Patch: System keytab usage improvements

Andrew Bartlett abartlet at samba.org
Wed Jun 16 02:44:19 GMT 2004


On Sat, 2004-06-12 at 07:46, Jeremy Allison wrote:
> On Fri, Jun 11, 2004 at 02:10:05PM -0700, James, Garrick wrote:
> 
> > We did some testing with this patch applied to Samba in a Win 2k AD
> > domain.  All of our testing worked like a charm.  :-)
> > 
> > We were able to add Samba servers to the AD realm/domain successfully
> > (both specifying a specific OU or using the default OU).  We configured
> > pam_krb5 into our PAM stack and now PAM-aware applications validate
> > credentials using Kerberos.  We manually changed the system's account
> > password (using the net command) and everything continued to work great.
> > Cool stuff!
> > 
> > Are there any outstanding issues that would prevent Dan's patch from
> > being rolled into the next release of Samba 3.0.x?
> 
> I'm evaluating this patch right now. It looks like all the previous
> issues I was worried about have been addressed.
> 
> I'm going to merge this for Samba 3.0.5pre2.

There is one more feature that would make this patch really do wonders
for moving away from MS.  We need a 'server kerberos auth' parameter,
that is independent of the 'security=ads' stuff.  

This would, for a 'security=user' machine, offer and allow Kerberos
authentication, against the externally administered keytab.  Where we
have Samba being used for those who have real MIT/Heimdal realms, and no
Active Directory, this would really help.

For too long, Samba's Kerberos support has relied on Active Directory,
and that's just silly :-)

(I'll add this in, as soon as the patch hits the tree, if nobody beats
me to it).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net