Patch: Keytabs / Improving Samba's Interaction With Other Kerberized Services

Andrew Bartlett abartlet at samba.org
Fri May 21 23:17:53 GMT 2004 

On Sat, 2004-05-22 at 01:10, Dan Perry wrote:
> Hi All,
> 
> Here is a patch for Samba 3.0.4 that adds an option to disable Samba's own
> keytab creation / management functions.   This patch prevents certain ads
> functions from running, i.e. net ads join, net ads changetrustpw, etc.   It
> also changes the kerberos_verify routines to verify an incoming Kerberos
> transaction using the system's keytab, rather then generating an in-memory
> keytab from the machine's trust password.

The problem with this patch is that it completely disables our schannel
client support, as well as our ability to use kerberos to connect to a
domain controller.

Both of these rely on being able to get at the very least the type 23
key out of the keytab.  

Even with that aside, we do this, because we had a very painful
experience trying to make MIT kerberos correctly behave with the many
different ways an incoming MS client ticket can behave.   In particular,
I understand the host principal name seems to vary widely, particularly
in case.  Doing this 'properly' (which I long advocated) soon turned out
to be just too hard, in real life networks.

There is another set of patches floating around, that need to be
applied, that instead make Samba write out to the system keytab.  

(I thought jra was doing it, but more urgent things keep bumping things
off his priority queue).  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040522/5813acce/attachment.bin

More information about the samba-technical mailing list