Patch: System keytab usage improvements

Andrew Bartlett abartlet at
Tue Jun 1 00:07:52 GMT 2004

On Tue, 2004-06-01 at 08:20, Dan Perry wrote:
> Hi all,
> Here is a patch to samba-3.0.5pre1 that enables use of a file system keytab,
> and enhances keytab functionality.   You can download the patch from here:
> This patch is a combination of the previous patches I've submitted, and
> applying it will do the following things:

Thanks for keeping up with this.  This is an important set of patches,
and I'm sorry it's taken so long.

> - adds a set of 'net ads keytab' commands
> - makes 'net ads join' write out a keytab with, at minimum, host and cifs
> entries, to the default system keytab.
> - makes 'net ads changetrustpw' update all entries in the system keytab when
> the password is changed.
> - determines the kvno from a windows 2003 domain controller by doing an ldap
> lookup.   The kvno for a 2000 domain is always 0.
> - uses a fully qualified domain name for the keytab entries, instead of a
> netbios style name.
> - keeps the older (current kvno - 1) entries in the system keytab when the
> machine password is changed.   This prevents clients with existing session
> tickets from breaking when the machine password is changed and the kvno
> increments.   This behavior is exactly what Microsoft does.

Why only kvno -1?  Could we not need keys even older than that?

> - makes smbd's kerberos_verify() routine check the default system keytab.
> Since the default system keytab will have entries with the current kvno and
> kvno - 1, as per the comment above, this allows smbd to use the older kvno -1
> keytab entry and prevents a machine password change from interrupting existing
> client sessions.

This is the main part of the patch I object to.  I think that we should
structure the storage in secrets.tdb in this way (we need the previous
password anyway, to fix a bug in some other parts of Samba).  I know we
avoided recording the password into the keytab for a reason...

I think that after checking the passwords in secrets.tdb, we should
*then* check the system keytab, because we might be in an MIT realm, or
some other interesting thing.  

> - adds 'net ads keytab add <principal>' command that allows net to add other
> entries into the keytab, for other kerberized services like ldap or afs.
> - adds 'net ads keytab flush' which cleans out all entries in the keytab,
> allowing you to prevent the kvno - 1 entries from being preserved in the
> keytab, if you so desire.
> - adds 'net ads keytab create' which creates a new keytab based on the
> existing machine password.
> - makes sure that any custom principals added to the keytab using 'net ads
> keytab add' or another program are both preserved and updated on a machine
> password change.
> Unlike the older versions of this patch, no new configuration file or compile
> time options are introduced.   This patch is designed to use the system
> keytab if possible, otherwise samba will ignore the new code and work exactly
> as it did before the patch.

This sounds good.  Samba has too many options already :-)

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
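The kvno handling argued over in this thread, as an added illustration that is not Samba's code and not part of the original mail: a toy keytab keeps the current and kvno - 1 keys across a trust password change, secrets.tdb is consulted before the keytab as Andrew proposes, and a ticket sealed two rotations ago no longer verifies. Ticket sealing is modelled as an HMAC tag (an assumption standing in for Kerberos encryption); principals, keys and clients are constructed.

```python
import hashlib
import hmac

# Toy model: a system keytab is principal -> {kvno: key}; secrets.tdb holds
# the current and previous machine password.  Everything below is constructed.

def keytab_rotate(keytab, principal, new_key, keep_previous=1):
    """Store new_key under the next kvno, keeping keep_previous older kvnos (the patch keeps one)."""
    entries = keytab.setdefault(principal, {})
    kvno = max(entries, default=0) + 1
    entries[kvno] = new_key
    for old in sorted(entries)[:-(keep_previous + 1)]:
        del entries[old]
    return kvno

def issue_ticket(principal, kvno, key, client):
    """KDC seals a service ticket with the service key of one kvno (HMAC tag stands in for encryption)."""
    body = f"{principal}|{kvno}|{client}".encode()
    return principal, kvno, client, hmac.new(key, body, hashlib.sha256).digest()

def verify_ticket(ticket, secrets, keytab):
    """Try secrets.tdb keys first, then the keytab entry for the ticket's kvno; report which source hit."""
    principal, kvno, client, tag = ticket
    body = f"{principal}|{kvno}|{client}".encode()
    candidates = [("secrets.tdb", secrets["current"]), ("secrets.tdb", secrets["previous"]),
                  ("keytab", keytab.get(principal, {}).get(kvno))]
    for source, key in candidates:
        if key and hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return source
    return None

def rotation_demo():
    keytab, secrets = {}, {"current": None, "previous": None}
    host = "cifs/host.example.com@EXAMPLE.COM"      # constructed host principal
    def change_trust_password(key):                  # 'net ads changetrustpw' in miniature
        secrets["previous"], secrets["current"] = secrets["current"], key
        return keytab_rotate(keytab, host, key)
    k1 = change_trust_password(b"pw-1")
    t1 = issue_ticket(host, k1, b"pw-1", "alice")
    change_trust_password(b"pw-2")                   # kvno 1 survives as kvno - 1
    r = {"one_rotation": verify_ticket(t1, secrets, keytab)}
    k3 = change_trust_password(b"pw-3")              # kvno 1 is dropped now
    r["two_rotations"] = verify_ticket(t1, secrets, keytab)
    ldap = "ldap/host.example.com@EXAMPLE.COM"      # added via 'net ads keytab add', keytab only
    kl = keytab_rotate(keytab, ldap, b"ldap-key")
    r["keytab_only"] = verify_ticket(issue_ticket(ldap, kl, b"ldap-key", "bob"), secrets, keytab)
    keytab.pop(host, None)                           # 'net ads keytab flush'
    r["after_flush"] = verify_ticket(issue_ticket(host, k3, b"pw-3", "carol"), secrets, keytab)
    return r
```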