[PATCH] keytab management for ADS mode.

RakeshPatel at TDWaterhouse.com RakeshPatel at TDWaterhouse.com
Tue Jan 20 17:00:23 GMT 2004

The attached patch is based upon the patches posted by Guenther Deschner of
SuSE Linux AG.


The patch is based upon 3.0.2rc1 and implements the management of MIT
keytab files through the use of "net ads" commands. Testing is required for

New configuration options:

Keytab file = /etc/krb5.keytab  ; specify the keytab file to be utilized.

Keytab update = yes/no  ; specify whether "net ads changetrustpw" should
update the keytab file or not. If keytab update is set to 'yes', net ads
join will automatically update/create the keytab file.

As long as the keytab file is specified, "net ads keytab create" will create
or update the keytab file using the current key version.


The patch utilizes the version number of the host key to ensure the keytab
has the correct version. Windows 2000 did not support key version numbers,
so the patch needs to be tested against a Windows 2000 KDC to ensure it does
not result in segmentation violations or invalid key version numbers.
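The two preceding paragraphs describe "net ads keytab create" writing the keytab at the current key version and the patch relying on the host key's version number (kvno). The following is an added example, not part of the patch or of Samba, of the check an administrator can run afterwards: it parses the output of MIT's `klist -k` and confirms that every host principal is present at the newest kvno, so that a keytab left behind by an earlier key change is noticed before Kerberos services start failing. The keytab listing, hostnames and realm in the block are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the patch or Samba): verify that a host keytab
# carries a single, current key version number (kvno) for every principal.
# Input is the text printed by "klist -k <keytab>" (MIT format), e.g.:
#   KVNO Principal
#   ---- ----------
#      3 host/myhost.example.com@EXAMPLE.COM
# SAMPLE_KLIST below is constructed; names and realm are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/myhost.example.com@EXAMPLE.COM
   3 host/MYHOST@EXAMPLE.COM
   3 MYHOST$@EXAMPLE.COM
   2 host/myhost.example.com@EXAMPLE.COM'

# Print "kvno principal" pairs for keytab entry lines only (headers skipped:
# their first field is not a number).
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1, $2 }'
}

# Highest kvno present anywhere in the keytab.
keytab_max_kvno() {
    keytab_entries "$1" | awk 'BEGIN { m = 0 } $1 > m { m = $1 } END { print m }'
}

# Principals whose newest entry is older than the keytab's newest kvno.
# (An old entry for a principal that also has a current one is expected:
# it lets tickets issued before the key change keep working.)
keytab_stale_principals() {
    keytab_entries "$1" | awk '
        { seen[$2] = 1; if ($1 > max[$2]) max[$2] = $1; if ($1 > top) top = $1 }
        END { for (p in seen) if (max[p] < top) print p }' | sort
}

# Return 0 only if the newest kvno equals the expected one (for instance the
# value obtained from the KDC with "kvno host/<fqdn>") and no principal lags.
keytab_check() {
    expected="$2"
    [ "$(keytab_max_kvno "$1")" = "$expected" ] || return 1
    [ -z "$(keytab_stale_principals "$1")" ] || return 1
    return 0
}

# Usage on a live system would replace the constructed sample with
#   keytab_check "$(klist -k /etc/krb5.keytab)" "$(kvno host/$(hostname -f) | awk '{print $NF}')"
keytab_check "$SAMPLE_KLIST" 3 && echo "keytab current at kvno 3"
```

The check deliberately accepts older entries that sit beside a current one, since MIT keytabs normally retain the previous key after a rotation; it only reports a principal that exists solely at an outdated version, which is the state left by an interrupted or skipped keytab update.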


The intent of the patch is to utilize your Windows 2003 KDC/AD for managing
the host keytab and ensure Samba tools/services and other Kerberos services
can function simultaneously. The secrets.tdb is utilized to ensure the
ability to generate a new random key and update the keytab appropriately.
The advantages of utilizing the Samba facilities include support for
RC4-HMAC, support for random passwords as well as the ability to automate
and periodically change the host key(s). This was not possible when using
"ktpass" as provided by Microsoft.


Please email comments/suggestions/fixes to rapatel at optonline.net or the
samba-technical list.


Rakesh Patel.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.2rc1-krb-diffs-2004-01-20.1
Type: application/octet-stream
Size: 25936 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20040120/5abe62f8/samba-3.0.2rc1-krb-diffs-2004-01-20.obj