[Fwd: Re: [PATCH] keytab management for ADS mode.]

Jeremy Allison jra at samba.org
Sat Jan 31 01:01:47 GMT 2004

On Fri, Jan 30, 2004 at 04:42:56PM -0800, Jeremy Allison wrote:
> Ok, I'm still applying a version of this patch and I don't understand
> the code modification in ads_verify_ticket() that begins :
>        if ( lp_keytab_use ) {
>          /* Use Keytab to initialize credentials */
> and continues to call krb5_get_init_creds_keytab(). What is this code
> for ? It appears to be trying to get a ticket for the server ? Why ?
> Surely the call to krb5_rd_req() later will verify the incoming client
> ticket without this ?
> Please explain this code very carefully or I cannot apply this.

In addition, I'm not happy with the get_kvno() function. This appears
to get a server ticket and then extract the kvno from it. The whole point
of using kerberos to verify incoming client tickets is not to contact
the KDC from the server end.

Now when winbindd needs a ticket to enumerate users then it may need
to get a host ticket, but we should not be making calls to the KDC
to verify an incoming client logon session.

If we're using secrets.tdb then we are controlling machine password
updates and can increment a kvno data entry on password change. If
we're using a keytab then we need to explicitly query the kvno from
the KDC when writing it.


More information about the samba-technical mailing list