[Fwd: Re: [PATCH] keytab management for ADS mode.]

Jeremy Allison jra at samba.org
Sat Jan 31 00:42:56 GMT 2004

On Sun, Jan 25, 2004 at 04:02:46PM -0500, Rakesh Patel wrote:
> Hi..   now that I have had some testing done for both Windows and 
> non-Windows KDC
> environments,  I'd like to see Heimdal tested along with Windows2000 (I 
> used Windows 2003/.NET
> and it has key version numbers while Win2000 does not).  Also would be 
> nice to have
> someone test a non-Windows KDC used with full Win2K domain/AD.
> I was also wondering if anyone had looked into having a Fedora desktop 
> join a Win2K domain/AD
> and download the user profile to determine which shares to "automount"  
> similarly to a 2000/XP desktop.
> The idea being kerberos credentials would be used for the SMB/CIFS 
> access.  I noticed nautilus is
> linked with the mit gssapi_krb5 library ,but I searched the sources and 
> did not find any krb or gssapi calls.
> Ideally if nautilus used smb:// with kerberos credentials, it would have 
> the same transparency that we can
> now provide from the Win2000/XP desktops to unix/Win2k file servers.
> The only other major concern I have is testing with winbind and other 
> Samba functionality that was added.
> Since I am not utilziing winbind or other facilities for uid/username 
> mapping,  there are chances additional
> work will be required in those areas of the Samba code.
> Any suggestions/testing assistance would be appreciated. :-) 
> Thanks to Geunther for putting together the code/functionality  to get 
> this effort rolling!!

Ok, I'm still applying a version of this patch and I don't understand
the code modification in ads_verify_ticket() that begins :

       if ( lp_keytab_use ) {
         /* Use Keytab to initialize credentials */

and continues to call krb5_get_init_creds_keytab(). What is this code
for ? It appears to be trying to get a ticket for the server ? Why ?

Surely the call to krb5_rd_req() later will verify the incoming client
ticket without this ?

Please explain this code very carefully or I cannot apply this.


More information about the samba-technical mailing list