salting in Samba4

Andrew Kroeger andrew at
Tue Sep 22 18:05:27 MDT 2009

Andrew Bartlett wrote:
> On Mon, 2009-09-21 at 14:34 -0500, Andrew Kroeger wrote:
>> Andrew:
>> I'm willing to run additional tests to help track this down if you are 
>> having problems reproducing the issue.
> I wondered if you might like to help write a new test to stop this
> happening in future?

I'd be happy to.

> The test would be an extension to the 'net export keytab' test, that
> uses 'ktutil <keytab> list --keys', grep sort and diff to compare the
> keytab in the database with the one in the local secrets.keytab.  If
> this ever differs, we have a big problem. 

Just took a look at the ktutil on my Fedora system (which uses MIT 
kerberos) and the ktutil command does not take any arguments.  It 
appears the syntax you suggested is only available with the ktutil from 
the heimdal kerberos.

> We can then extend it to create a new machine account in AD, export it
> with DRS and create the keytab locally.  Then we can compare that too.  
> What do you think?

If we can accomplish this in a kerberos-agnostic (MIT vs. heimdal) way, 
I'm all for giving it a shot.  Do you have any ideas how we could do this?

> Andrew Bartlett

Andrew Kroeger

More information about the samba-technical mailing list