Patch: Keytabs / Improving Samba's Interaction With Other Kerberized Services

Andrew Bartlett abartlet at
Fri May 21 23:17:53 GMT 2004

On Sat, 2004-05-22 at 01:10, Dan Perry wrote:
> Hi All,
> Here is a patch for Samba 3.0.4 that adds an option to disable Samba's own
> keytab creation / management functions.   This patch prevents certain ads
> functions from running, i.e. net ads join, net ads changetrustpw, etc.   It
> also changes the kerberos_verify routines to verify an incoming Kerberos
> transaction using the system's keytab, rather than generating an in-memory
> keytab from the machine's trust password.

The problem with this patch is that it completely disables our schannel
client support, as well as our ability to use kerberos to connect to a
domain controller.

Both of these rely on being able to get at the very least the type 23
key out of the keytab.  

Even with that aside, we do this, because we had a very painful
experience trying to make MIT kerberos correctly behave with the many
different ways an incoming MS client ticket can behave.   In particular,
I understand the host principal name seems to vary widely, particularly
in case.  Doing this 'properly' (which I long advocated) soon turned out
to be just too hard, in real life networks.

There is another set of patches floating around, that need to be
applied, that instead make Samba write out to the system keytab.  

(I thought jra was doing it, but more urgent things keep bumping things
off his priority queue).  

Andrew Bartlett

Andrew Bartlett
Manager, Authentication Subsystems, Samba Team
Student Network Administrator, Hawker College
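Worked example, added here and not code from Samba or from the patch under
discussion. The "type 23" key Andrew refers to is the arcfour-hmac (enctype 23)
key, and for a machine account it is simply the NT hash of the trust password,
i.e. MD4 over the password encoded as UTF-16LE. The block below derives that
key from a trust password and writes it into MIT keytab (format 0x0502) entries,
which is what a "write Samba's keys out to the system keytab" approach has to
produce. MD4 is implemented inline because many OpenSSL builds no longer expose
it through hashlib. The principal spellings (NETBIOS$ and host/fqdn), the realm,
the kvno and the timestamp are constructed sample input, not anything taken
from the mail; as the mail itself notes, the host principal case seen on the
wire varies, so a real keytab would likely need more variants.

```python
"""Added example (not Samba code): enctype-23 key from a machine trust password,
written to and read back from an MIT-format (0x0502) keytab."""
import struct

MASK = 0xFFFFFFFF
ENCTYPE_ARCFOUR_HMAC = 23      # the "type 23" key the mail refers to
KRB5_NT_PRINCIPAL = 1          # principal name type stored in keytab entries


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_block(state, block):
    """One 64-byte MD4 compression (RFC 1320); words are little-endian."""
    X = struct.unpack('<16I', block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for i in range(16):                                       # round 1
        a = _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                       # round 2
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14,         # round 3
                           1, 9, 5, 13, 3, 11, 7, 15)):
        a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data):
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64)
    msg += struct.pack('<Q', len(data) * 8)                   # bit length, LE
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack('<4I', *state)


def arcfour_key_from_trust_password(password):
    """enctype 23 key == NT hash == MD4(UTF-16LE(password))."""
    return md4(password.encode('utf-16-le'))


def _cstr(s):
    """Keytab counted octet string: big-endian uint16 length + bytes."""
    b = s.encode()
    return struct.pack('>H', len(b)) + b


def keytab_entry(principal, realm, kvno, enctype, key, timestamp):
    """One 0x0502 keytab entry: int32 size, then ncomp, realm, components,
    name type, timestamp, 8-bit vno, keyblock, optional 32-bit vno."""
    comps = principal.split('/')
    body = struct.pack('>H', len(comps)) + _cstr(realm)
    body += b''.join(_cstr(c) for c in comps)
    body += struct.pack('>IIB', KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack('>HH', enctype, len(key)) + key
    body += struct.pack('>I', kvno)
    return struct.pack('>i', len(body)) + body


def machine_keytab(netbios_name, fqdn, realm, trust_password, kvno, timestamp):
    """Keytab bytes for NETBIOS$ and host/fqdn (assumed spellings) sharing
    the one enctype-23 key derived from the trust password."""
    key = arcfour_key_from_trust_password(trust_password)
    principals = [netbios_name.upper() + '$', 'host/' + fqdn.lower()]
    return b'\x05\x02' + b''.join(
        keytab_entry(p, realm, kvno, ENCTYPE_ARCFOUR_HMAC, key, timestamp)
        for p in principals)


def read_keytab(data):
    """Parse a 0x0502 keytab back into dicts, to check what was written."""
    assert data[:2] == b'\x05\x02', 'unsupported keytab version'
    pos, entries = 2, []
    while pos < len(data):
        size, = struct.unpack('>i', data[pos:pos + 4]); pos += 4
        end = pos + abs(size)
        if size < 0:                          # negative size marks a deleted slot
            pos = end
            continue
        ncomp, rlen = struct.unpack('>HH', data[pos:pos + 4]); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            clen, = struct.unpack('>H', data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _, ts, vno8 = struct.unpack('>IIB', data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack('>HH', data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = struct.unpack('>I', data[pos:pos + 4])[0] if pos + 4 <= end else vno8
        pos = end
        entries.append({'principal': '/'.join(comps) + '@' + realm, 'kvno': kvno,
                        'enctype': enctype, 'key': key, 'timestamp': ts})
    return entries
```

The practical point is that a keytab produced this way holds exactly the
material that schannel and the Kerberos client paths in Samba need (the
enctype-23 key), so removing Samba's in-memory keytab only works if something
else keeps an entry like this current every time the trust password changes.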
