salting in Samba4
Andrew Kroeger
andrew at id10ts.net
Tue Sep 22 18:05:27 MDT 2009
Andrew Bartlett wrote:
> On Mon, 2009-09-21 at 14:34 -0500, Andrew Kroeger wrote:
>
>> Andrew:
>
>> I'm willing to run additional tests to help track this down if you are
>> having problems reproducing the issue.
>
> I wondered if you might like to help write a new test to stop this
> happening in future?
I'd be happy to.
> The test would be an extension to the 'net export keytab' test, that
> uses 'ktutil <keytab> list --keys', grep sort and diff to compare the
> keytab in the database with the one in the local secrets.keytab. If
> this ever differs, we have a big problem.
Just took a look at the ktutil on my Fedora system (which uses MIT
kerberos) and the ktutil command does not take any arguments. It
appears the syntax you suggested is only available with the ktutil from
the heimdal kerberos.
> We can then extend it to create a new machine account in AD, export it
> with DRS and create the keytab locally. Then we can compare that too.
>
> What do you think?
If we can accomplish this in a kerberos-agnostic (MIT vs. heimdal) way,
I'm all for giving it a shot. Do you have any ideas how we could do this?
> Andrew Bartlett
Sincerely,
Andrew Kroeger
More information about the samba-technical
mailing list