[Fwd: Re: [PATCH] keytab management for ADS mode.]
Jeremy Allison
jra at samba.org
Sat Jan 31 00:42:56 GMT 2004
On Sun, Jan 25, 2004 at 04:02:46PM -0500, Rakesh Patel wrote:
>
> Hi.. now that I have had some testing done for both Windows and
> non-Windows KDC environments, I'd like to see Heimdal tested along
> with Windows2000 (I used Windows 2003/.NET and it has key version
> numbers while Win2000 does not). Also would be nice to have someone
> test a non-Windows KDC used with full Win2K domain/AD.
>
> I was also wondering if anyone had looked into having a Fedora
> desktop join a Win2K domain/AD and download the user profile to
> determine which shares to "automount" similarly to a 2000/XP desktop.
> The idea being kerberos credentials would be used for the SMB/CIFS
> access. I noticed nautilus is linked with the mit gssapi_krb5
> library, but I searched the sources and did not find any krb or
> gssapi calls. Ideally if nautilus used smb:// with kerberos
> credentials, it would have the same transparency that we can now
> provide from the Win2000/XP desktops to unix/Win2k file servers.
>
> The only other major concern I have is testing with winbind and other
> Samba functionality that was added. Since I am not utilizing winbind
> or other facilities for uid/username mapping, there are chances
> additional work will be required in those areas of the Samba code.
>
> Any suggestions/testing assistance would be appreciated. :-)
>
> Thanks to Geunther for putting together the code/functionality to get
> this effort rolling!!

Ok, I'm still applying a version of this patch and I don't understand
the code modification in ads_verify_ticket() that begins:

    if ( lp_keytab_use ) {
        /* Use Keytab to initialize credentials */

and continues to call krb5_get_init_creds_keytab(). What is this code
for? It appears to be trying to get a ticket for the server? Why?
Surely the call to krb5_rd_req() later will verify the incoming client
ticket without this?

Please explain this code very carefully or I cannot apply this.

Jeremy.