Patch: System keytab usage improvements

Andrew Bartlett abartlet at samba.org
Fri Jun 11 22:08:56 GMT 2004


On Sat, 2004-06-12 at 07:46, Jeremy Allison wrote:
> On Fri, Jun 11, 2004 at 02:10:05PM -0700, James, Garrick wrote:
> 
> > We did some testing with this patch applied to Samba in a Win 2k AD
> > domain.  All of our testing worked like a charm.  :-)
> > 
> > We were able to add Samba servers to the AD realm/domain successfully
> > (both specifying a specific OU or using the default OU).  We configured
> > pam_krb5 into our PAM stack and now pam-aware applications validate
> > credentials using Kerberos.  We manually changed the system's account
> > password (using the net command) and everything continued to work great.
> > Cool stuff!
> > 
> > Are there any outstanding issues that would prevent Dan's patch from
> > being rolled into the next release of Samba 3.0.x?
> 
> I'm evaluating this patch right now. It looks like all the previous
> issues I was worried about have been addressed.
> 
> I'm going to merge this for Samba 3.0.5pre2.

Thanks!

> > Our AD guys had one question for me to which I have not been able to
> > track down the answer.  They wanted to know how often Samba changes its
> > machine account password.  I found some stuff in various documents
> > discussing a parameter that can be tuned to control this for when
> > security = domain, but I haven't been able to find any info on this for
> > when security = ADS.
> 
> I think it uses the same timeout (although I need to check the code).
> 
> > Does anyone know whether Samba changes its machine account password
> > periodically when in ADS mode?  How often?  Can the frequency be tuned
> > in smb.conf?  Dan, does your patch change any of this behavior?
> 
> I'll check this out in the code, although my guess would be it changes
> it on the same time frequency that it does for an RPC password change.

Currently, we don't.  The only way to change it is with a cron-based 'net
ads changetrustpw' command.

> Thanks a *LOT* for this work. It is *much* appreciated!

Strongly seconded,

Andrew Bartlett