Patch: Keytabs / Improving Samba's Interaction With Other Kerberized Services

Dan Perry dperry at pppl.gov
Fri May 21 15:10:49 GMT 2004


Hi All,

Here is a patch for Samba 3.0.4 that adds an option to disable Samba's own
keytab creation / management functions.  This patch prevents certain ads
functions from running, i.e. net ads join, net ads changetrustpw, etc.  It
also changes the kerberos_verify routines to verify an incoming Kerberos
transaction using the system's keytab, rather than generating an in-memory
keytab from the machine's trust password.

The patch can be downloaded from:

http://www.pppl.gov/~dperry/patches/samba-3.0.4-sys-keytab.diff

After the patch is applied, run the autogen.sh script to rebuild the autoconf
script.  Configure will include an option '--with-system-keytab'.  This
will not be on by default, so a naive build of Samba with this patch applied
will behave exactly like an unpatched build.

If you apply this patch and enable it during the configuration, you'll need
to manually do the work that 'net ads join' did.  Specifically, you will need
to have both a 'host' and 'cifs' principal in your system keytab for Samba to
work.


Why would someone want to use this patch and create extra work (managing the
keytab manually) for themselves?  The main reason is to allow
interoperability between Samba and other kerberized services.  As has been
discussed on this list previously, it's impossible to run Samba and other
kerberized services when using Active Directory as a KDC.  I've written a
small program, msktutil, that helps manage keytabs for a system using Active
Directory for a KDC.  You can check it out here:

http://www.pppl.gov/~dperry/msktutil/

Msktutil basically does what a 'net ads join' does - it will create or update
a computer account in Active Directory, set the password on that account, and
generate a keytab.  Msktutil also includes some other features that Samba
doesn't have, namely:
 * it will preserve the kvno - 1 entries (so changing the computer's trust
password doesn't break any existing Kerberos sessions, because the older
keytab entry for kvno - 1 will still be around)
 * it will allow additional keytab entries other than host and cifs to be
specified
 * it will save the keytab to a file so all system services can share the
keytab.

The patch for Samba I mentioned above is designed to work with msktutil -
msktutil takes care of the keytabs, and Samba takes care of the file
serving...

Please send me any comments you may have on this.

Thanks,
Dan
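The message above says that, with '--with-system-keytab' enabled, the administrator must make sure the system keytab holds both a 'host' and a 'cifs' principal, and that msktutil keeps the kvno - 1 entries so an in-flight session is not broken by a trust-password change. The following is an added example, not code from Dan Perry's patch, from Samba or from msktutil: a small parser for the MIT keytab file format (version 0x0502) with a check that reports whether those two principals are present for a host and whether the previous kvno is still retained. The host name fs1.example.com, the realm EXAMPLE.COM, the all-zero key bytes and the sample keytab built from them are constructed for the example; key material is skipped by the parser and never returned.

```python
"""Added example: inspect a keytab for the principals Samba needs (host/ and cifs/)
and for retained kvno-1 entries.  Hypothetical helper, not part of Samba or msktutil."""
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab format version 2; all fields big-endian


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as a version-2 keytab.
    Present only to construct sample input offline; real keytabs come from ktutil/msktutil."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))          # component count (realm excluded)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)                             # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                             # timestamp (constructed: epoch)
        body += struct.pack(">B", kvno & 0xFF)                   # 8-bit vno field
        body += struct.pack(">HH", enctype, len(key)) + key      # keyblock: type, length, key
        body += struct.pack(">I", kvno)                          # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body               # entry is prefixed by its length
    return bytes(out)


def _counted(data, pos):
    """Read a uint16-length-prefixed string at pos; return (string, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Parse version-2 keytab bytes into dicts of principal/realm/kvno/enctype.
    Key bytes are skipped, not returned.  Negative-length entries (holes left by
    a delete) are stepped over, as krb5 does."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            raise ValueError("zero-length entry at offset %d" % (pos - 4))
        if size < 0:                                  # deleted entry: skip its body
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry at offset %d" % (pos - 4))
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 8                                      # name_type (4) + timestamp (4)
        kvno = data[pos]                              # 8-bit vno
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                               # skip over the key material
        if end - pos >= 4:                            # 32-bit vno, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_samba_keytab(data, fqdn, realm):
    """Report whether host/<fqdn> and cifs/<fqdn> exist in the keytab and, for each,
    whether the entry for the previous kvno (kvno - 1) is still retained."""
    entries = parse_keytab(data)
    report = {"missing": [], "principals": {}}
    for svc in ("host", "cifs"):
        name = "%s/%s" % (svc, fqdn)
        kvnos = sorted({e["kvno"] for e in entries
                        if e["principal"] == name and e["realm"] == realm})
        if not kvnos:
            report["missing"].append(name)
            continue
        report["principals"][name] = {"kvnos": kvnos,
                                      "previous_kvno_kept": (kvnos[-1] - 1) in kvnos}
    return report


# Constructed sample: a dummy all-zero RC4-HMAC (enctype 23) key, never a real one.
SAMPLE_KEY = bytes(16)
SAMPLE_KEYTAB = build_keytab([
    ("host/fs1.example.com", "EXAMPLE.COM", 3, 23, SAMPLE_KEY),   # previous kvno retained
    ("host/fs1.example.com", "EXAMPLE.COM", 4, 23, SAMPLE_KEY),
    ("cifs/fs1.example.com", "EXAMPLE.COM", 4, 23, SAMPLE_KEY),   # only current kvno
    ("nfs/fs1.example.com", "EXAMPLE.COM", 4, 23, SAMPLE_KEY),    # another service sharing the file
])

if __name__ == "__main__":
    print(check_samba_keytab(SAMPLE_KEYTAB, "fs1.example.com", "EXAMPLE.COM"))
```

Run against a real system keytab by replacing SAMPLE_KEYTAB with the bytes read from /etc/krb5.keytab (as root) and passing the host's FQDN and realm; a non-empty "missing" list means Samba built with the system-keytab option will not be able to verify incoming tickets, and "previous_kvno_kept" being False for a service means clients holding tickets issued under the prior key will fail after the next password change.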


