Patch: System keytab usage improvements
abartlet at samba.org
Fri Jun 11 22:08:56 GMT 2004
On Sat, 2004-06-12 at 07:46, Jeremy Allison wrote:
> On Fri, Jun 11, 2004 at 02:10:05PM -0700, James, Garrick wrote:
> > We did some testing with this patch applied to Samba in a Win 2k AD
> > domain. All of our testing worked like a charm. :-)
> > We were able to add Samba servers to the AD realm/domain successfully
> > (both specifying a specific OU or using the default OU). We configured
> > pam_krb5 into our PAM stack and now pam-aware applications validate
> > credentials using kerberos. We manually change the system's account
> > password (using the net command) and everything continued to work great.
> > Cool stuff!
> > Are there any outstanding issues that would prevent Dan's patch from
> > being rolled into the next release of Samba 3.0.x?
> I'm evaluating this patch right now. It looks like all the previous
> issues I was worried about have been addressed.
> I'm going to merge this for Samba 3.0.5pre2.
> > Our AD guys had one question for me to which I have not been able to
> > track down the answer. They wanted to know how often Samba changes its
> > machine account password. I found some stuff in various documents
> > discussing a parameter that can be tuned to control this for when
> > security = domain, but I haven't been able to find any info on this for
> > when security = ADS.
> I think it uses the same timeout (although I need to check the code).
> > Does anyone know whether Samba changes its machine account password
> > periodically when in ADS mode? How often? Can the frequency be tuned
> > in smb.conf? Dan, does your patch change any of this behavior?
> I'll check this out in the code, although my guess would be it changes
> it on the same time frequency that it does for an RPC password change.
Currently, we don't. Only way to change it is with a cron based 'net
ads changetrustpw' command.
> Thanks a *LOT* for this work. It is *much* appreciated !
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040612/9774ccf9/attachment.bin
More information about the samba-technical