Should krbtgt be in a keytab, rather than hdb?

Andrew Bartlett abartlet at
Thu Dec 1 09:59:31 GMT 2005

I'm working on Samba4's KDC, and it occurs to me that when the KDC is
receiving a TGS-REQ, it should be checking the incoming packet against a
keytab, rather than hdb.

It seems that the receipt of the TGS-REQ is much more like what an
application server does than like the issuing of tickets.

In particular, I was thinking about the issue of key changes.  With a
keytab, both kvno and kvno-1 can be stored, allowing the krbtgt key and, more
importantly, the inter-realm trust keys to be changed.

I don't fully understand how inter-realm trusts work, but I think this
would also allow different keys in each direction, something that I
think Microsoft does.

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team
Student Network Administrator, Hawker College
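The kvno / kvno-1 idea from the message above, worked through as an added example (this is not Samba or Heimdal code, and not the poster's). It is a toy in Python: the keytab is a dictionary keyed by (principal, kvno) that keeps only the newest two kvnos, the "enctype" is a constructed HMAC-SHA256 encrypt-then-MAC scheme standing in for a real Kerberos enctype, and every principal and realm name is made up. The TGS-REQ check picks the key by the (sname, kvno) carried in the ticket, as an application server would, so a TGT issued before one krbtgt rotation still decrypts while one issued before two does not; the trust part shows that keeping krbtgt/B@A and krbtgt/A@B as separate keytab entries gives independent keys per direction. Real keytab entries also carry an enctype, and a real KDC checks far more than that the ticket decrypts (times, flags, transited realms), which this example leaves out.

```python
"""Toy model of the keytab-based TGS-REQ check (added example, not Samba
or Heimdal code).  The enctype is a constructed HMAC-SHA256
encrypt-then-MAC scheme; principals and realms are made up."""
import hashlib
import hmac
import os
import struct


class Keytab:
    """Maps (principal, kvno) -> key and keeps only the newest `retain` kvnos."""

    def __init__(self, retain=2):
        self._keys = {}
        self.retain = retain

    def add(self, principal, kvno, key):
        self._keys[(principal, kvno)] = key
        kvnos = sorted(k for (p, k) in self._keys if p == principal)
        for old in kvnos[:-self.retain]:      # retain=2 keeps kvno and kvno-1
            del self._keys[(principal, old)]

    def current_kvno(self, principal):
        return max(k for (p, k) in self._keys if p == principal)

    def lookup(self, principal, kvno):
        return self._keys.get((principal, kvno))

    def rotate(self, principal):
        """Install a fresh random key as kvno+1; entries beyond `retain` fall off."""
        new = self.current_kvno(principal) + 1
        self.add(principal, new, os.urandom(32))
        return new


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(kc, nonce, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(kc, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]


def encrypt(key, plaintext):
    """Constructed stand-in enctype: HMAC counter-mode keystream, then MAC."""
    kc, ki = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(ki, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    kc, ki = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(ki, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kc, nonce, len(ct))))


def issue_tgt(keytab, sname, client):
    """AS-REP side: encrypt the ticket under the newest key and record its kvno."""
    kvno = keytab.current_kvno(sname)
    return {"sname": sname, "kvno": kvno,
            "enc-part": encrypt(keytab.lookup(sname, kvno), client.encode())}


def check_tgs_req(keytab, ticket):
    """TGS-REQ side: like an application server, choose the key by the ticket's
    (sname, kvno) and decrypt.  Returns the client name, or None on failure."""
    key = keytab.lookup(ticket["sname"], ticket["kvno"])
    if key is None:                       # kvno no longer held (or never was)
        return None
    try:
        return decrypt(key, ticket["enc-part"]).decode()
    except ValueError:
        return None


KRBTGT = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"   # made-up realm


def rotation_demo():
    """Rotate krbtgt twice: a TGT survives one rotation (kvno-1 kept), not two."""
    kt = Keytab(retain=2)
    kt.add(KRBTGT, 1, os.urandom(32))
    tgt = issue_tgt(kt, KRBTGT, "alice@EXAMPLE.COM")
    kt.rotate(KRBTGT)                      # kvno 2 current, kvno 1 still held
    after_one = check_tgs_req(kt, tgt)
    kt.rotate(KRBTGT)                      # kvno 3 current, kvno 1 dropped
    after_two = check_tgs_req(kt, tgt)
    return after_one, after_two


def trust_demo():
    """One keytab entry per trust direction, so each direction has its own key."""
    kt = Keytab()
    kt.add("krbtgt/OTHER.COM@EXAMPLE.COM", 1, os.urandom(32))  # EXAMPLE.COM -> OTHER.COM
    kt.add("krbtgt/EXAMPLE.COM@OTHER.COM", 1, os.urandom(32))  # OTHER.COM -> EXAMPLE.COM
    outbound = issue_tgt(kt, "krbtgt/OTHER.COM@EXAMPLE.COM", "bob@EXAMPLE.COM")
    swapped = dict(outbound, sname="krbtgt/EXAMPLE.COM@OTHER.COM")  # wrong direction
    return check_tgs_req(kt, outbound), check_tgs_req(kt, swapped)
```

`rotation_demo()` returns `("alice@EXAMPLE.COM", None)` and `trust_demo()` returns `("bob@EXAMPLE.COM", None)`: the same ticket presented against the other direction's entry fails the integrity check, which is the property that lets the two directions be keyed independently.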

More information about the samba-technical mailing list