[Fwd: Re: [PATCH] keytab management for ADS mode.]

Jeremy Allison jra at samba.org
Sat Jan 31 01:04:29 GMT 2004


On Fri, Jan 30, 2004 at 07:56:42PM -0500, Rakesh Patel wrote:
> To summarize - I want to make sure it is clear what the functionality should be:
> 
> keytab file - define file - if defined, use the keytab file for all operations? Or do we wish to continue to utilize the password from secrets.tdb? We can eliminate "keytab use" and just initialize credentials using the keytab if "keytab file" is specified. As per Andrew Bartlett all cases where secrets_fetch_machine_password() is utilized must have a function call to initialize the credentials from the keytab.
> 
> Should we eliminate "keytab update"? - If "keytab file" is specified and a "net ads join", "net ads changetrustpw", or "net ads keytab create" are done, we could just update the keytab and really should in that case. If the keytab is maintained externally to Samba, then users should never run any of these commands, however keeping "keytab update" maintains clarity - no updates unless explicitly specified. The safety is already there - leave or remove?
> 
> I believe we all agree "keytab use" has no value and has to be removed. I believe modifying the patch to complete the keytab credentials initialization so it will work with all Samba utilities is also important and basing it on "keytab file" definition is probably cleanest as per suggestions from the Samba team.
> 
> Jeremy, I can make the changes easily - as long as we agree on the approach.

I only want one parameter: keytab file.

If this is set then everything uses the keytab - even though we still
store the password and kvno in secrets.tdb. Once that is set in smb.conf
then everything should also update the keytab file as well as secrets.tdb.

I will make the changes to the code to do this. I think I understand your
patch well enough to implement this.

It won't make 3.0.2, but maybe 3.0.3. I'd appreciate you evaluating what
I check into the CVS tree to make sure that this meets your needs.

Jeremy.

