of keytabs, kerberos and winbindd
Matthieu Patou
mat at matws.net
Thu Jun 14 13:02:19 MDT 2012
Hello all,
Currently in samba stable release we have 4 possibilities related to the
kerberos method:
1) secrets
2) system keytab
3) secret + system keytab
4) dedicated keytab

The man page indicates that "system keytab" and "dedicated keytab" are
almost the same, but the latter method relies on kerberos to find the
correct keytab entry instead of filtering based on expected principals.
It turns out that if you use method 2 or method 3, the system keytab
will be created or updated when samba joins the domain (net ads join);
the keytab is also updated if you do a net ads changetrustpw. This makes
the use of system keytab or secret + system keytab very desirable if you
want to use kerberized services (ie. ssh or http), but then you lose the
capacity to have winbindd periodically changing the password of the
machine account used by samba.

I understand that this limitation is due to the fact that samba didn't
completely control the keytab update, but then why update the
keytab when we issue the changetrustpw? If we don't allow periodic
password change when using kerberos method 2, 3 or 4, then I'm wondering
if it wouldn't be interesting to have an option for kerberos method 1 to
dump a keytab with samba's secret when joining, when changing the password
with changetrustpw and also when done periodically.
Is there anybody with strong feelings against this?

Also I already discussed the possibility for winbindd to accept a
kerberos ticket for doing the authentication and group membership
"lookup". The idea is that a user already has a kerberos ticket with PAC
information that can be used to authenticate and get the groups of the user
without having winbindd do a netlogon request to the DC; this is
similar to what WINBINDD_PAM_AUTH does, except that you specify a ticket
instead of a user and a password.
Any comments?
Matthieu.
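As an added illustration, not part of Matthieu's message, the four methods enumerated in the post correspond to the values of the `kerberos method` parameter in smb.conf. The fragment below is an example configuration using the setting the post describes as desirable for kerberized services, with the other three values shown in comments; the workgroup, realm and dedicated keytab path are assumed placeholders.

```ini
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads

    # Method 3 from the list in the post: the machine password stays in
    # secrets.tdb and the system keytab is written on "net ads join"
    # and refreshed on "net ads changetrustpw".
    kerberos method = secrets and keytab

    # The other values, for reference (one "kerberos method" line only):
    #   kerberos method = secrets only        ; method 1, the default
    #   kerberos method = system keytab       ; method 2
    #   kerberos method = dedicated keytab    ; method 4, used together with
    #   dedicated keytab file = /etc/krb5.samba.keytab   ; assumed path
```

The trade-off the post raises applies to the non-default values: with methods 2, 3 and 4 the keytab is kept in step with the machine account only through those two `net ads` commands, so winbindd's periodic machine-password change is not available, and a site that relies on it needs to schedule `net ads changetrustpw` itself or stay on method 1.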