[PATCH] keytab management for ADS mode.
rapatel at optonline.net
Tue Jan 27 01:43:20 GMT 2004
Andrew, giving some thought to the process and reviewing additional Samba code, if using a Kerberos environment without Win2K/AD, the "keytab use" is adequate since machine passwords are only used for code which uses NTLM or managing the machine password with AD/KDC, which is not expected of Samba. Obviously this has very limited use since it can not be used with a Domain and AD. Other than a workgroup situation, it almost has no value [however I am able to use it without problems at home].

For the situation where a Windows2003/2000 Domain with AD is utilized and external KDC, I suggest the scenario may be as follows:
    workgroup = NAME
    realm = NAME.DOMAIN
    security = ads
    password server = name/ip of non-Windows KDC
    ads server = name/ip of AD server [this would need to be implemented from a cursory look of the code to separate the AD server from KDC]
The existing host keytab would need to be deleted from the KDC and a "net ads join" would need to be run using an admin principal with appropriate permissions to set/create a password on the MIT/Heimdal KDC as well as permissions to join the machine to the Windows Domain/AD. I'm not sure what process is involved in joining a machine to the Win2K Domain/AD beyond using the kerberos password changing protocol and LDAP to AD to create a machine (computer) account. Obviously this would need significant testing, however the machine password would then be stored in secrets.tdb for NTLM compatibility as well as use by all routines not yet re-coded to support using krb5_get_init_creds_keytab() in place of using secrets_fetch_machine_password() and doing an equivalent of krb5_get_init_creds_password() to initialize the credentials.

While it may seem drastic to expect the host principal to be re-created and managed through Samba, it may be the best approach given it would be for a Win2K/AD environment with just the KDC externalized.

I am assuming that MIT/Heimdal now support the same password changing protocol supported by Microsoft.
Andrew Bartlett wrote:
>On Mon, 2004-01-26 at 07:40, Rakesh Patel wrote:
>>Another version of the patch [for 3.0.2rc1] is attached. This time "keytab use" is implemented and some minor bugs related to error codes which normally would not be called were fixed.
>>
>>The "keytab use" command allows the use of an existing keytab file, which is important for those utilizing a non-Windows KDC in a workgroup environment. Testing is where a Windows 2000/2003 Domain with Active Directory is utilized, but with external [non-Windows] KDC.
>
>I am concerned about the interactions between this code and the use of the machine account password for NETLOGON binds, and our need to use the machine's kerberos account to connect to DCs.
>
>At the very least, we should retrieve the type-23 password from the keytab, and return that at appropriate places in secrets.c, and we need to be able to request service tickets from this cache. (Currently we kinit with this password).
>
>Even if this is not intended to be used with a Windows KDC, we are going to have to do a lot to 'idiot-proof' the system. Admins *will* enable every option that sounds interesting, no matter what it does, and without reading the documentation.
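The thread turns on two things a "keytab use" implementation has to get right: reading the existing host keytab instead of secrets_fetch_machine_password(), and (Andrew's point) pulling the type-23 key out of it so secrets.c can hand back the same value it gets from secrets.tdb. The following is an added example, not code from either poster or from Samba: a minimal parser for the MIT/Heimdal keytab file format (version 0x0502), run over a keytab that the script itself constructs. The principal name, timestamp and key bytes are made up; the layout (signed 32-bit entry size, negative size for a deleted slot, counted strings, trailing optional 32-bit kvno) is the real on-disk format.

```python
"""Parse an MIT/Heimdal keytab (format version 0x0502) and extract keys.

Added example, not Samba code.  The keytab bytes are constructed below;
all key material is made up.
"""
import struct

RC4_HMAC = 23             # etype 23: the key *is* the NT hash of the password
AES256_CTS_HMAC_SHA1 = 18


def _counted(data, off):
    """Read a uint16 length-prefixed byte string at offset off."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(blob):
    """Return one dict per live entry; deleted (negative-size) slots are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    entries = []
    off = 2
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                      # kadmin/ktutil mark removed entries this way
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm, off = _counted(blob, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(blob, off)
            comps.append(c.decode())
        name_type, timestamp, vno8, etype = struct.unpack_from(">IIBH", blob, off)
        off += 4 + 4 + 1 + 2
        key, off = _counted(blob, off)
        vno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", blob, off)
            off += 4
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": vno,
            "etype": etype,
            "key": key,
        })
        off = end
    return entries


def _entry(principal, etype, key, kvno, timestamp):
    """Serialise one keytab entry (used only to build the constructed sample)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, timestamp, kvno & 0xFF, etype)  # name_type 1 = NT_PRINCIPAL
    body += struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_sample_keytab():
    """Constructed keytab: one deleted kvno-1 slot plus two live kvno-2 host keys."""
    host = "host/fileserver.example.com@EXAMPLE.COM"   # made-up principal
    ts = 1075000000                                    # made-up timestamp
    old = _entry(host, RC4_HMAC, b"\x11" * 16, 1, ts)
    deleted = struct.pack(">i", -(len(old) - 4)) + old[4:]   # same bytes, negative size
    return (b"\x05\x02" + deleted
            + _entry(host, RC4_HMAC, bytes(range(16)), 2, ts)
            + _entry(host, AES256_CTS_HMAC_SHA1, bytes(range(32)), 2, ts))


def find_key(blob, principal, etype):
    """Highest-kvno key for principal/etype, or None if absent."""
    best = None
    for e in parse_keytab(blob):
        if e["principal"] == principal and e["etype"] == etype:
            if best is None or e["kvno"] > best["kvno"]:
                best = e
    return best["key"] if best else None


def machine_nt_hash(blob, principal):
    """Hex NT hash of the machine password, taken from the etype-23 key.

    This is the value secrets.c would have to return in place of the hash
    derived from the secrets.tdb password, so the keytab needs the same
    file protection as secrets.tdb."""
    key = find_key(blob, principal, RC4_HMAC)
    return key.hex() if key else None


if __name__ == "__main__":
    kt = build_sample_keytab()
    for e in parse_keytab(kt):
        print(e["principal"], "etype", e["etype"], "kvno", e["kvno"], "key", e["key"].hex())
    print("NT hash from keytab:",
          machine_nt_hash(kt, "host/fileserver.example.com@EXAMPLE.COM"))
```

Two details matter for the "idiot-proofing" Andrew asks for: a keytab rotated with kvno bumps keeps stale entries (and possibly deleted slots) that a naive reader would return, so selecting the highest kvno is necessary; and because the etype-23 key is a bare NT hash, a world-readable keytab leaks exactly the credential that secrets.tdb is locked down to protect.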