Should krbtgt be in a keytab, rather than hdb?
abartlet at samba.org
Thu Dec 1 09:59:31 GMT 2005
I'm working on Samba4's KDC, and it occurs to me that when the KDC is
receiving a TGS-REQ, it should be checking the incoming packet against a
keytab, rather than hdb.
It seems that the receipt of the TGS-REQ is much more like an
application server than the issuing of tickets.
In particular, I was thinking about the issue of key changes. With a
keytab, both kvno and kvno-1 can be stored, allowing the krbtgt and more
importantly the inter-realm trust keys to be changed.
I don't fully understand how inter-realm trusts work, but I think this
would also allow different keys in each direction, something that I
think Microsoft does.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051201/b44a09c9/attachment.bin
More information about the samba-technical