[PATCH] keytab management for ADS mode.
Andrew Bartlett
abartlet at samba.org
Tue Jan 27 10:43:28 GMT 2004
On Tue, 2004-01-27 at 12:43, Rakesh Patel wrote:
> Andrew, giving some thought to the process and reviewing additional
> Samba code, if using a Kerberos
> environment without Win2K/AD, the "keytab use" is adequate since machine
> passwords are only used
> for code which uses NTLM or managing the machine password with AD/KDC,
> which is not expected
> of Samba. Obviously this has very limited use since it can not be used
> with a Domain and AD. Other
> than a workgroup situation, it almost has no value [ however I am able
> to use it without problems at home].
So, you are suggesting that there are sites where the NTLM and kerberos
password databases are separated, that AD trusts the external kerberos
database and as such Samba should use it for the kerberos machine account?
> I am assuming that MIT/Heimdal now support the same password changing
> protocol supported by Microsoft.
The issue is not that password change protocols, but the kerberos
administration protocols. Samba does not speak any of them, apart from
the 'microsoft' one, being LDAP get/set requests, and a password set
kerberos request.
I do not think it is wise for Samba to create the keytab in this
situation.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040127/a4cbcf1c/attachment.bin
More information about the samba-technical
mailing list