[Fwd: Re: [PATCH] keytab management for ADS mode.]
Jeremy Allison
jra at samba.org
Sat Jan 31 01:04:29 GMT 2004
On Fri, Jan 30, 2004 at 07:56:42PM -0500, Rakesh Patel wrote:
> To summarize - I want to make sure it is clear what the functionality
> should be:
>
> keytab file - define file - if defined, use the keytab file for all
> operations? Or do we wish to continue to utilize the password from
> secrets.tdb? We can eliminate "keytab use" and just initialize
> credentials using the keytab if "keytab file" is specified. As per
> Andrew Bartlett all cases where secrets_fetch_machine_password() is
> utilized must have a function call to initialize the credentials from
> the keytab.
>
>
> Should we eliminate "keytab update"? - If "keytab file" is specified
> and a "net ads join", "net ads changetrustpw", or "net ads keytab
> create" are done, we could just update the keytab and really should in
> that case. If the keytab is maintained externally to Samba, then users
> should never run any of these commands, however keeping "keytab
> update" maintains clarity - no updates unless explicitly specified.
> The safety is already there - leave or remove?
>
> I believe we all agree "keytab use" has no value and has to be
> removed. I believe modifying the patch to complete the keytab
> credentials initialization so it will work with all Samba utilities is
> also important and basing it on "keytab file" definition is probably
> cleanest as per suggestions from the Samba team.
>
> Jeremy, I can make the changes easily - as long as we agree on the approach.

I only want one parameter: keytab file.

If this is set then everything uses the keytab - even though we still
store the password and kvno in secrets.tdb. Once that is set in smb.conf
then everything should also update the keytab file as well as secrets.tdb.

I will make the changes to the code to do this. I think I understand your
patch well enough to implement this.

It won't make 3.0.2, but maybe 3.0.3. I'd appreciate you evaluating what
I check into the CVS tree to make sure that this meets your needs.

Jeremy.