of keytabs, kerberos and winbindd

Steven Danneman steven at samba.org
Tue Jun 19 16:07:51 MDT 2012

> The dedicated keytab has been added by  Dan Sledz on commit
> d96248a9b46559552f53b0ecd3861387ea7ff050 a bit more than 3 years ago
> I think it was because of specials needs from Isilon, Steven can you
> comment, explain the uses cases ?

Hey Matthieu,

Being over 3 years ago my memory is a little fuzzy, but it was probably
an Isilon specific need.

At the time we were creating a machine account on every node in our
cluster each with a different password, and each of these nodes had a
separate name like foo-1, foo-2, foo-3, etc.  Yet, the entire cluster
could be accessed via a DNS round-robin resolver with a single name like

So I think we needed custom logic to accept service tickets encrypted
with the password for the foo principal, but lookup foo-1 in the keytab
or vice versa.


More information about the samba-technical mailing list