated by
re-running 'net ads keytab add XXXXX'.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keytab.v4.samba-3.0.3pre2.diff
Type: application/octet-stream
Size: 41336 bytes
Desc: keytab.v4.samba-3.0.3pre2.diff
Url :
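The file that 'klist -k' inspects in the procedure above, and the custom-principal caveat from the "How do I add other principals" section, as an added example that is not part of Dan Perry's patch or of Samba itself: a minimal reader/writer for the MIT keytab file format (version 0x0502, the layout written by MIT Kerberos and Heimdal) that lists a keytab the way 'klist -k -e' does, marks an entry deleted the way MIT's file backend does (the slot stays, with its size field negated), and reports which required principals are missing afterwards.  The host name, realm, key bytes, timestamps and the set of entries a join leaves behind are constructed for the example; the hypothetical helpers are klist_k, remove_principal and missing_principals.

```python
# Added example, not code from the patch or from Samba.  Sample data is constructed.
import struct
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"      # keytab file format version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    timestamp: int   # seconds since the epoch when the key was stored
    key: bytes


def _counted(data: bytes) -> bytes:
    """Keytab 'counted string': big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(e: KeytabEntry) -> bytes:
    """One entry, prefixed by its int32 size (the size excludes the size field)."""
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))             # v2: count excludes the realm
    body += _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)     # name_type, present in v2 only
    body += struct.pack(">IBH", e.timestamp, e.kvno & 0xFF, e.enctype)
    body += _counted(e.key)
    body += struct.pack(">I", e.kvno)                # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def write_keytab(entries: Iterable[KeytabEntry]) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def _decode_entry(body: bytes) -> KeytabEntry:
    off = 0

    def counted() -> bytes:
        nonlocal off
        (n,) = struct.unpack_from(">H", body, off)
        off += 2 + n
        return body[off - n:off]

    (ncomp,) = struct.unpack_from(">H", body, off)
    off += 2
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    off += 4                                         # skip name_type
    ts, vno8, etype = struct.unpack_from(">IBH", body, off)
    off += 7
    key = counted()
    kvno = vno8
    if off + 4 <= len(body):                         # 32-bit kvno is present
        (vno32,) = struct.unpack_from(">I", body, off)
        kvno = vno32 or vno8
    return KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, ts, key)


def _slots(data: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset of size field, size) for every slot, deleted ones included."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        if size == 0:
            break
        yield off, size
        off += 4 + abs(size)


def read_keytab(data: bytes) -> List[KeytabEntry]:
    """Live entries only; a negative size marks a slot that has been deleted."""
    return [_decode_entry(data[off + 4:off + 4 + size])
            for off, size in _slots(data) if size > 0]


def remove_principal(data: bytes, principal: str) -> bytes:
    """Delete like MIT's file backend: keep the slot, negate its size field."""
    out = bytearray(data)
    for off, size in _slots(data):
        if size > 0 and _decode_entry(data[off + 4:off + 4 + size]).principal == principal:
            struct.pack_into(">i", out, off, -size)
    return bytes(out)


def klist_k(data: bytes) -> List[str]:
    """Lines in the style of 'klist -k -e': kvno, principal, enctype."""
    return [f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            for e in read_keytab(data)]


def missing_principals(data: bytes, required: Iterable[str]) -> List[str]:
    present = {e.principal for e in read_keytab(data)}
    return sorted(p for p in required if p not in present)


# Constructed sample: entries a join might leave for a made-up host, plus one
# custom principal added afterwards with 'net ads keytab add ldap/...'.
REALM, HOST, KEY = "EXAMPLE.COM", "fileserver.example.com", bytes.fromhex("00" * 15 + "ff")
LDAP_PRINC = f"ldap/{HOST}@{REALM}"
WITH_CUSTOM = write_keytab([
    KeytabEntry(f"host/{HOST}@{REALM}", 2, 23, 1082128036, KEY),
    KeytabEntry(f"FILESERVER$@{REALM}", 2, 23, 1082128036, KEY),
    KeytabEntry(LDAP_PRINC, 2, 23, 1082130000, KEY),
])
AFTER_FLUSH = remove_principal(WITH_CUSTOM, LDAP_PRINC)  # what a flush/rejoin costs you

if __name__ == "__main__":
    print("\n".join(klist_k(WITH_CUSTOM)))
    print("missing after flush:", missing_principals(AFTER_FLUSH, [LDAP_PRINC]))
```

Pointing missing_principals at the real /etc/krb5.keytab with the list of service principals other daemons on the box depend on is a cheap check to run after any of the four commands listed above, before those daemons start failing GSSAPI authentication.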

More information about the samba-technical mailing list