Patch: System keytab usage improvements

Andrew Bartlett abartlet at
Wed Jun 16 02:44:19 GMT 2004

On Sat, 2004-06-12 at 07:46, Jeremy Allison wrote:
> On Fri, Jun 11, 2004 at 02:10:05PM -0700, James, Garrick wrote:
> > We did some testing with this patch applied to Samba in a Win 2k AD
> > domain.  All of our testing worked like a charm.  :-)
> > 
> > We were able to add Samba servers to the AD realm/domain successfully
> > (both specifying a specific OU or using the default OU).  We configured
> > pam_krb5 into our PAM stack and now PAM-aware applications validate
> > credentials using Kerberos.  We manually changed the system's account
> > password (using the net command) and everything continued to work great.
> > Cool stuff!
> > 
> > Are there any outstanding issues that would prevent Dan's patch from
> > being rolled into the next release of Samba 3.0.x?
>
> I'm evaluating this patch right now. It looks like all the previous
> issues I was worried about have been addressed.
> I'm going to merge this for Samba 3.0.5pre2.

There is one more feature that would make this patch really do wonders
for moving away from MS.  We need a 'server kerberos auth' parameter,
that is independent of the 'security=ads' stuff.  

This would, for a 'security=user' machine, offer and allow Kerberos
authentication, against the externally administered keytab.  Where we
have Samba being used for those who have real MIT/Heimdal realms, and no
Active Directory, this would really help.

For too long, Samba's Kerberos support has relied on Active Directory,
and that's just silly :-)

(I'll add this in, as soon as the patch hits the tree, if nobody beats
me to it).

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at