Patch: System keytab usage improvements

Jeremy Allison jra at samba.org
Fri Jun 11 21:46:32 GMT 2004


On Fri, Jun 11, 2004 at 02:10:05PM -0700, James, Garrick wrote:

> We did some testing with this patch applied to Samba in a Win 2k AD
> domain.  All of our testing worked like a charm.  :-)
> 
> We were able to add Samba servers to the AD realm/domain successfully
> (both specifying a specific OU or using the default OU).  We configured
> pam_krb5 into our PAM stack and now pam-aware applications validate
> credentials using Kerberos.  We manually changed the system's account
> password (using the net command) and everything continued to work great.
> Cool stuff!
> 
> Are there any outstanding issues that would prevent Dan's patch from
> being rolled into the next release of Samba 3.0.x?

I'm evaluating this patch right now. It looks like all the previous
issues I was worried about have been addressed.

I'm going to merge this for Samba 3.0.5pre2.

> Our AD guys had one question for me to which I have not been able to
> track down the answer.  They wanted to know how often Samba changes its
> machine account password.  I found some stuff in various documents
> discussing a parameter that can be tuned to control this for when
> security = domain, but I haven't been able to find any info on this for
> when security = ADS.

I think it uses the same timeout (although I need to check the code).

> Does anyone know whether Samba changes its machine account password
> periodically when in ADS mode?  How often?  Can the frequency be tuned
> in smb.conf?  Dan, does your patch change any of this behavior?

I'll check this out in the code, although my guess would be it changes
it on the same time frequency that it does for an RPC password change.

Thanks a *LOT* for this work. It is *much* appreciated !

Jeremy.

