of keytabs, kerberos and winbindd

Matthieu Patou mat at matws.net
Thu Jun 14 13:02:19 MDT 2012

Hello all,

Currently in samba stable release we have 4 possibility related to the 
kerberos method:

1) secrets
2) system keytab
3) secret + system keytab
4) dedicated keytab

The man page indicate that "system keytab" and "dedicated keytab" is 
almost the same but the latter method relies on kerberos to find the 
correct keytab entry instead of filtering based on expected principals.

It turns out that if you use method 2 and method 3, the system keytab 
will be created or updated when samba join the domain (net ads join), 
the keytab is also updated if you do a net ads changetrustpw. This make 
the use of system keytab or secret + system keytab very desirable if you 
want to use kerberized services (ie. ssh or http) but then you loose the 
capacity to have winbindd changing periodically the password of the 
machine account used by samba.
I understand that this limitation is due to the fact that samba didn't 
control completely control the keytab update but then why update the 
keytab when we issue the changetrustpw. If we don't allow periodic 
password change when using kerberos method 2, 3 or 4 then I'm wondering 
if it wouldn't be interesting to have an option for kerberos method 1 to 
dump a keytab with samba's secret when joining, changing the password 
with changetrustpw and also when done periodically.
Is there anybody with strong feeling against this ?

Also I already discussed about the possibility for winbindd to accept a 
kerberos ticket for doing the authentication and group membership 
"lookup", the idea is that a user has already a kerberos ticket with PAC 
information it can used to authenticate and get the groups of the user 
without having winbindd doing a netlogon request to the DC, this is 
similar to what WINBINDD_PAM_AUTH do except that you specify a ticket 
instead of user and a password.

Any comments ?


More information about the samba-technical mailing list