Should krbtgt be in a keytab, rather than hdb?

Love Hörnquist Åstrand lha at
Thu Dec 1 13:38:43 GMT 2005

Andrew Bartlett <abartlet at> writes:

> I'm working on Samba4's KDC, and it occurs to me that when the KDC is
> receiving a TGS-REQ, it should be checking the incoming packet against a
> keytab, rather than hdb.
> It seems that the receipt of the TGS-REQ is much more like an
> application server than the issuing of tickets.  
> In particular, I was thinking about the issue of key changes.  With a
> keytab, both kvno and kvno-1 can be stored, allowing the krbtgt and more
> importantly the inter-realm trust keys to be changed.  

Its true, but I think they should be stored in the database since in the
common case, the database is propagated to slavesl. I've been thinking
about adding extra keys in the hdb extension thingy for the krbtgt's.

> I don't fully understand how inter-realm trusts work, but I think this
> would also allow different keys in each direction, something that I
> think Microsoft does.

inter-realm already allow multiple keys, the name of the keys are
krbtgtg/REALM1 at REALM2 and krbtgtg/REALM2 at REALM1, and they both (or just one
of them if its not a transitive trust) are stored in the database on both
sides. So you can have diffrent keys in each direction.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 477 bytes
Desc: not available
Url :

More information about the samba-technical mailing list