Kerberos and AD joins
Wachdorf, Daniel R
drwachd at sandia.gov
Tue Mar 8 18:40:58 GMT 2005
We currently have a large Kerberos infrastructure in place. As part of
this we have Kerberized SSH in place. We have created a tool to create
computer type accounts in Active Directory. We set the userPrincipalName
to host/HOSTNAME@REALM and the servicePrincipalName to host/HOSTNAME.
(This seems to function much like the "net ads join" command.) We then
set the password for the computer and write out a Kerberos keytab file
to /etc/krb5.keytab to allow Kerberos authentication with SSH.
The "net ads join" command doesn't seem to create a keytab, but rather
creates the secrets.tdb file which appears to store the password used to
create the computer account.
This leads me to my two questions:
1- Would it be possible to modify samba to use a stored keytab
instead of the secrets.tdb file? Does the samba server actually need
the password, or would a Kerberos keytab with the key be sufficient?
2- Would I be able to grab the password out of the secrets.tdb file
and create a keytab file? My main concern here is: does the password
change often?
Thanks.
-dan
--------------------------------------
Daniel Wachdorf
drwachd at sandia.gov
Sandia National Laboratories
Cyber Security Technologies
505-284-8060
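As an added example for the keytab question above (this is not part of Dan's message and not Samba code), the following Python writes and parses a keytab in the MIT file format (version 0x0502). It makes concrete what such a file actually holds: the principal, the key version number (kvno), the encryption type and the key bytes, never the password itself. Because AD increments the account's key version every time the machine password changes, an entry whose kvno no longer matches the current msDS-KeyVersionNumber is stale, which is why rotation frequency matters; the `stale_entries` check below flags that case. The principal, realm, kvno, timestamp and key bytes are constructed sample values.

```python
"""Build and parse an MIT-format Kerberos keytab (file format 0x0502).

Added example; the principal, realm, kvno and key below are constructed
test values, not data from the original message.
"""
import struct

KEYTAB_VERSION = b"\x05\x02"          # MIT keytab file format 0x0502
KRB5_NT_PRINCIPAL = 1                 # name type used for host/<fqdn> principals
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18    # enctype number from RFC 3962


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def encode_entry(principal: str, realm: str, kvno: int, enctype: int,
                 key: bytes, timestamp: int) -> bytes:
    """Encode one keytab entry for principal@realm (e.g. host/fqdn@REALM)."""
    components = principal.split("/")
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)
    body += struct.pack(">I", timestamp)
    body += struct.pack(">B", kvno & 0xFF)          # legacy 8-bit vno field
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                 # full 32-bit vno trailer
    return struct.pack(">i", len(body)) + body      # signed entry size prefix


def write_keytab(entries) -> bytes:
    return KEYTAB_VERSION + b"".join(encode_entry(**e) for e in entries)


def parse_keytab(blob: bytes):
    """Return the live entries of a keytab as dicts (what `klist -kte` lists)."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:            # MIT rule: use 32-bit vno if present and nonzero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp})
    return entries


def stale_entries(entries, current_kvno: int):
    """Entries whose kvno no longer matches the account's current key version."""
    return [e for e in entries if e["kvno"] != current_kvno]


# Constructed sample: only the derived key goes into the file, never the password.
SAMPLE_KEY = bytes(range(32))                      # constructed 256-bit key
SAMPLE_ENTRIES = [{"principal": "host/myhost.example.com", "realm": "EXAMPLE.COM",
                   "kvno": 3, "enctype": ETYPE_AES256_CTS_HMAC_SHA1_96,
                   "key": SAMPLE_KEY, "timestamp": 1110307258}]


def demo() -> bytes:
    blob = write_keytab(SAMPLE_ENTRIES)
    for e in parse_keytab(blob):
        print("%4d %-40s etype %d" % (e["kvno"], e["principal"], e["enctype"]))
    return blob


if __name__ == "__main__":
    demo()
```

The parser follows the MIT reader's rule of preferring the trailing 32-bit vno when it is nonzero, so key versions above 255 round-trip correctly; comparing the parsed kvno against the account's current value is the check to run after any machine password change.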