Patch: System keytab usage improvements
abartlet at samba.org
Tue Jun 1 00:07:52 GMT 2004
On Tue, 2004-06-01 at 08:20, Dan Perry wrote:
> Hi all,
> Here is a patch to samba-3.0.5pre1 that enables use of a file system keytab,
> and enhances keytab functionality. You can download the patch from here:
> This patch is a combination of the previous patches I've submitted, and
> applying it will do the following things:
Thanks for keeping up with this. This is an important set of patches,
and I'm sorry it's taken so long.
> - adds a set of 'net ads keytab' commands
> - makes 'net ads join' write out a keytab with, at minimum, host and cifs
> entries, to the default system keytab.
> - makes 'net ads changetrustpw' update all entries in the system keytab when
> the password is changed.
> - determines the kvno from a windows 2003 domain controller by doing an ldap
> lookup. The kvno for a 2000 domain is always 0.
> - uses a fully qualified domain name for the keytab entries, instead of a
> netbios style name.
> - keeps the older (current kvno - 1) entries in the system keytab when the
> machine password is changed. This prevents clients with existing session
> tickets for breaking when the machine password is changed and the kvno
> increments. This behavior is exactly what Microsoft does.
Why only kvno -1? Could we not need keys even older than that?
> - makes smbd's kerberos_verify() routine check the default system keytab.
> Since the default system keytab will have entries with the current kvno and
> kvno - 1, as per the comment above, this allows smbd to use the older kvno -1
> keytab entry and prevents a machine password change from interrupting exist
> client sessions.
This is the main part of the patch I object to. I think that we should
structure the storage in secrets.tdb in this way (we need the previous
password anyway, to fix a bug in some other parts of Samba). I know we
avoided recording the password into the keytab for a reason...
I think that after checking the passwords in secrets.tdb, we should
*then* check the system keytab, because we might be in an MIT realm, or
some other interesting thing.
> - adds 'net ads keytab add <principal>' command that allows net to add other
> entries into the keytab, for other kerberized service like ldap or afs.
> - adds 'net ads keytab flush' which cleans out all entries in the keytab,
> allowing you to prevent the kvno - 1 entries from being preserved in the
> keytab, if you so desire.
> - adds 'net ads keytab create' which creates a new keytab based on the
> existing machine password.
> - makes sure that any custom principals added to the keytab using 'net ads
> keytab add' or another program are both preserved and updated on a machine
> password change.
> Unlike the older versions of this patch, no new configuration file or compile
> time options are introduced. This patch is designed to use the system
> keytab if possible, otherwise samba will ignore the new code and work exactly
> as it did before the patch.
This sounds good. Samba has too many options already :-)
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040601/1521e9b1/attachment.bin
More information about the samba-technical