[Samba] keytabs vs. secret store

Andrew Bartlett abartlet at samba.org
Sat May 28 22:35:57 GMT 2005


On Mon, 2005-05-23 at 15:48 -0400, Brian Jones wrote:
> Which is the preferred method of handling service principals when the
> samba server is an ads member -- turning
> on "use kerberos keytab" in smb.conf, or the default secrets.tdb?
> Is there any particular reason I should use one over the other?

secrets.tdb is far, far preferred.  It 'just works', the other option
was added for sites that are unable to change how their AD admins
operate their domain, and where they can only be handed a keytab for
their unix servers (or where Samba, with a patch, is a member of an MIT
realm).

> Also, all I see in secrets.tdb is the machine password while in
> krb5.keytab I see 100+ principals corresponding to various combinations
> of instance and enctype.  Is the password in the secret
> store used to generate keys which are kept in memory?

Pretty much, yes.  We also use it to contact the DC on NETLOGON, to
allow NTLM logins and other useful things.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net