salting in Samba4

Andrew Bartlett abartlet at samba.org
Tue Sep 22 18:11:34 MDT 2009


On Tue, 2009-09-22 at 19:05 -0500, Andrew Kroeger wrote:
> Andrew Bartlett wrote:
> > On Mon, 2009-09-21 at 14:34 -0500, Andrew Kroeger wrote:
> > 
> >> Andrew:
> > 
> >> I'm willing to run additional tests to help track this down if you are 
> >> having problems reproducing the issue.
> > 
> > I wondered if you might like to help write a new test to stop this
> > happening in future?
> 
> I'd be happy to.
> 
> > The test would be an extension to the 'net export keytab' test, that
> > uses 'ktutil <keytab> list --keys', grep, sort and diff to compare the
> > keytab in the database with the one in the local secrets.keytab.  If
> > this ever differs, we have a big problem. 
> 
> Just took a look at the ktutil on my Fedora system (which uses MIT 
> Kerberos) and the ktutil command does not take any arguments.  It 
> appears the syntax you suggested is only available with the ktutil from 
> Heimdal Kerberos.
> 
> > We can then extend it to create a new machine account in AD, export it
> > with DRS and create the keytab locally.  Then we can compare that too.  
> > 
> > What do you think?
> 
> If we can accomplish this in a Kerberos-agnostic (MIT vs. Heimdal) way, 
> I'm all for giving it a shot.  Do you have any ideas how we could do this?

Don't bother - just import the ktutil from Heimdal into the heimdal/
tree and build it like the other heimdal utilities with heimdal_build/

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
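
The keytab comparison proposed in this thread, sketched as an added example that is not part of the original messages or of Samba's test suite. It assumes the Heimdal form `ktutil -k <keytab> list --keys`; the sample listings, their column layout, the principal and the key bytes are constructed.

```shell
#!/bin/sh
# Assumption: Heimdal ktutil; MIT ktutil does not take these arguments.
list_keys() { ktutil -k "$1" list --keys; }

# Reduce a saved listing to sorted "principal kvno enctype key" lines,
# skipping the keytab name, blank lines and the column header.
normalize_listing() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $3, $1, $2, $4 }' "$1" | LC_ALL=C sort
}

# Return 0 if both listings hold the same keys, else print a diff and return 1.
compare_listings() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_listing "$1" > "$a"
    normalize_listing "$2" > "$b"
    diff -u "$a" "$b" && rc=0 || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample listings (hypothetical principal and key bytes).
write_samples() {
    cat > "$1/db.txt" <<'EOF'
FILE:exported.keytab:

Vno  Type                     Principal             Key
  1  aes256-cts-hmac-sha1-96  HOST/dc1@EXAMPLE.COM  00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
  1  arcfour-hmac-md5         HOST/dc1@EXAMPLE.COM  0123456789abcdef0123456789abcdef
EOF
    # Same keys in a different order: must compare equal.
    cat > "$1/local_ok.txt" <<'EOF'
FILE:secrets.keytab:

Vno  Type                     Principal             Key
  1  arcfour-hmac-md5         HOST/dc1@EXAMPLE.COM  0123456789abcdef0123456789abcdef
  1  aes256-cts-hmac-sha1-96  HOST/dc1@EXAMPLE.COM  00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
EOF
    # AES key differs while the unsalted RC4 key matches, as a wrong
    # salt would produce: must compare unequal.
    sed 's/ 0011/ ff11/' "$1/local_ok.txt" > "$1/local_bad.txt"
}

# Demo on the constructed samples; with real keytabs, save the output of
# list_keys for each keytab to a file and pass the two files instead.
d=$(mktemp -d) && write_samples "$d"
compare_listings "$d/db.txt" "$d/local_bad.txt" || echo "keytabs differ"
rm -rf "$d"
```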