[PATCH] keytab management for ADS mode.

Rakesh Patel rapatel at optonline.net
Tue Jan 27 01:43:20 GMT 2004

Andrew, giving some thought to the process and reviewing additional Samba code, if using a Kerberos environment without Win2K/AD, the "keytab use" is adequate since machine passwords are only used for code which uses NTLM or managing the machine password with AD/KDC, which is not expected of Samba. Obviously this has very limited use since it cannot be used with a Domain and AD. Other than a workgroup situation, it almost has no value [however I am able to use it without problems at home].

For the situation where a Windows2003/2000 Domain with AD is utilized and external KDC, I suggest the scenario may be as follows:

workgroup = NAME
security = ads
password server = name/ip of non-Windows KDC
ads server = name/ip of AD server  [this would need to be implemented, from a cursory look of the code, to separate the AD server from KDC]

The existing host keytab would need to be deleted from the KDC and a "net ads join" would need to be run using an admin principal with appropriate permissions to set/create a password on the MIT/Heimdal KDC as well as permissions to join the machine to the Windows Domain/AD. I'm not sure what process is involved in joining a machine to the Win2K Domain/AD beyond using the kerberos password changing protocol and LDAP to AD to create a machine (computer) account. Obviously this would need significant testing, however the machine password would then be stored in secrets.tdb for NTLM compatibility as well as use by all routines not yet re-coded to support using krb5_get_init_creds_keytab() in place of using secrets_fetch_machine_password() and doing an equivalent of krb5_get_init_creds_password() to initialize the credentials.

While it may seem drastic to expect the host principal to be re-created and managed through Samba, it may be the best approach given it would be for a Win2K/AD environment with just the KDC externalized.

I am assuming that MIT/Heimdal now support the same password changing protocol supported by Microsoft.

Rakesh Patel.

Andrew Bartlett wrote:

>On Mon, 2004-01-26 at 07:40, Rakesh Patel wrote:
>>Another version of the patch [for 3.0.2rc1] is attached. This time 
>>"keytab use" is implemented and
>>some minor bugs related to error codes which normally would not be 
>>called were fixed.
>>The "keytab use" command allows the use of an existing keytab file, 
>>which is important for
>>those utilizing a non-Windows KDC in a workgroup environment. Testing is 
>>required where
>>a Windows 2000/2003 Domain with Active Directory is utilized, but with 
>>external [non-Windows] KDC.
>I am concerned about the interactions between this code and the use of
>the machine account password for NETLOGON binds, and our need to use the
>machine's kerberos account to connect to DCs.
>At the very least, we should retrieve the type-23 password from the
>keytab, and return that at appropriate places in secrets.c, and we need
>to be able to request service tickets from this cache.  (Currently we
>kinit with this password).
>Even if this is not intended to be used with a Windows KDC, we are going
>to have to do a lot to 'idiot-proof' the system.  Admins *will* enable
>every option that sounds interesting, no matter what it does, and
>without reading the documentation.
>Andrew Bartlett
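As an added illustration (not part of the patch or of Samba's own code) of the point Andrew raises about retrieving the type-23 key from the keytab: the script below reads a constructed MIT-format keytab and pulls out the RC4-HMAC (enctype 23) entry, which is the NT hash that secrets.tdb would otherwise hold. The principal, realm, timestamp and key bytes are made-up sample values.

```python
import struct

# Constructed sample (not a real keytab): MIT keytab format 0x0502 with two entries for
# host/fileserver.example.com@EXAMPLE.COM, AES-256 (enctype 18) and RC4-HMAC (enctype 23).
def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def _entry(realm, components, enctype, key, vno=2, timestamp=1075160600):
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, vno)       # name_type=1 (principal), time, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, length, key bytes
    return struct.pack(">i", len(body)) + body           # size covers everything after itself

PRINC = ["host", "fileserver.example.com"]
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("EXAMPLE.COM", PRINC, 18, bytes(range(32)))   # placeholder key bytes
                 + _entry("EXAMPLE.COM", PRINC, 23, bytes(range(16))))  # placeholder key bytes

def parse_keytab(data: bytes):
    """Return one dict per entry of a version-2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:               # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        def take():                # counted octet string: uint16 length + bytes
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            s = data[pos:pos + n]; pos += n
            return s.decode()
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        _ntype, stamp, vno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:         # optional trailing 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": enctype, "key": key, "timestamp": stamp})
        pos = end
    return entries

def rc4_hmac_key(entries):
    """The enctype-23 key is the NT hash of the machine password, i.e. the same secret
    secrets.tdb holds for NTLM, so the keytab file needs the same protection."""
    return next((e["key"] for e in entries if e["enctype"] == 23), None)
```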
