salting in Samba4

Andrew Bartlett abartlet at
Tue Sep 22 18:11:34 MDT 2009

On Tue, 2009-09-22 at 19:05 -0500, Andrew Kroeger wrote:
> Andrew Bartlett wrote:
> > On Mon, 2009-09-21 at 14:34 -0500, Andrew Kroeger wrote:
> > 
> >> Andrew:
> > 
> >> I'm willing to run additional tests to help track this down if you are 
> >> having problems reproducing the issue.
> > 
> > I wondered if you might like to help write a new test to stop this
> > happening in future?
> I'd be happy to.
> > The test would be an extension to the 'net export keytab' test, that
> > uses 'ktutil <keytab> list --keys', grep sort and diff to compare the
> > keytab in the database with the one in the local secrets.keytab.  If
> > this ever differs, we have a big problem. 
> Just took a look at the ktutil on my Fedora system (which uses MIT 
> kerberos) and the ktutil command does not take any arguments.  It 
> appears the syntax you suggested is only available with the ktutil from 
> the heimdal kerberos.
> > We can then extend it to create a new machine account in AD, export it
> > with DRS and create the keytab locally.  Then we can compare that too.  
> > 
> > What do you think?
> If we can accomplish this in a kerberos-agnostic (MIT vs. heimdal) way, 
> I'm all for giving it a shot.  Do you have any ideas how we could do this?

Don't bother - just import the ktutil from Heimdal into the heimdal/
tree and build it like the other heimdal utilities with heimdal_build/

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list