[PATCH] keytab management for ADS mode.

Andrew Bartlett abartlet at samba.org
Mon Jan 26 00:48:28 GMT 2004


On Mon, 2004-01-26 at 07:40, Rakesh Patel wrote:
> Another version of the patch [for 3.0.2rc1] is attached. This time 
> "keytab use" is implemented and
> some minor bugs related to error codes which normally would not be 
> called were fixed.
> 
> The "keytab use" command allows the use of an existing keytab file, 
> which is important for
> those utilizing a non-Windows KDC in a workgroup environment. Testing is 
> required where
> a Windows 2000/2003 Domain with Active Directory is utilized, but with 
> external [non-Windows] KDC.

I am concerned about the interactions between this code and the use of
the machine account password for NETLOGON binds, and our need to use the
machine's kerberos account to connect to DCs.

At the very least, we should retrieve the type-23 password from the
keytab, and return that at appropriate places in secrets.c, and we need
to be able to request service tickets from this cache.  (Currently we
kinit with this password).

Even if this is not intended to be used with a Windows KDC, we are going
to have to do a lot to 'idiot-proof' the system.  Admins *will* enable
every option that sounds interesting, no matter what it does, and
without reading the documentation.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
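As an added illustration of the keytab handling discussed in this thread (example code, neither part of the patch nor of Samba itself): a minimal writer and reader for the MIT keytab file format that pulls out the arcfour-hmac (enctype 23) key for a principal. That key is the account's NT hash, i.e. the "type-23 password" the reply wants secrets.c to return; the principal and realm names and the key bytes in the test are constructed.

```python
import struct

ENCTYPE_ARCFOUR_HMAC = 23  # its key is the account's NT hash: the "type-23 password"
KEYTAB_V2 = b"\x05\x02"

def _counted(data):  # keytab counted-octet-string: uint16 BE length, then bytes
    return struct.pack(">H", len(data)) + data

def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as an MIT v2 keytab."""
    out = KEYTAB_V2
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key  # nametype, stamp, vno8
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob):
    """Yield (principal, realm, kvno, enctype, key) for each live keytab entry."""
    if blob[:2] != KEYTAB_V2:
        raise ValueError("only version 2 (0x0502) keytabs are supported")
    pos = 2
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _read_counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        _nametype, _stamp, kvno, enctype, klen = struct.unpack_from(">IIBHH", blob, pos)
        key = blob[pos + 13:pos + 13 + klen]
        pos = end  # jump past any trailing optional 32-bit kvno
        yield "/".join(comps), realm.decode(), kvno, enctype, key

def machine_nt_hash(blob, principal):
    """Return the arcfour-hmac key for `principal` (its NT hash), or None if absent."""
    return next((k for n, _r, _v, e, k in parse_keytab(blob)
                 if n == principal and e == ENCTYPE_ARCFOUR_HMAC), None)
```

A keytab holding only aes keys (enctype 17/18) yields None here, which is exactly the case where Samba would still need the machine password from elsewhere.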