[PATCH] keytab management for ADS mode.

Andrew Bartlett abartlet at samba.org
Tue Jan 27 10:43:28 GMT 2004

On Tue, 2004-01-27 at 12:43, Rakesh Patel wrote:
> Andrew, giving some thought to the process and reviewing additional 
> Samba code, if using a Kerberos
> environment without Win2K/AD, the "keytab use" is adequate since machine 
> passwords are only used
> for code which uses NTLM or managing the machine password with AD/KDC, 
> which is not expected
> of Samba.  Obviously this has very limited use since it can not be used 
> with a Domain and AD. Other
> than a workgroup situation, it almost has no value [ however I am able 
> to use it without problems at home].

So, you are suggesting that there are sites where the NTLM and kerberos 
password databases are separated, that AD trusts the external kerberos 
database and as such Samba should use it for the kerberos machine account?

> I am assuming that MIT/Heimdal now support the same password changing 
> protocol supported by Microsoft.

The issue is not that password change protocols, but the kerberos
administration protocols.  Samba does not speak any of them, apart from
the 'microsoft' one, being LDAP get/set requests, and a password set
kerberos request.

I do not think it is wise for Samba to create the keytab in this

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040127/a4cbcf1c/attachment.bin

More information about the samba-technical mailing list