Patch: Keytabs / Improving Samba's Interaction With Other
abartlet at samba.org
Fri May 21 23:17:53 GMT 2004
On Sat, 2004-05-22 at 01:10, Dan Perry wrote:
> Hi All,
> Here is a patch for Samba 3.0.4 that adds an option to disable Samba's own
> keytab creation / management functions. This patch prevents certain ads
> functions from running, i.e. net ads join, net ads changetrustpw, etc. It
> also changes the kerberos_verify routines to verify an incoming Kerberos
> transaction using the system's keytab, rather than generating an in-memory
> keytab from the machine's trust password.
The problem with this patch is that it completely disables our schannel
client support, as well as our ability to use kerberos to connect to a
Both of these rely on being able to get at the very least the type 23
key out of the keytab.
Even with that aside, we do this because we had a very painful
experience trying to make MIT kerberos correctly behave with the many
different ways an incoming MS client ticket can behave. In particular,
I understand the host principal name seems to vary widely, particularly
in case. Doing this 'properly' (which I long advocated) soon turned out
to be just too hard, in real life networks.
There is another set of patches floating around, that need to be
applied, that instead make Samba write out to the system keytab.
(I thought jra was doing it, but more urgent things keep bumping things
off his priority queue).
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
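The thread turns on two details of keytab handling: pulling the "type 23" (RC4-HMAC) key for a host principal out of a keytab, and the fact that the host principal's case varies between clients. The following is an added example, not Samba's code and not part of the original message: it parses the MIT keytab file format (version 0x0502, as written by ktutil and kadmin) and looks up a key by principal and encryption type, comparing the principal name case-insensitively while keeping the realm exact. The sample keytab is constructed inline with dummy key bytes; the principal, realm and kvno values are assumptions for illustration.

```python
import struct
from dataclasses import dataclass

RC4_HMAC = 23      # enctype 23 (arcfour-hmac-md5), the "type 23" key from the thread
AES256_SHA1 = 18   # enctype 18, included only to show per-enctype selection


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a keytab counted_octet_string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes):
    """Parse an MIT keytab (format 0x0502) into KeytabEntry objects.

    Each record is int32 size + body; a negative size marks a deleted slot
    that must be skipped, which real keytabs contain after ktutil 'delent'.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # deleted slot: skip its body
            off += -size
            continue
        if size == 0:
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries


def find_key(entries, principal: str, enctype: int):
    """Return the entry for principal/enctype, matching the name part
    case-insensitively (MS clients vary the host name's case) and the realm exactly."""
    name, _, realm = principal.rpartition("@")
    for e in entries:
        ename, _, erealm = e.principal.rpartition("@")
        if e.enctype == enctype and erealm == realm and ename.lower() == name.lower():
            return e
    return None


def _encode_entry(components, realm, enctype, key, kvno=1, name_type=1,
                  timestamp=0, deleted=False):
    """Serialise one keytab record (helper for building the constructed sample)."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    size = -len(body) if deleted else len(body)
    return struct.pack(">i", size) + body


def build_keytab(specs):
    return b"\x05\x02" + b"".join(_encode_entry(*s) for s in specs)


# Constructed sample: an AES key, a deleted slot, and the RC4 key for the host principal.
# Principal, realm, kvno and key bytes are dummy values, not from any real system.
SAMPLE_KEYTAB = build_keytab([
    (["host", "SERVER.EXAMPLE.COM"], "EXAMPLE.COM", AES256_SHA1, bytes([0x22]) * 32, 3),
    (["host", "old.example.com"], "EXAMPLE.COM", RC4_HMAC, bytes([0x33]) * 16, 1, 1, 0, True),
    (["host", "SERVER.EXAMPLE.COM"], "EXAMPLE.COM", RC4_HMAC, bytes([0x11]) * 16, 3),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal} kvno={e.kvno} enctype={e.enctype} keylen={len(e.key)}")
    hit = find_key(parse_keytab(SAMPLE_KEYTAB), "host/server.example.com@EXAMPLE.COM", RC4_HMAC)
    print("type 23 key found:", hit is not None)
```

Pointing `parse_keytab` at the bytes of a real `/etc/krb5.keytab` lists the same fields `klist -ke` shows, which is a quick way to confirm that the enctype a client will negotiate is actually present before relying on a system keytab for ticket verification.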